Another WordPress Security Update
On February 2nd, 2016, WordPress announced that a security update had been released. This new update takes WordPress to Version 4.4.2, and the developers “strongly encourage you to update your sites immediately.”
Two vulnerabilities in WordPress Core were discovered and fixed:
1. A Server Side Request Forgery Vulnerability
A Server Side Request Forgery (SSRF) vulnerability allows an attacker to make the web server issue requests on their behalf, giving them a path to systems that are reachable only from inside the network and to the authentication services running there. For detailed information on SSRF attacks, please see this document and the information compiled by ONSec Labs.
2. An Open Redirection Attack
An open redirection attack allows an attacker to redirect users to a destination of their choosing and is a common method used in phishing schemes. A malicious attacker could send a URL on the trusted site that contains parameters redirecting the user to another website, one disguised to look like the original, tricking the user into believing they are still on the original site.
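To make the open-redirect point concrete, here is an added example (not WordPress core code and not the fix shipped in 4.4.2) in PHP, the language WordPress is written in: a redirect handler that trusts a `redirect_to` parameter outright, beside a validator that only permits site-relative paths or absolute URLs on the site's own host. The host name example.com is a constructed value; WordPress itself offers wp_safe_redirect() and wp_validate_redirect() for this job.

```php
<?php
// Added example, not WordPress core code. Site host is a constructed value.

// VULNERABLE: the Location header is built from the raw parameter, so
// ?redirect_to=https://attacker.example/ sends the visitor off-site.
function redirect_unsafe(string $target): void {
    header('Location: ' . $target);
    exit;
}

// HARDENED: return $target only if it stays on $site_host, else $fallback.
// Assumption: $site_host is the canonical host, e.g. "example.com".
function validate_redirect(string $target, string $site_host, string $fallback = '/'): string {
    $target = trim($target);
    // Control characters could split the header; reject outright.
    if (preg_match('/[\x00-\x1f]/', $target)) {
        return $fallback;
    }
    // Scheme-relative "//host" and "/\host" forms are treated by browsers
    // as absolute URLs to another host, so they are not "site-relative".
    if (preg_match('#^/[/\\\\]#', $target)) {
        return $fallback;
    }
    // A plain site-relative path ("/wp-admin/") is acceptable.
    if ($target !== '' && $target[0] === '/') {
        return $target;
    }
    // Otherwise require an absolute http(s) URL whose host matches exactly.
    // parse_url() puts "user@" in 'user', so "https://example.com@attacker.example/"
    // yields host attacker.example and is rejected.
    $parts = parse_url($target);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (strcasecmp($parts['host'], $site_host) !== 0) {
        return $fallback;
    }
    return $target;
}

function redirect_safe(string $target, string $site_host): void {
    header('Location: ' . validate_redirect($target, $site_host));
    exit;
}

// Constructed checks: same-host and relative targets pass, the rest fall back to "/".
assert(validate_redirect('https://example.com/wp-admin/', 'example.com') === 'https://example.com/wp-admin/');
assert(validate_redirect('/wp-admin/', 'example.com') === '/wp-admin/');
assert(validate_redirect('https://attacker.example/', 'example.com') === '/');
assert(validate_redirect('//attacker.example/', 'example.com') === '/');
assert(validate_redirect('https://example.com@attacker.example/', 'example.com') === '/');
assert(validate_redirect('javascript:alert(1)', 'example.com') === '/');
```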
What You Should Do About This WordPress Update
Our clients that have signed on to our WordPress security and update services do not have to worry. Their sites are being backed up, updated, and tested for compatibility right now, if they have not already had the security update applied.
If you have a WordPress site and are not signed up to our program, you will need to log into your site and apply the update as soon as possible to ensure your site is not attacked.
You should back up your WordPress installation before applying any updates. After applying updates, check for plugins that also need to be updated. Once all updates have been applied, it is a good idea to check your website to ensure that any plugins and/or custom coding are compatible with the new WordPress version. There are times when a security update “breaks” a website because the new code is incompatible with older plugins that have not been updated.
WordPress Auto Updates
WordPress can be configured to apply updates automatically, and on the surface this seems like a good idea. However, as noted above, there have been times when updates have caused websites built on WordPress to stop functioning correctly (even though the update has secured them). The reason is that additional functionality is often provided by custom coding or installed plugins, which may not be compatible with a new WordPress Core version.
If an auto update is applied and you don’t check your website for several days, you may discover that it has not been working correctly – and you’ve lost potential new business as a result. You can read more about the dangers of auto-updates here.
I Didn’t Update And Now My Site Has Been Hacked
Many business owners and managers simply don’t have the time to keep track of all the updates that happen, and sometimes their websites get hacked. It can be pretty scary to realize that Google has posted a warning about your website in the search results. In addition, visitors trying to reach your site may see an alarming warning in their browser advising them that your website is compromised and may cause damage if they continue.
Fixing up a site that has been hacked can take a lot of time, especially if you don’t have full backups (both a database AND file system backup) available. Even if you do have full backups, it can still take time away from your business to restore everything and then apply updates as required.
If you’re not comfortable with trying to get it done on your own, we can help you get your site back up and working again. Give us a call at (519) 940-3504 or email us.
The best remedy is prevention in the first place; consider getting into our WordPress Security program so you don’t have to worry about spending time away from your business to apply updates, ensure your website is working, or worry about your site being hacked.
Either way, get your WordPress updated ASAP!