Blind SQL Injection Vulnerability Found in WordPress SEO Plugin

A blind SQL injection vulnerability has been discovered in the popular WordPress SEO plugin by Yoast. An advisory was issued by the WPScan Vulnerability Database after responsibly disclosing the vulnerability to the plugin author:

The latest version at the time of writing (1.7.3.3) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities.

The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.

The latest version of WordPress SEO by Yoast (1.7.4) contains a patch for this vulnerability. The changelog reads: “fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor.”
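The advisory's root cause is a sort column and direction taken straight from the request. Those fragments cannot be bound as prepared-statement parameters, so the fix has to be an allowlist. The following is an added illustrative example, not code from the Yoast plugin or its patch; the column names and the two `build_order_clause_*` helpers are assumptions for this demonstration.

```php
<?php
// Added illustrative example, not code from the Yoast plugin or its fix.
// ORDER BY column names and directions cannot be bound as prepared-statement
// parameters, so the request values must be mapped onto a fixed allowlist
// before they are placed in the SQL string.

/**
 * Unsafe pattern (hypothetical): the request values land in the query verbatim,
 * so whatever text the client sends becomes part of the SQL.
 */
function build_order_clause_unsafe(array $get): string {
    $orderby = $get['orderby'] ?? 'post_date';
    $order   = $get['order'] ?? 'asc';
    return "ORDER BY $orderby $order";
}

/**
 * Hardened pattern: only known column names and the two sort directions are
 * accepted; anything else falls back to a default and is never interpolated.
 */
function build_order_clause_safe(array $get): string {
    // Allowlist keyed by the request value; values are the real column names.
    static $columns = [
        'post_title' => 'post_title',
        'post_date'  => 'post_date',
        'post_type'  => 'post_type',
    ];
    $orderby = $get['orderby'] ?? '';
    $order   = $get['order'] ?? '';

    // is_string() guards against array-valued parameters such as ?orderby[]=x.
    $column    = (is_string($orderby) && isset($columns[$orderby]))
        ? $columns[$orderby] : 'post_date';
    $direction = (is_string($order) && strtolower($order) === 'desc')
        ? 'DESC' : 'ASC';
    return "ORDER BY $column $direction";
}

// Constructed request standing in for $_GET: neither value is a valid option.
$request = ['orderby' => 'not_a_column', 'order' => 'sideways'];

echo build_order_clause_unsafe($request), PHP_EOL;
echo build_order_clause_safe($request), PHP_EOL;
```

Run with the `php` CLI: the first line shows the request text interpolated untouched, the second shows the allowlisted defaults in its place.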

We have scanned all websites with an active VaultPress plan and updated the WordPress SEO plugin to version 1.7.4 where necessary. If there are cases where we’re not able to update the affected plugin ourselves, we will e-mail the website owners to make sure they are aware of this.

If you use the WordPress SEO by Yoast plugin, we strongly recommend that you make sure you are on the latest version. You can update this plugin by visiting Dashboard → Updates in your WordPress dashboard, selecting WordPress SEO by Yoast, and clicking the Update Plugins button.

As always, drop us a line if you have any questions or need any help!

Posted in General, Security

Vulnerability in WP-Slimstat Plugin

A vulnerability has been found by Sucuri in the WP-Slimstat plugin, which affects all versions up to 3.9.5. The vulnerability may allow attackers to inject SQL commands into your database, allowing them to make arbitrary changes.

If you use the WP-Slimstat plugin, we strongly recommend that you update to version 3.9.6 as soon as possible. You can update this plugin by visiting Dashboard → Updates in your WordPress dashboard, selecting WP-Slimstat, and clicking the Update Plugins button.

As always, drop us a line if you have any questions or need any help!

Posted in General, Security

Remote Access Options on VaultPress

VaultPress will always back up your website, even if it is only connected through the registered plugin on your WordPress website.

However, to really speed things up and take advantage of our automated restore system, we recommend enabling one or more remote access options on the Settings page of your VaultPress dashboard.

In addition to faster backups and restore functionality, providing us with remote access lets us access your server in an emergency, and improve support response times.

VaultPress currently offers the following remote access options:

SSH

SSH stands for Secure Shell, and it’s a secure way to remotely access a server. SSH provides full access to your server, including your database, so we’ll be able to troubleshoot faster if something goes wrong.

Not all hosts or hosting plans allow SSH access, but if you have SSH credentials we recommend adding them.

Learn more about SSH, and how to enable it for VaultPress.

SFTP

SFTP stands for SSH File Transfer Protocol (or Secure File Transfer Protocol). SFTP allows us to connect to your server securely, but it only provides access to your files, and not your database. We always recommend that you use SSH and SFTP over plain FTP.

Key-based Authentication

VaultPress can connect using SFTP or SSH with key-based authentication, instead of a password. In order to set this up, you have to add the public key shown on the Settings page of your VaultPress dashboard to the .ssh/authorized_keys file on your server. That will allow VaultPress to connect without using a password.

Not all servers will support key-based authentication, so you should contact your hosting provider for further details.

FTP

FTP (File Transfer Protocol) is the most widely used protocol for accessing files on a web server. However, FTP is an insecure protocol that should only be used in limited cases on networks you trust. We do not recommend using plain FTP if you have SFTP or SSH available to you.

Common questions

Where can I find my remote access credentials?

VaultPress uses the remote access credentials to directly connect to the server where your website is hosted. You should be able to find the credentials by referring to your hosting provider’s documentation, or by asking them. Please refer to this guide for more details, or drop us a line.

Do I need to create a special VaultPress user?

No, VaultPress will work with any username as long as the credentials supplied are valid.

What permissions need to be in place?

The FTP/SFTP/SSH username you configure on VaultPress needs to have full (read/write/execute) permissions over the public folder (usually, “public_html”) on your server.

As always, if you have any further questions, please feel free to drop us a line. We’re happy to help!

Posted in General, Help

FancyBox for WordPress Vulnerability

A vulnerability has been discovered in most versions of the Fancybox-for-WordPress plugin. This vulnerability makes it possible for attackers to inject malicious code into affected sites. If you’re using this plugin, you should immediately upgrade to the latest version.

Our security scanner has been watching for affected versions of Fancybox-for-WordPress on all VaultPress sites with security plans for the past few days. If you have already received a notification about this, please upgrade the plugin as soon as possible.

As this issue is widespread, we are also manually scanning all VaultPress-protected sites for vulnerable versions of the plugin regardless of your plan level. We will contact affected site owners directly by email and advise them to upgrade.

If your site uses a vulnerable version of Fancybox-for-WordPress, you can upgrade it from your WordPress dashboard:

  1. From your WordPress dashboard, navigate to Dashboard → Updates
  2. Scroll down to the “Plugins” section
  3. Select the “Fancybox-for-WordPress” plugin from the list, and click the “Update Plugins” button.
  4. Wait for the plugin update to download and install.

Alternately, if you are unable to upgrade plugins from your dashboard you can download the latest version of the plugin directly from WordPress.org.

As always, please let us know if you have any questions!

Posted in General, Security

WordPress Security Q&A with VaultPress Vaultkeeper

Running a WordPress website means that you have to stay up-to-date with the best security measures in order to protect your website and data from any threats. 

VaultPress Vaultkeeper and lead developer, Mark George, is joining us today for a Q&A on the best ways to stay safe online, and to protect your WordPress website.

How did you find out about WordPress and what were your first impressions?

I’m a latecomer. I first played with WordPress about 4 years ago, when I needed to throw together a quick website for some software I had written. 

Back then, my typical approach to building websites was to throw together some raw HTML, CSS and add a splash of Python or Perl as necessary.

But that was always time-consuming; I just wanted a basic page up quickly without much fuss so I decided to try WordPress out.

When I first started with it, I found it really frustrating. I knew it was a valuable tool for people who didn’t know how to build sites on their own, but I had years of experience building standalone sites. Every tweak I needed to make to the CSS, every line of custom code I had to add to my own plugins, I kept reflecting on how much easier it would be to use the tools I already knew and start from scratch.

But I stuck with it, and I’m glad I did. Once I got used to the way WordPress works and its APIs, I came to appreciate both how flexible it is, and how valuable it is to have a huge pool of prebuilt themes and plugins to draw from when building sites.

Even when you know how to build all that stuff yourself, you don’t want to waste time on it for every site you build.

When did you start working on the VaultPress project? 

I started in early 2013. In 2012, I had been working for a version control hosting provider for 6 years running. I’d built their hosting system from scratch working with only one other developer initially, and I needed something new to sink my teeth into. 

I had heard about Automattic, and was pretty impressed with WordPress at that point so I decided to apply. I hadn’t heard of VaultPress yet, and just wanted to work with the talented and interesting folk behind WordPress.

I came on board in January of 2013, and started to learn how VaultPress’ backup engine worked. Since then, I’ve rewritten most of it. I’ve worked with VaultPress and contributed enough to its development that I feel it’s my baby now, even though I didn’t start the project.

Internet security is a widely discussed topic today. What is the most important piece of security advice you would give to every WordPress site owner out there?

Keep every layer of your software stack up to date; everything from your OS kernel, up to your CMS. Software security is an ongoing and escalating arms race between hackers and developers, so falling behind is really dangerous.

Out-of-date plugins, themes and WordPress core installations are dangerous and should be updated. Modern versions of WordPress support automatic updates, and I strongly recommend enabling that. 

Just last year, hundreds of thousands of sites were infected through a vulnerability in the Slider Revolution plugin which had been patched months prior. Had those site owners kept their software up-to-date, they wouldn’t have been vulnerable.

Outside of vulnerable plugins and themes, it’s also common for hosting providers to limit their customers to plain old insecure FTP for file management. In my opinion, users should avoid hosts that don’t offer more secure file management protocols (such as SFTP or SSH). 

You can never make anything perfectly secure, but staying up-to-date is a key step in keeping up with the arms race.

WordPress is currently used on 23.3% of websites worldwide and is on track to reach 25% before the end of the year. As WordPress becomes more popular, do you think it’ll become a bigger target? How do you think this should be addressed?

WordPress is already one of the biggest targets on the internet. Despite that, core WordPress has remained reasonably secure and free from hacks. The core WordPress development team are some of the most skilled programmers in the world. I feel they should be commended for their excellent work. 

As I mentioned before, most attacks on WordPress sites have been made possible by vulnerabilities introduced by plugins and themes. I feel that as WordPress use grows, we need to focus on training and resources for plugin and theme developers to help keep the rest of the ecosystem as secure as its core.

What do you do to stay secure online? 

I use 1Password to manage my credentials. It allows me to keep a separate random password for every service I interact with. I don’t know most of my passwords at all; I just let 1Password handle them for me.

Wherever available, I use 2 factor authentication. Everyone should turn it on for their WordPress.com accounts; it’s an excellent security feature. 

If you were to create a WordPress site from scratch, what would you do to make sure it’s secure? 

I would install VaultPress on it!

I’d also keep my plugins and themes up-to-date, and be extremely selective about which ones I use. 

I tend to prefer Open Source software, and avoid commercial plugins whenever possible. Open Source software allows more people (including myself) to review the code, leading to better security.

Posted in General, Security