Critical Zero-Day Vulnerability in WordPress Core Engine
December 31, 2016

Unlike the far more common flaws in third-party plugins, this one is in WordPress itself: WordPress confirmed today that a critical vulnerability exists in its core content management engine. The flaw can be exploited remotely by anyone who can post a comment and, as described below, chained into full control of the site and of the web server hosting it.

How Does It Work

An attacker posts a comment containing malicious JavaScript on any post or page that accepts comments. The comment is stored, and the script runs in the browser of whoever views it later, including a logged-in administrator reviewing comments in the dashboard. Running inside the administrator's session, the script can do anything the administrator can: change passwords, add new administrator accounts, edit theme or plugin files, or take the site down entirely. This is a stored (persistent) cross-site scripting (XSS) attack; the server takeover follows from the administrator's privileges, not from a flaw in the web server itself. In this case WordPress's comment filter was bypassed because an over-long comment that the filter had already approved was cut short when the database stored it, leaving broken HTML the filter had never seen.
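The mechanism deserves a concrete model. The root cause of this bug was that a comment WordPress's HTML filter had approved could be cut short when the database stored it, so the HTML the browser received was not the HTML the filter had checked. The following Python sketch, added here as an example and not code from WordPress or from the original article, reproduces that hazard with a toy allowlist sanitizer and a 64-byte "column" standing in for the 64 KB MySQL TEXT limit, shows the fix (enforce the storage limit before sanitizing and refuse what still does not fit), and includes the audit check a practitioner would run over an existing comments table: any stored comment that the sanitizer does not reproduce byte-for-byte contains HTML the sanitizer never approved. The allowlist, the byte limit and the sample comment rows are constructed for the example.

```python
"""Model of the "sanitize, then truncate on storage" hazard behind the
WordPress 4.2 comment XSS, plus the audit check for stored comments.

Constructed for this article; nothing here is WordPress code. The allowlist
stands in for WordPress's HTML filter, and COLUMN_LIMIT (64 bytes) stands in
for the 64 KB limit of the MySQL TEXT column that holds comments.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set()}  # tag -> attributes
COLUMN_LIMIT = 64  # bytes; the real column holds 65535


class AllowlistSanitizer(HTMLParser):
    """Re-serialize HTML keeping only allowlisted tags and attributes.

    Every attribute value is emitted double-quoted and escaped, so the output
    is always well-formed: a start tag is never left open."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag dropped, its text content is kept as data
        kept = "".join(
            f' {name}="{escape(value or "", quote=True)}"'
            for name, value in attrs
            if name in ALLOWED[tag]  # e.g. onclick is never on the list
        )
        self.parts.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(escape(data, quote=False))


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


def store(text):
    """Simulate the database column: silently keep only the first
    COLUMN_LIMIT bytes, as a MySQL TEXT column does in non-strict mode."""
    return text.encode("utf-8")[:COLUMN_LIMIT].decode("utf-8", errors="ignore")


def is_sanitizer_fixed_point(text):
    """True when the sanitizer passes `text` through unchanged, i.e. the
    stored bytes are exactly what the sanitizer approved."""
    return sanitize(text) == text


def save_comment_vulnerable(raw):
    """Sanitize first, truncate later: the browser gets HTML the sanitizer
    never approved (here an attribute value with its closing quote cut off)."""
    return store(sanitize(raw))


def save_comment_fixed(raw):
    """Enforce the column limit on the input *before* sanitizing, and refuse
    anything whose sanitized form would still not fit. Returns None for a
    rejected comment instead of storing a silently mangled one."""
    if len(raw.encode("utf-8")) > COLUMN_LIMIT:
        return None
    clean = sanitize(raw)
    if len(clean.encode("utf-8")) > COLUMN_LIMIT:  # escaping can grow the text
        return None
    return store(clean)  # store() is now a no-op, so stored == approved


def find_unstable_comments(rows):
    """Audit check for an existing comments table: return the IDs of stored
    comments the sanitizer would not reproduce byte-for-byte. Such rows hold
    HTML the sanitizer never approved and should be reviewed or re-sanitized."""
    return [cid for cid, text in rows if not is_sanitizer_fixed_point(text)]


# Constructed attacker comment: an allowed tag whose attribute value is long
# enough for the column to cut it off inside the quotes.
ATTACK = '<a title="' + "A" * 80 + '">click</a>'

if __name__ == "__main__":
    stored = save_comment_vulnerable(ATTACK)
    print(stored)                            # '<a title="' + 54 A's, no closing quote
    print(is_sanitizer_fixed_point(stored))  # False: browser sees unapproved HTML
    print(save_comment_fixed(ATTACK))        # None: rejected before it can be mangled
    rows = [(1, "plain text"), (2, stored), (3, "<b>ok</b>")]  # constructed rows
    print(find_unstable_comments(rows))      # [2]
```

The invariant to take away is that validation has to run on exactly the bytes that will be stored and rendered; any transformation applied after the sanitizer, such as truncation or a charset conversion, reopens the question. The fixed-point check above is cheap enough to run as a scheduled job against the site's comments table.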

WordPress Versions Affected

The vulnerability has been confirmed in WordPress 3.9.3, 4.1.1, 4.1.2 and 4.2, the latest release at the time of writing; earlier versions should be assumed vulnerable as well.

What To Do

At a minimum, you or your webmaster should update WordPress core to 4.2.1, the fixed release published a few hours ago. Sites with automatic background updates enabled should receive it on their own, but confirm the installed version in the dashboard rather than assuming it happened. Next, if your site does not use comments, disable them: a comment form nobody reads is attack surface with no benefit. Finally, update all plugins (and themes) to their latest versions.

Important Tips

Be Proactive: don't wait until you hear that a new vulnerability has been discovered. Keep the WordPress core engine and all plugins updated as a matter of routine.

Backup: back to basics. Always back up your WordPress site, both the files and the database, so that a hacked installation can be restored from a known-good copy.

Remove vs. Disable: remove unused plugins rather than merely deactivating them; a deactivated plugin's files are still on the server and can still be reached. The same applies to unused themes. If you don't use it, remove it.

An Ongoing Need to Stay Up-to-Date

As happens regularly, the WordPress CMS used by millions of sites is vulnerable again, and many site owners underestimate the cost of not being proactive about maintenance: no monitoring, no regular backups and no timely updates. While you should focus on running your business, a passive webmaster is an open invitation to attackers.

eLab Communications offers several maintenance and hosting packages specific to WordPress websites. Contact us today for a complimentary website health check and to discuss your maintenance options. Fill out the form on the right or call us toll free at 888.624.8321 or locally at 831.375.7600.
