WordPress 3.x Security Warning: Malicious Code Hidden in Comments
That annoying comment might be more than spam telling visitors how to solve their intimacy issues, or how to make easy money at home. Instead, it may be malicious code that could hijack your site, lock you out completely, and even take over your server as a whole -- a nightmare for larger companies that store more than a simple webpage on their servers.
Fortunately, the bug, discovered by Finnish IT security company Klikki Oy, was reported to WordPress months before being made public, and security patches are already being automatically (no pun intended) deployed. The bug affects an estimated 86 percent of WordPress sites (those running any unpatched version of WordPress 3; version 4.0, which was released in September, is not affected). The exploit uses text input fields, such as the enabled-by-default blog comments feature, to deploy malicious code.
Wait, Malicious Comments?
Exactly. The bug is exploited by posting malicious code in a text-entry field, such as a blog comment field. When a WordPress administrator views the comment, the code is executed in the viewer's web browser, allowing the hacker to perform administrative tasks. According to Klikki Oy:
Such operations - demonstrated by our proof of concept exploits - include creating a new administrator account (with a known password), changing the current administrator password, and in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.
That may be gibberish to some, so we'll say this: it is bad. It's like a squatter walking into the back door of your house and changing your locks, all by posting a blog comment.
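To make the mechanism above concrete, here is an added example (it is not code from this post, from Klikki Oy, or from WordPress itself) showing the general shape of the flaw: a comment body is stored as submitted and later interpolated, unescaped, into the page an administrator views, so browser-executable markup inside it runs with that administrator's logged-in session. The sample comment, the function names, and the moderation-queue check are all constructed for this illustration; the fix shown is plain HTML output encoding of every untrusted value.

```javascript
// Added example, not WordPress code. Shows why raw comment text in an admin page is
// dangerous and how escaping on output neutralises it.

// Constructed sample: a comment body as an attacker might submit it (placeholder payload).
const SAMPLE_COMMENT = 'Great post! <script>alert("admin session")</script>';

// Escape the five characters that change meaning when text lands inside HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: untrusted author and body dropped straight into the markup
// of the moderation page. A browser rendering this will execute the script tag.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened pattern: every untrusted value is encoded on output, so the stored
// payload is displayed as literal text instead of being interpreted as HTML.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Does the rendered HTML still contain a live script element? Useful as a
// regression check on any template that shows visitor-supplied text.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Moderation-queue heuristic (constructed): flag comments carrying markup that
// has no business in a blog comment, so they are reviewed rather than trusted.
const SUSPICIOUS_MARKUP = /<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:/i;
function looksLikeMarkupInjection(body) {
  return SUSPICIOUS_MARKUP.test(body);
}

// Stand-alone demonstration.
console.log('unsafe :', renderCommentUnsafe('visitor', SAMPLE_COMMENT));
console.log('safe   :', renderCommentSafe('visitor', SAMPLE_COMMENT));
console.log('flagged:', looksLikeMarkupInjection(SAMPLE_COMMENT));

module.exports = { escapeHtml, renderCommentUnsafe, renderCommentSafe, containsRawScript, looksLikeMarkupInjection };
```

The point for anyone running their own site: escaping belongs at the place the text is written into the page, not only at the place it is accepted, because a stored comment is read back by many different screens (the public post, the admin moderation list, e-mail notifications), and a gap in any one of them is enough. The heuristic flag is a review aid, not a filter; the actual defence is the encoding.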
The simplest fix, as always, is to update your WordPress installation. You can do it by logging in and clicking the update button -- WordPress is really easy to keep up-to-date. (As always, backing up before updating is good advice.) If you are holding off for some reason, such as plug-ins or themes that won't play nice with WordPress 4, a security patch is automatically deploying to most sites running 3.7.4, 3.8.4, and 3.9.2. (If you're on anything older than that, you really need to upgrade, as WP does not support older versions.)
If you are already on WordPress 4.0, you'll also want to click the update button: a security update for that version addresses eight other security issues.
- WordPress Security Bug: Don't Log In From Public Wi-Fi (FindLaw's Technologist Blog)
- 5 Killer Features in WordPress 3.9 'Smith' (FindLaw's Technologist Blog)
- WordPress in One Hour for Lawyers? Good Tips, Wrong Medium (FindLaw's Technologist Blog)