The Latest WordPress Vulnerabilities: Why You Should Pay Attention And How To Fix Them



Building a website means choosing from many website creation tools, and one of the most widely used is WordPress. It is written in PHP, a popular open source scripting language designed for web development, and it is powerful, easy to use and highly flexible.

WordPress is now the most widely used blogging and web content management system in the world. Large corporations, celebrities, news outlets, and bloggers use it every day. This is why the latest vulnerability disclosures affecting WordPress were greeted with alarm by many webmasters.

What’s more, according to WordPress, the disclosures did not follow accepted responsible-disclosure practice: details were published before fixes were available, which left many sites exposed to attack for longer than necessary. Anyone running WordPress therefore needs to know exactly what these vulnerabilities are and how to fix them.

Here is an explanation of how they may affect your website and what to do about it.

What are WordPress plugins?

Plugins, or add-ons, are software components that extend WordPress with features its core does not ship. WordPress core is deliberately kept lean and light, so most sites rely on plugins for custom features and extra functionality.

Developers use plugins to add capabilities such as ecommerce payment systems, order fulfillment, weather reports and spell checking, among many others. Plugins can be installed, deactivated, updated or deleted from the admin dashboard.

Assess your WordPress Security by taking this 5 minute test.

How do WordPress vulnerabilities affect your site?

The last few days have seen a flurry of disclosures concerning vulnerable WordPress plugins, affecting sites running WordPress 4.2 or earlier. The plugins named included:

•WordPress SEO
•WP Touch
•Google Analytics by Yoast
•Broken Link Checker
•Gravity Forms
•Easy Digital Downloads

It emerged that these plugins, and many others, were vulnerable to cross-site scripting (XSS). The root cause was ambiguous documentation in the WordPress Codex for the add_query_arg() and remove_query_arg() functions: plugin authors assumed the URL these functions return was already escaped and printed it straight into HTML, when in fact it is not escaped and partly reflects the URL of the current request.

XSS is one of the most common web application vulnerabilities. An attacker injects script into a page that the site then serves to other users, and that script runs in the victim’s browser with the victim’s session. It can read anything the page displays, steal session cookies, and submit forms or requests on the victim’s behalf, which is how sensitive data such as personal information and payment details get stolen.

Because the injected script inherits the privileges of whoever views the page, the damage depends on the victim. Against a logged-in administrator it can silently perform any administrative action, such as creating accounts, changing passwords or installing a backdoor plugin, which effectively hands the attacker administrator privileges on the site.

A separate zero-day in WordPress core itself was also disclosed: a stored XSS that lets an unauthenticated visitor plant JavaScript through the comment form. The script then executes in the browser of anyone who views the comment, including an administrator moderating it.


How to fix these vulnerabilities

As soon as these problems became known, WordPress worked with the affected plugin developers to fix them. WordPress 4.2.1 was released to patch the comment XSS in core, and the plugin bugs are fixed in updates issued by each plugin’s authors.

If your site is set to automatically upgrade plugins, it has most likely taken care of the plugin problem already. Until the core update is applied, administrators can disable comments as a stopgap. Holding comments for moderation is not enough, because the script fires when a moderator views the comment.
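The stopgap described above, as an added example that is not code from the original post or from WordPress itself: a must-use plugin that closes comments site-wide and keeps existing comments from being rendered anywhere, including the admin screens where a moderator would otherwise open a stored payload. The file name and function names are assumptions; it is dropped into wp-content/mu-plugins/ and removed again once the core update is in place.

```php
<?php
/**
 * Plugin Name: Emergency comment lockdown (hypothetical added example)
 *
 * Not part of the original post or of WordPress core. Closes comments and
 * pingbacks on every post, hides comments that are already stored, and keeps
 * the comment screens out of wp-admin until the site is updated.
 */

defined( 'ABSPATH' ) || exit;

// No new comments or pingbacks on any post, whatever the per-post setting says.
add_filter( 'comments_open', '__return_false', 20 );
add_filter( 'pings_open', '__return_false', 20 );

// Comments already in the database are not rendered on the front end.
// A stored XSS payload only runs if the comment is rendered somewhere.
add_filter( 'comments_array', '__return_empty_array', 20 );

// New posts default to "comments closed".
add_filter( 'pre_option_default_comment_status', function () {
	return 'closed';
} );

// Keep moderators away from stored comments in wp-admin: remove the Comments
// menu, the "Recent Comments" dashboard widget, and bounce direct requests.
add_action( 'admin_menu', function () {
	remove_menu_page( 'edit-comments.php' );
} );

add_action( 'wp_dashboard_setup', function () {
	remove_meta_box( 'dashboard_recent_comments', 'dashboard', 'normal' );
} );

add_action( 'admin_init', function () {
	global $pagenow;
	if ( 'edit-comments.php' === $pagenow || 'comment.php' === $pagenow ) {
		wp_safe_redirect( admin_url() );
		exit;
	}
} );
```

This hides comments rather than deleting them; after the site is updated, delete the file and review the queue of stored comments before reopening them.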

Updates can also be applied by hand from Dashboard > Updates > Update Now. Plugin developers should treat the return value of add_query_arg() and remove_query_arg() as untrusted and pass it through esc_url() before printing it into HTML (or esc_url_raw() when the URL goes into a redirect or the database rather than a page).
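The vulnerable pattern and its fix side by side, as an added example that is not code from the original post or from any of the plugins it lists. It is a minimal WordPress plugin that registers one admin page; the plugin name, slug and function names are assumptions. Only the escaped version is hooked in; the vulnerable function is kept for comparison and never runs.

```php
<?php
/**
 * Plugin Name: Query Arg Escaping Demo (hypothetical added example)
 *
 * Not part of the original post. Shows the pattern behind the add_query_arg()
 * and remove_query_arg() disclosures and the fix: escape the returned URL with
 * esc_url() before it is printed into HTML.
 */

defined( 'ABSPATH' ) || exit;

add_action( 'admin_menu', function () {
	add_menu_page(
		'Query Arg Demo',        // page title
		'Query Arg Demo',        // menu title
		'manage_options',        // capability
		'qad-demo',              // menu slug (assumed name)
		'qad_render_page_safe'   // only the escaped renderer is hooked
	);
} );

/**
 * VULNERABLE pattern, kept only for comparison and never hooked in.
 *
 * With no URL argument, add_query_arg() builds on $_SERVER['REQUEST_URI'],
 * i.e. on whatever URL the visitor followed, which an attacker chooses when
 * crafting a link. The result is not HTML-escaped, so printing it straight
 * into an attribute lets a crafted request close the attribute and inject
 * markup and script into the admin page.
 */
function qad_render_page_vulnerable() {
	$next = add_query_arg( 'paged', 2 ); // attacker-influenced string
	echo '<div class="wrap"><a href="' . $next . '">Next page</a></div>';
}

/**
 * FIXED pattern. esc_url() strips characters that are not valid in a URL
 * (including double quotes, angle brackets and spaces) and entity-encodes
 * ampersands and single quotes, so the value cannot break out of href="".
 * remove_query_arg() returns the same kind of unescaped URL and needs the
 * same treatment.
 */
function qad_render_page_safe() {
	$next = add_query_arg( 'paged', 2 );
	$prev = remove_query_arg( 'paged' );
	echo '<div class="wrap">';
	echo '<a href="' . esc_url( $prev ) . '">Previous page</a> ';
	echo '<a href="' . esc_url( $next ) . '">Next page</a>';
	echo '</div>';
}
```

The rule generalises beyond these two functions: escape at the point of output, choosing the escaper for the context (esc_url() for URL attributes, esc_attr() for other attributes, esc_html() for text), and never assume a helper that builds a string has done it for you.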


What to do in future

All software has bugs, and more will be found in WordPress and its plugins. It is therefore important to protect your site on an ongoing basis by:

•Scanning your site regularly for outdated software using site checking tools
•Updating WordPress core, themes and plugins promptly, and removing plugins you no longer use
•Keeping an eye on your logs, so you know what is happening on your site
•Using a web application firewall to block common XSS payloads before they reach WordPress
•Restricting admin access and logging in as the site admin only when necessary
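The first two points above, checking for outdated software and updating it, can be made routine rather than left to memory. Below is an added example, not code from the original post or from WordPress, of a small plugin that refreshes the update data once a day and emails the site admin a list of pending core and plugin updates. The plugin name, hook name and function names are assumptions, and it assumes wp_mail() can deliver mail from this host.

```php
<?php
/**
 * Plugin Name: Pending update report (hypothetical added example)
 *
 * Not part of the original post. Once a day, refreshes WordPress's update
 * data and emails the admin address a list of core and plugin updates that
 * are waiting to be applied.
 */

defined( 'ABSPATH' ) || exit;

// Schedule the daily check on first load; wp_next_scheduled() keeps it idempotent.
add_action( 'init', function () {
	if ( ! wp_next_scheduled( 'pur_daily_check' ) ) {
		wp_schedule_event( time(), 'daily', 'pur_daily_check' );
	}
} );

// Remove the scheduled event if the plugin is deactivated.
register_deactivation_hook( __FILE__, function () {
	wp_clear_scheduled_hook( 'pur_daily_check' );
} );

add_action( 'pur_daily_check', 'pur_report_pending_updates' );

/**
 * Build the list of pending updates as one line per item.
 * Returns an empty array when core and every plugin are current.
 */
function pur_pending_updates() {
	require_once ABSPATH . 'wp-admin/includes/plugin.php'; // provides get_plugins()

	// Refresh the update transients rather than trusting a possibly stale cache.
	wp_version_check();
	wp_update_plugins();

	$lines = array();

	$core = get_site_transient( 'update_core' );
	if ( ! empty( $core->updates[0] ) && 'upgrade' === $core->updates[0]->response ) {
		$lines[] = sprintf(
			'WordPress core: %s -> %s',
			get_bloginfo( 'version' ),
			$core->updates[0]->current
		);
	}

	$plugins = get_site_transient( 'update_plugins' );
	if ( ! empty( $plugins->response ) ) {
		$installed = get_plugins();
		foreach ( $plugins->response as $file => $update ) {
			$name = isset( $installed[ $file ]['Name'] ) ? $installed[ $file ]['Name'] : $file;
			$have = isset( $installed[ $file ]['Version'] ) ? $installed[ $file ]['Version'] : '?';
			$lines[] = sprintf( 'Plugin %s: %s -> %s', $name, $have, $update->new_version );
		}
	}

	return $lines;
}

/**
 * Cron callback: email the admin address when anything is pending.
 */
function pur_report_pending_updates() {
	$lines = pur_pending_updates();
	if ( empty( $lines ) ) {
		return;
	}
	wp_mail(
		get_option( 'admin_email' ),
		sprintf( '[%s] %d update(s) pending', get_bloginfo( 'name' ), count( $lines ) ),
		implode( "\n", $lines )
	);
}
```

WP-Cron only fires when the site receives traffic, so on a quiet site trigger it from a real cron job (or disable WP-Cron and call wp-cron.php on a schedule) if the daily report must be reliable.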

Keeping your site up to date and secure protects your visitors’ data and your own site from takeover. A compromise can damage your reputation and ruin your online business.

About us and this blog


Hi, I'm Dave Russell, CEO & Founder of OneFishTwoFish. We are digital marketing strategists that deliver compelling solutions to help you attract, engage and convert more of your ideal clients online.
