Although issues were reported a month ago by a user named kisscsaby
on the WordPress forums, it has taken a month for Google to catch the
issue with two infected plugins. Over 25% of all WordPress websites were
hacked and the grand total of affected websites is thought to be in the
hundreds of thousands. These were two very popular plugins that were
downloaded over 6 million times. It’s certainly shocking that such
plugins were able to be hacked in the first place and that the issue
managed to remain out of sight by Google for 30 days.
The problem is that the plugins transmit a serious vulnerability to the websites that they hack. Called remote code execution, or RCE, it enables an attacker to execute any commands on a target machine. Both of the plugin authors have since published new versions of their plugins that have disabled the vulnerable functions. However, the effect of the two earlier plugins has been seen across a vast number of websites.
Upgrading your website often is one of the most important things you can do to keep your website safe from hackers.
Need help? Contact Paveya
The problem is that the plugins transmit a serious vulnerability to the websites that they hack. Called remote code execution, or RCE, it enables an attacker to execute any commands on a target machine. Both of the plugin authors have since published new versions of their plugins that have disabled the vulnerable functions. However, the effect of the two earlier plugins has been seen across a vast number of websites.
How to tell if your site was affected:
If you are using a third-party service, you should be fine. However, for those WordPress sites that have comments enabled, these plugins can cause some real issues. To test to see if your website has been affected, leave yourself this comment: <!–mfunc echo PHP_VERSION; –><!–/mfunc–>. If your reply shows the version of your server’s PHP install, you’ve got a problem. This means that anyone who replies can pass on commands to your server and those commands will then be executed by remote code execution.Was your site compromised? Protect yourself.
The significance of these hazardous plugin issues should not be brushed off. Any user that is enabled to comment on your website can exploit it. How can you protect yourself? Upgrade your WordPress. The latest upgrades can be found on the WordPress.org repository. Use WP Super Cache and W3TC Total Cache. Also, as an alternative, we recommend WP Super Cache which can be found here.Upgrading your website often is one of the most important things you can do to keep your website safe from hackers.
Need help? Contact Paveya
No comments:
Post a Comment