Update To WordPress 4.2 Over The Weekend? You May Be Under Attack!
Did you update your WordPress content management system to version 4.2 over the weekend? If so, then your site may currently be vulnerable to an attack in your comments system through what is called a Stored Cross Site Script (or XSS).
This XSS vulnerability in WordPress security presents attackers with the opportunity to exploit an issue in the way comments are stored in the database of your site. Once the attacker has access to your database, they can create a wide variety of issues for you, including:
- Inserting malicious scripts
- Inserting SEO spam
- Inserting a backdoor in the site’s code to run when an admin is logged in
UPDATE: At about 2:30pm Eastern Time, WordPress released a patch update to address this issue. Click here to download WordPress 4.2.1 immediately.
In the short term, it is best to disable comments on your site if you are running the standard WP commenting system and do not have any type of comment spam filtering setup (like Akismet, for example) until a patch is available. At the time I am writing this, commentor’s on a post about the vulnerability on Sucuri’s blog admit that developers at WordPress are aware of the issue and working on a patch.
That said, the original reporter of this vulnerability (tip of the hat to Klikki Oly, btw) mentioned that a similar issue reported in 2014 took nearly 14 months to get patched, so you might not want to wait this one out.
Below you will find a list of options for protecting your site against this WordPress 4.2 Stored XSS security vulnerability along with insights on how Netrepid protects its customers (and can protect your site, too) from issues like this today – and in the future.
How You Can Protect Your WordPress Website From The Stored XSS Security Vulnerability
Because this is a comment attack, protection against this vulnerability is fairly easy. Below are a few options you have if you currently have a commenting system that is unprotected.
- Disable commenting on your site until a patch is provided directly by WordPress
- Enable a comment spam prevention tool like Akismet (editor’s note: we use Akismet on our blog here at Netrepid)
- Enable a hosted website firewall like the one powered by Netrepid (more on that below)
The easiest solution is probably to install Akismet. Akismet comes packaged in every WordPress installation, and if you are willing to create a free account on their site, you can get an API key to use their spam prevention tools.
In addition to the hosted firewall we use at Netrepid to protect our website from a variety of attacks, we also use Akismet to protect our blog from comment spam and other vulnerabilities like Stored XSS.
Longer term, you may want to look into adding a hosted firewall application to protect you from attacks like this – and a variety of other harmful threats to your web security.
How Netrepid Protects Its Customers From The Stored XSS Attack
Our hosting services are protected behind clustered, highly available firewalls. As a way to prevent injection attempts like Stored XSS, our firewalls do deep level packet inspection on all traffic (inbound and outbound), block common ports, and analyze all traffic patterns.
Whether you host your website with Netrepid or not, we strongly recommend putting an application level firewall in place for any of your hosted services (email, website, intranet, etc.). Firewalls like this block things like:
- Bot scans
- Malicious scans
- Entry attempts
- DDOS attacks
- Site vulnerabilities
- Other elements that cause performance issues
For more information on that and all of our services for website hosting, please check out our website hosting page.