Millions of websites running WordPress are being strongly urged to update to the latest version of the popular content management system as soon as possible, after a serious security vulnerability was uncovered.
Anthony Ferrara, who discovered the WordPress flaw, starkly summed up the situation:
“Today, a significant SQL-Injection vulnerability was fixed in WordPress 4.8.3. Before reading further, if you haven’t updated yet stop right now and update.”
Ironically, the release last month of WordPress 4.8.2 was intended to protect against the vulnerability, but – according to Ferrara – it actually “broke a lot of sites” and “didn’t actually fix the root issue (but just a narrow subset of the potential exploits)”.
Ferrara says that he informed the WordPress team of the problem straight after the release of 4.8.2, but was effectively “ignored for several weeks.”
According to Ferrara, the newly-released 4.8.3 security update does thankfully mitigate the problem, but reading his blog post about his interactions with WordPress’s security team you can feel his frustration:
“Security reports should be treated ‘promptly’, but that doesn’t mean every second counts (usually). I get that there are competing priorities. But show attention. Show that you’ve read what’s written. And if someone tells you it seems like you don’t understand something, stop and get clarification.”
“And ask for help.”
“Overall, I hope the WP security team moves forward from this. I do honestly see hope.”
You can download the latest version of WordPress (4.8.3) from the WordPress website, or go to Dashboard / Updates on your admin console and choose “Update now”.
Some WordPress installations support automatic background updates which means they should already be beginning to update themselves to the latest version.
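For admins who look after more than one self-hosted site, the quickest way to find installs still below the fixed release is to read the core version straight from each document root. The following POSIX shell script is an added example written for this article, not code from WordPress or from the author; it assumes only the standard layout in which wp-includes/version.php sets `$wp_version`, and it builds two throwaway sample installs (one on 4.8.2, one on 4.8.3) so it can be run offline.

```shell
#!/bin/sh
# Added example: flag self-hosted WordPress installs whose core version is
# below the release that fixed the SQL-injection issue described above.
# Assumption: wp-includes/version.php contains a line  $wp_version = 'X.Y.Z';

FIXED_VERSION="4.8.3"

# Print the core version string found in a version.php file ($1).
wp_core_version() {
    sed -n "s/^[\$]wp_version = '\([^']*\)';.*/\1/p" "$1"
}

# Return 0 if dotted numeric version $1 >= $2, else 1 (pure sh, no sort -V).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Check the install whose document root is $1.
# Prints a one-line verdict; returns 0 (ok), 1 (needs update) or 2 (unreadable).
check_install() {
    v=$(wp_core_version "$1/wp-includes/version.php" 2>/dev/null)
    if [ -z "$v" ]; then
        echo "unknown  $1 (could not read wp-includes/version.php)"
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "ok       $v  $1"
        return 0
    fi
    echo "UPDATE   $v  $1 (below $FIXED_VERSION)"
    return 1
}

# Constructed sample installs for demonstration; in real use, point
# check_install at the document roots of your actual sites instead.
demo=$(mktemp -d)
mkdir -p "$demo/site-old/wp-includes" "$demo/site-new/wp-includes"
printf '<?php\n$wp_version = '"'"'4.8.2'"'"';\n' > "$demo/site-old/wp-includes/version.php"
printf '<?php\n$wp_version = '"'"'4.8.3'"'"';\n' > "$demo/site-new/wp-includes/version.php"

check_install "$demo/site-old"
check_install "$demo/site-new"
```

Feed `check_install` a list of document roots (for example from your web server's virtual host configuration) and grep for `UPDATE` to get the sites that still need attention. The comparison is done field by field rather than as a string, so 4.10 correctly ranks above 4.8.3.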
Automatic updates are not for everyone of course, and many site admins working inside organisations are wary of rolling out new versions of software on their web servers before they have had a chance to test that they won’t introduce other problems.
The sad truth is that many websites out there are still running older, vulnerable versions of WordPress, and this may not be the only vulnerability that could be exploited.
Running your own WordPress-based site can be a considerable job. It’s time-consuming ensuring that WordPress and its third-party plugins are always up-to-date and working properly to fend off attacks.
The chances of having your site hit by hackers can be reduced by putting a web application firewall in place, which will attempt to filter and block malicious web traffic before it can exploit any weaknesses.
It’s worth remembering that websites running self-hosted versions of WordPress from wordpress.org are different from the many millions of blogs which run on wordpress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.
Although there are some limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.
written by Graham Cluley, ESET We Live Security