WordPress vulnerabilities and the importance of keeping your site updated

WordPress is expected to release an update on the 18th of August. Why is that important to you?

The newest update is said to focus mainly on stronger password protection, a more powerful admin UI, and a better experience for mobile users. It also addresses the latest vulnerabilities that have been discovered in the platform, and makes it harder for users to harm or misuse your site, whether on purpose or by accident.

There are quite a few very popular WordPress plugins that have recently been found to make the systems on which they are installed vulnerable – or potentially vulnerable – to hackers, malware and all the evil that lurks out there on the net. Most of these vulnerabilities are fairly minor, and many are non-issues in practice, but a few are serious security flaws which need to be fixed.

The good news is that the next update will eliminate quite a few of these problems, but what should you know about the threats until 18 August?

So, what is currently vulnerable?

There are quite a few vulnerabilities, but you can check whether any of the plugins you have installed are affected by using, wait for it… another plug-in. This is only one of many security plugins available and not one I specifically endorse.

Just to give you an example, there is a known vulnerability present in a popular plug-in called Twenty Fifteen. The problem is in one component of the plug-in called genericons. I use this example because WordPress currently installs Twenty Fifteen by default, so many of you do actually have this plug-in, and this vulnerability.

Genericons contains a cross-site scripting (XSS) flaw which can form an avenue for malicious code to be sent directly to a user’s browser, bypassing the firewall at the server, because the code runs in the browser rather than on your server. Of course, the user would still have to click on a link that was set up with the intention of exploiting this vulnerability. But none of you have ever clicked a dodgy link just to see what would happen, have you?
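The point of the genericons flaw is that it lives in the browser: a script in the page takes a value from the address bar and writes it into the document as markup, so a server-side firewall never sees the injected code. The block below is an added illustration, not code from this post, from WordPress or from the genericons package. It models that pattern in plain JavaScript that runs offline in Node: `renderUnsafe` writes a value verbatim (what `innerHTML` does), `renderSafe` encodes it first (what `textContent` or proper escaping does), and `containsForeignTag` is a small defender-side check that flags when untrusted markup got through. The function names and the sample inputs in `SAMPLE_INPUTS` are constructed for the example.

```javascript
// Added example (not from the original post, WordPress or genericons).
// Both renderers return the HTML string a browser would parse, so the
// difference can be inspected without a DOM.

// Encode the five characters that let text break out of an HTML text
// node or a quoted attribute value.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: a value taken from the URL is placed into the
// markup verbatim (equivalent to element.innerHTML = ...).
function renderUnsafe(fragmentValue) {
  return '<h1>Icon: ' + fragmentValue + '</h1>';
}

// Hardened pattern: the same value is encoded first (equivalent to
// element.textContent = ..., which never creates new elements).
function renderSafe(fragmentValue) {
  return '<h1>Icon: ' + escapeHtml(fragmentValue) + '</h1>';
}

// Defender-side check: does the rendered markup contain any element
// other than the ones the template itself emits? Used here only to show
// which renderer let untrusted markup through.
function containsForeignTag(html, allowed = ['h1']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed inputs: a normal icon name and a value carrying markup.
const SAMPLE_INPUTS = {
  benign: 'genericons-star',
  markup: '<b>star</b>', // constructed; shows injection without any real payload
};

for (const [label, value] of Object.entries(SAMPLE_INPUTS)) {
  console.log(label, '| unsafe renderer leaks markup:', containsForeignTag(renderUnsafe(value)));
  console.log(label, '| safe renderer leaks markup:  ', containsForeignTag(renderSafe(value)));
}
```

Run it with `node` and the `markup` input is flagged only for the unsafe renderer. The lesson for site owners is that no amount of server-side filtering fixes this class of bug; it is the theme or plugin code itself that must encode what it writes into the page, which is exactly what the update delivers.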

How authentication affects vulnerability

A few types of attack can be made by an unauthenticated user – someone who is not logged in and is almost certainly accessing your server remotely. These are often the really bad ‘hacks’ where your business or personal data can be stolen, and your site itself can be infected by software that will hijack it to distribute malware or spam. Vulnerabilities that make it possible for an unauthenticated user to harm your site are really big deals, and are generally the highest priority to be fixed when it comes to releasing an update.

If a vulnerability only makes an attack possible for an authenticated user, there is generally less cause for alarm. Still, many websites have a great many authenticated low-level users, and not all of them practice good data security. A user with a stolen password could still cause a lot of trouble. These issues are seen as less of a priority than unauthenticated attacks, but they still get fixed in good order.

Last, there are vulnerabilities that can only be abused by high-level users, like site owners, administrators, blog editors, etc. These are often seen as less of a security priority because these users are already trusted to make big, important changes to the site, and to access much of its data. To use an analogy, your night security guard has a ring of keys that can open every door in the building so he can make his rounds. You discover that, by accident, one of his keys also opens the cabinet that holds the printer paper. Is it a security flaw? Yes. Is it something that needs to be fixed? Maybe. If there is time. It’s not a big deal for most people.

But what can I do?

Most of the time, it will be enough to make sure your website is using the latest version of WordPress, and the most up-to-date versions of all of your plugins. If you have a WordPress maintenance package, this will be done automatically. If not, you’d best do it manually or sign up.

Published: 15/07/2015

Last modified: 18/04/2023

Written By

Tim Oxendale

I'm an award-winning plant-powered (Vegan) freelance WordPress Developer/Web Designer. I work with great individuals, small-to-medium sized businesses and start-ups. I aim to have a great relationship with all my clients where I can add value to their business by being dependable, honest and by doing the type of work that makes a difference.
