Critical WordPress Flaw Goes Unpatched for Six Weeks…Relax, You Can Keep WordPress

Today the headlines on security blogs roared the news of another WordPress bug. Those headlines draw lots of eyeballs and click-throughs, because WordPress is the number one CMS in the world with an estimated 27% of all sites running WordPress. WordPress detractors gleefully repost, tweet and whisper. In staff meetings and small businesses across the country, questions abound:

  • Is our site affected?
  • How could the WordPress people let this happen?
  • Should I/we dump WordPress?

This issue comes at an interesting time for WordPress. Only versions prior to V5.0 are affected, but V5.0 came with the new block editor (code-named Gutenberg) installed standard, so many site owners put off installing the new version until they had time to learn the new editor.

If you are running a version of WordPress prior to V5.0, be aware that this flaw allows a user logged in with Editor credentials (one step below Admin) to execute code on the web server. That’s not good, but let’s remember that the attacker has to be logged in as an Editor, which means they came by those credentials either by tricking a user into revealing them or through a brute force attack on the WordPress login. Brute force means a bot program tries likely username and password combinations until it guesses a correct one. Because an Editor’s user name is often exposed on the site (it is usually the same as the Author name shown on articles, and author archive URLs reveal the login slug as well), the bot already has half of that combo to work with, so it only needs to guess the password. Treat usernames as public and put the strength in the password and the login defenses.

How to address the WordPress threat

So what do you do to address this threat? Many of the same things you should have done to secure the site in the first place, as I have written about before:

  • Upgrade to the latest version. Learn to use the new editor; there won’t be another such change for a while. Set your site for automatic updates (minor security releases apply themselves by default; major releases can be enabled as well in wp-config.php).
  • Review your Users list and delete any accounts that are no longer in use.
  • Require new passwords for all users (YOU TOO), and ensure that these are strong passwords.
  • Install a plugin that can manage brute force attacks by limiting the number of unsuccessful logins before locking a user out. The Wordfence plugin does this in addition to other useful things, but there are other choices. Two-factor authentication is another possibility that should be considered.
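To make the brute force point above concrete, here is a small login-lockout policy of the kind such a plugin enforces: after a set number of failed logins for a given source IP and username inside a sliding window, further attempts for that pair are rejected for a lockout period, whether or not the password is finally right. This is an added example written for this article, not code from WordPress or from any plugin named here. The attempt records (a bot from 203.0.113.7 guessing against the exposed author name “steve”, then the real editor logging in from 198.51.100.4) are constructed for the demonstration, and the class and function names are mine.

```python
"""Failed-login lockout, the core of what a brute-force-limiting plugin does.

Added example for this article; not WordPress or plugin code. The attempt
records and all names (LoginLimiter, replay, SAMPLE_ATTEMPTS) are hypothetical.
"""
from collections import defaultdict, deque


class LoginLimiter:
    """Lock a (source IP, username) pair after `max_failures` failed logins
    within a sliding window of `window_seconds`; the lock lasts `lockout_seconds`."""

    def __init__(self, max_failures=5, window_seconds=600, lockout_seconds=1800):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
        self._locked_until = {}              # (ip, user) -> time the lock expires

    @staticmethod
    def _key(ip, username):
        # Usernames are matched case-insensitively, as the WordPress login does.
        return (ip, username.lower())

    def is_locked(self, ip, username, now):
        until = self._locked_until.get(self._key(ip, username))
        return until is not None and now < until

    def record(self, ip, username, success, now):
        """Record one login attempt; return 'locked', 'ok' or 'failed'.

        A locked pair is rejected before the password is checked, so a correct
        guess that arrives during the lockout does not get the attacker in.
        """
        key = self._key(ip, username)
        if self.is_locked(ip, username, now):
            return "locked"
        if success:
            self._failures.pop(key, None)  # a real login clears the failure history
            return "ok"
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


# Constructed attempts: (seconds since start, source IP, username, password correct?)
SAMPLE_ATTEMPTS = [
    (0,    "203.0.113.7",  "steve", False),  # bot starts guessing the author's password
    (5,    "203.0.113.7",  "steve", False),
    (10,   "203.0.113.7",  "steve", False),
    (15,   "203.0.113.7",  "steve", False),
    (20,   "203.0.113.7",  "steve", False),  # fifth failure in the window: lock the pair
    (25,   "203.0.113.7",  "steve", True),   # bot finally guesses right, but it is locked out
    (30,   "198.51.100.4", "steve", True),   # the real editor, from another IP, is unaffected
    (2000, "203.0.113.7",  "steve", False),  # lock expired (20 + 1800 s); counting restarts
]


def replay(attempts, **policy):
    """Run a list of attempts through a fresh LoginLimiter; return the outcomes."""
    limiter = LoginLimiter(**policy)
    return [limiter.record(ip, user, ok, t) for t, ip, user, ok in attempts]


if __name__ == "__main__":
    for (t, ip, user, ok), outcome in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:>4}s {ip:<13} {user:<6} correct={ok!s:<5} -> {outcome}")
```

Keying the lock on the IP and username together is a deliberate choice: locking on the username alone lets an attacker lock your real editors out on purpose, while locking on the IP alone is sidestepped by a bot that rotates through many addresses. Plugins differ in how they combine the two, and two-factor authentication removes the password-guessing problem altogether.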

Why did the WordPress team let this bug go for so long?

The answer is, they didn’t. There are bugs in every piece of complex software, and some go for years without being recognized. In this case an independent team of researchers found the bug, notified WordPress privately, and WordPress fixed it before the details were published.

Is WordPress Unsafe?

Should you dump WordPress in favor of a “safe” static HTML site? In the first place, a static site is not automatically more secure than WordPress; it is only as secure as the methods used to protect the server and the accounts that publish to it, same as WordPress. Be wary of agencies urging you to drop WordPress for HTML because they claim it isn’t secure: in doing so you are probably giving up the ability to update the site with your own resources, unless you employ a developer. These agencies may be trying to get you into a maintenance contract that will be difficult to leave. At Oinkodomeo, we don’t consider this kind of “chaining” to be good business, but others think it’s a perfectly valid method for client retention and recurring revenue streams.

Don’t fall for the sensationalist headlines

In closing, I want to say something about the sensational headlines some security blogs use as click-bait. I recommend that you read at least one of them, as I do, because they usually report the facts of the matter concisely and in clear language. You DO need to understand these threats as they occur, but overall the advice for guarding against them is the same as I explained above. If you like WordPress, keep WordPress, and get BLOGGING!

Steve Glass is Oinkodomeo’s Chief Martech Officer and ten-year WordPress veteran.