Do you have a WordPress site? If so, you might want to check that it hasn’t been compromised—especially if you have the “All in One SEO Pack,” which is an extremely popular plug-in. While WordPress sites are designed to be incredibly user-friendly, making it simple to create a website or blog yourself, a number of web design companies also use the platform. Just because you’re not directly managing your online presence doesn’t mean you’re not at risk.
Immediate action is required: upgrade the beloved SEO plug-in to the brand-new version, which was just released to fix the bugs and restore your website’s safety. According to researchers at Sucuri, a web security firm, there are two major flaws in the plug-in: attackers can gain access by upping their privileges (essentially making themselves administrators without your consent), and they can then poison the site with “malicious code.”
What This Means for Site Owners
Sucuri researchers posted on their own blog on Saturday, May 30, 2014, saying, “If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk, so you have to update the plugin now.” The plug-in is so popular because it lets WordPress content be auto-optimized for better indexing.
In other words, search engine crawlers (including the biggies like Google and Bing) can enjoy better ranking, which leads to better search results. It’s nearly a requisite for WordPress sites to have this plug-in if the goal is to get higher and more relevant rankings. WordPress announced that the plug-in was downloaded 18.5 million times before the flaw in the latest version was found.
A Hacker’s Playground
Just about anyone with an account can exploit one of the flaws, from a subscriber to an author, which lets them change descriptions, meta tags and even the SEO title. This isn’t a big deal unless it’s used maliciously, such as if a random hacker decides to target your site or if the competition catches wind of the vulnerability and uses this opportunity to “take you down” (to the dregs of search results). If you’re not a major corporation and don’t have any enemies, you may be safe, but it’s not worth the gamble.
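The two defect classes the article describes (a low-privilege user being allowed to rewrite SEO fields, and stored text being echoed into every visitor’s page as “malicious code”) both come down to checks a plug-in either performs or skips. The following is an added illustration, not code from the All in One SEO Pack or from Sucuri: a hypothetical WordPress meta box that stores an SEO title, shown first without the checks and then with them. All function and meta-key names prefixed `seo_demo` are invented for this example; the WordPress API calls (`current_user_can`, `wp_verify_nonce`, `sanitize_text_field`, `esc_attr`) are real.

```php
<?php
/*
 * Added example: a hypothetical SEO-title meta box for a WordPress post.
 * Not the All in One SEO Pack's code. Names prefixed seo_demo are invented.
 */

// --- BEFORE: trusts any request and echoes stored text raw -----------------------

function seo_demo_save_unchecked( $post_id ) {
    if ( isset( $_POST['seo_demo_title'] ) ) {
        // No capability or nonce check: any logged-in user whose request reaches
        // this hook (a subscriber included) can rewrite the SEO title.
        update_post_meta( $post_id, '_seo_demo_title', $_POST['seo_demo_title'] );
    }
}

function seo_demo_head_unescaped() {
    if ( is_singular() ) {
        $title = get_post_meta( get_queried_object_id(), '_seo_demo_title', true );
        // Raw echo: whatever was stored, markup included, lands in every visitor's page.
        echo '<meta name="title" content="' . $title . '">' . "\n";
    }
}

// --- AFTER: authorise, verify intent, sanitise on input, escape on output ----------

function seo_demo_meta_box_html( $post ) {
    // The nonce ties a later save request to this form and this post.
    wp_nonce_field( 'seo_demo_save_' . $post->ID, 'seo_demo_nonce' );
    $title = get_post_meta( $post->ID, '_seo_demo_title', true );
    echo '<label for="seo_demo_title">SEO title</label> ';
    echo '<input type="text" id="seo_demo_title" name="seo_demo_title" value="'
        . esc_attr( $title ) . '">';
}

function seo_demo_save_checked( $post_id ) {
    // 1. Autosaves never carry this form; ignore them.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // 2. The request must carry the nonce the meta box printed (CSRF / intent check).
    if ( ! isset( $_POST['seo_demo_nonce'] )
        || ! wp_verify_nonce( $_POST['seo_demo_nonce'], 'seo_demo_save_' . $post_id ) ) {
        return;
    }
    // 3. The current user must be allowed to edit THIS post; subscribers fail here.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['seo_demo_title'] ) ) {
        // 4. Store a sanitised plain-text value, never raw request data.
        $clean = sanitize_text_field( wp_unslash( $_POST['seo_demo_title'] ) );
        update_post_meta( $post_id, '_seo_demo_title', $clean );
    }
}

function seo_demo_head_escaped() {
    if ( is_singular() ) {
        $title = get_post_meta( get_queried_object_id(), '_seo_demo_title', true );
        if ( '' !== $title ) {
            // 5. Escape at the point of output so stored text cannot break out of the attribute.
            echo '<meta name="title" content="' . esc_attr( $title ) . '">' . "\n";
        }
    }
}

// Only the hardened pair is hooked; the "before" functions are kept for comparison.
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'seo_demo', 'SEO (demo)', 'seo_demo_meta_box_html', 'post' );
} );
add_action( 'save_post', 'seo_demo_save_checked' );
add_action( 'wp_head', 'seo_demo_head_escaped' );
```

The capability check is what separates an author from a subscriber (`edit_post` is granted per post, so an author also cannot edit someone else’s post), and the output escaping is what stops a stored value from becoming executable in visitors’ browsers even if an input check is ever bypassed. When reviewing a plug-in, look for both: a save path that reads `$_POST` without `current_user_can` and a nonce, and a `wp_head` or template path that echoes post meta without an `esc_*` call.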
On Sunday, June 1, 2014, WordPress officials advised everyone to upgrade the plug-in to version 2.1.6. You can download the upgrade directly or get it from the plug-in’s admin panel. This isn’t the first time WordPress sites have been targeted, as attackers have come to enjoy pinpointing the platform’s vulnerabilities. Themes and plug-ins are especially big targets.
This doesn’t mean you have to stop using WordPress—but it does mean you need to stay on top of vulnerabilities and act accordingly.