Yesterday, March 11, 2015, an update was released for the WordPress SEO plugin by Yoast to fix a security vulnerability that was discovered in the code. According to WPTavern, the WPScan Vulnerability Database issued a security advisory after alerting the plugin’s author. During a scan, they found the plugin vulnerable to a Blind SQL Injection.
With over 1 Million installations, this is something that needs to be taken seriously by developers, WordPress site owners, and the Internet community to make sure that people are updating their site, if needed.
Understanding the Vulnerability
For those more technically inclined who want more detail: http://wptavern.com/blind-sql-injection-vulnerability-discovered-in-wordpress-seo-plugin-by-yoast-immediate-update-recommended
For the less technical: SQL is the language used to query WordPress databases, and a SQL injection attack occurs when input an attacker controls ends up being run as part of a SQL query, letting the attacker read information from your database and potentially add information to your WordPress database.
Developers work to make sure that their plugins only allow proper execution of code, but sometimes even the most competent developers leave an opening for hackers. The key is that responsible developers, like Yoast, respond quickly and fix issues when they are found.
The fact that the vulnerability was found does not mean that your site was attacked. The vulnerability was found in the plugin and immediately fixed, so you need to update the plugin and you should be fine.
Some web hosts have automatically updated this plugin across all of their sites and servers. Several of our sites on SiteGround had already been updated when we logged in to apply the update. However, do not count on your host or your web developer to do this for you. It is recommended that you log in to your site and make sure this is updated.
To update the WordPress SEO plugin
- Log in to your WordPress dashboard. By default the login page is http://yourdomain.com/wp-admin. Note that you may have changed this for security purposes. If so, enter the link to your login page.
- It is recommended to run a backup before updating your website. How to create a backup depends on your site configuration.
- From the Dashboard, select Plugins. This will open the Plugins listing page.
- Scroll down until you see WordPress SEO. The latest version is 1.7.4. If you are running anything earlier, you should have an option to update the plugin. Click on Update. The update will take a few seconds to run, and you should be fine.
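If you look after more than one site, the same check can be scripted. The following is an added example, not part of the original post: it compares each site's installed WordPress SEO version against the fixed release 1.7.4 named above. The inventory lines are constructed sample data, and the WP-CLI command mentioned in the comments is an assumption about how you would gather the real versions.

```shell
#!/bin/sh
# Added example: flag sites whose WordPress SEO plugin is older than the fixed
# release 1.7.4. The inventory below is constructed sample data in the form
# "site,installed_version"; on a real server you would build these lines from
# WP-CLI, e.g. (assumed invocation) wp plugin get wordpress-seo --field=version --path=/var/www/SITE

FIXED_VERSION="1.7.4"

# version_lt A B: exit 0 when A is older than B, comparing dot-separated
# numeric fields; a missing field counts as 0, so 1.7.4 and 1.7.4.0 are equal,
# and 1.10.0 is newer than 1.7.4 (no string comparison).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# Reads "site,installed_version" lines on stdin and prints one line per site
# whose plugin is older than FIXED_VERSION. An empty version (plugin missing
# from the inventory) is treated as 0 and therefore reported.
sites_needing_update() {
    while IFS=, read -r site version; do
        [ -z "$site" ] && continue
        if version_lt "$version" "$FIXED_VERSION"; then
            printf '%s %s -> update to %s\n' "$site" "$version" "$FIXED_VERSION"
        fi
    done
}

# Constructed inventory for the demo run.
SAMPLE_INVENTORY='shop.example,1.7.3.3
blog.example,1.7.4
old.example,1.6.2
new.example,1.7.4.1'

printf '%s\n' "$SAMPLE_INVENTORY" | sites_needing_update
```

Only shop.example and old.example are reported; the two sites already on 1.7.4 or later are silent.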
How to Scan Your Site for Malware
Want to scan your website to see if anything is amiss? Select the Sucuri Site Scan link, below. Enter the site you want to scan and click the Scan Website button.
While no security scan is 100% reliable, the guys at Sucuri have helped many times when our clients have had site issues. The following shows a scan of this site, https://whiteglovewebtraining.com.
Note that no malware is found and no high-level security risks are found. A medium risk was listed for not having a Website Firewall. If you want higher levels of security, or if you need PCI compliance for your https shopping cart, then adding Sucuri’s Website Firewall can be of great value. This is also a perfect option to secure your site if you are in a situation where you cannot upgrade the software because of plugin conflicts. For more information on the website firewall, visit Sucuri Firewall.
What to Do if You Are Hacked
Almost anything online has some security risk. In reality, the same is true offline, but many beginners are less comfortable with online security because it can seem elusive. Fortunately, we have Sucuri. If you have been hacked, these guys can fix it.
If you have a solid backup, you may be able to restore the backup and return to your previous safe site. In this case, you should restore the backup, then run the Sucuri security scan shown above to view the results. If the scan comes back clean, you may want to wait before purchasing the cleaning and monitoring package.
Note that you may want to test this more than once and also visit the site from a variety of computers and devices, like phones. Some intermittent attacks will redirect visitors to a porn site infrequently, or only when viewed by certain devices. The scan may not catch these each time.
If you choose to have your site cleaned, this is the best service I have found. They are very knowledgeable and reasonably priced. Plus, when you purchase the package, they clean the site now, and will also clean it for the next year, if it happens to have another attack. You may just want to go ahead and buy this for the peace of mind it can provide.
Stay tuned for more security updates. If you have questions, please leave them in the comments below.