Over a million websites that use WordPress SEO by Yoast are at risk due to a blind SQL injection vulnerability that has been found in the plugin. WPScan Vulnerability Database released an advisory after it had disclosed the vulnerability to the plugin’s author.
“The latest version at the time of writing (18.104.22.168) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities.
The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.”
Yoast quickly responded with a patch and released version 1.7.4:
“Fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.”
Immediate Update Recommended
GreenGeeks real-time security scanning is already protecting our customers from this vulnerability. While GreenGeeks has real-time monitoring in place to catch such vulnerabilities and proactively protect our customers from exploitation, we strongly urge all of our customers to update their WordPress SEO plugin by Yoast immediately to avoid any potential issues in the future. Best practice is to ensure that all of your plugins and WordPress core files are up to date at all times.
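The advisory above says the orderby and order GET parameters reached a SQL query without sufficient sanitization, and the changelog says the fix was strict sanitation of both. The following is an added example (not code from the Yoast plugin or from WPScan) of why that class of parameter needs an allow-list rather than escaping: an ORDER BY column and direction cannot be bound as prepared-statement placeholders, so the only safe option is to map the request value onto a fixed set of literals. The functions, table and sample rows are all hypothetical and constructed so the script runs stand-alone against an in-memory SQLite database.

```php
<?php
// Added example, not code from Yoast or WPScan: why an ORDER BY clause built from
// request parameters needs an allow-list, and what that allow-list looks like.
// Runs stand-alone against an in-memory SQLite database with constructed rows.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, modified TEXT)');
$db->exec("INSERT INTO posts (title, modified) VALUES
    ('Alpha', '2015-03-01'), ('Bravo', '2015-03-03'), ('Charlie', '2015-03-02')");

// Weak pattern (hypothetical function, not the plugin's): orderby/order are
// concatenated into the SQL text. Prepared-statement placeholders cannot stand
// in for identifiers or keywords, so whatever the request sends is parsed as SQL.
function list_posts_unsafe(PDO $db, string $orderby, string $order): array
{
    $sql = "SELECT id, title FROM posts ORDER BY $orderby $order";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: request values are only ever used as keys into fixed maps.
// The SQL text is assembled from the map's own literals; an unknown value gets
// the default ordering instead of ever reaching the query.
const ALLOWED_ORDERBY = ['id' => 'id', 'title' => 'title', 'modified' => 'modified'];
const ALLOWED_ORDER   = ['asc' => 'ASC', 'desc' => 'DESC'];

function sanitize_orderby(string $orderby): string
{
    return ALLOWED_ORDERBY[strtolower($orderby)] ?? 'id';
}

function sanitize_order(string $order): string
{
    return ALLOWED_ORDER[strtolower($order)] ?? 'ASC';
}

function list_posts_safe(PDO $db, string $orderby, string $order): array
{
    $sql = sprintf('SELECT id, title FROM posts ORDER BY %s %s',
        sanitize_orderby($orderby), sanitize_order($order));
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Simulated request values (constructed). The first pair is a normal request;
// the second sends something that is not a column name at all.
$requests = [
    ['orderby' => 'modified', 'order' => 'desc'],
    ['orderby' => 'not_a_column', 'order' => 'desc'],
];

foreach ($requests as $r) {
    printf("orderby=%s order=%s\n", $r['orderby'], $r['order']);
    try {
        $rows = list_posts_unsafe($db, $r['orderby'], $r['order']);
        echo '  unsafe: ', implode(', ', array_column($rows, 'title')), "\n";
    } catch (PDOException $e) {
        // The request value reached the SQL parser: that is the injection point.
        echo '  unsafe: SQL error (', $e->getMessage(), ")\n";
    }
    $rows = list_posts_safe($db, $r['orderby'], $r['order']);
    echo '  safe:   ', implode(', ', array_column($rows, 'title')), "\n";
}
```

The second request shows the difference: the unsafe query hands the raw value to the SQL engine (here it only raises a "no such column" error, but in a real handler that is where a blind injection lives), while the allow-listed version falls back to ordering by id. The other two items in the changelog, the extra nonce checks and the Editor capability requirement, are separate controls that belong in the request handler before any query runs; in WordPress those are the check_admin_referer() and current_user_can() calls, and an allow-list does not replace them.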
Researchers at Fox-IT released a white paper regarding an increasing threat to content management systems they’ve named CryptoPHP.
What is the CryptoPHP Backdoor?
CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.
Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well-developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:
- Integration into popular content management systems like WordPress, Drupal and Joomla
- Public key encryption for communication between the compromised server and the command and control (C2) server
- An extensive infrastructure in terms of C2 domains and IPs
- Backup mechanisms in place against C2 domain takedowns in the form of email communication
- Manual control of the backdoor besides the C2 communication
- Remote updating of the list of C2 servers
- Ability to update itself
What We’ve Done For Our Customers
GreenGeeks is always working to ensure maximum security for our customers. Here’s what we’ve done since learning about the CryptoPHP backdoor.
- Checked all clients’ data. Affected clients were notified and we’re working with them to resolve the issue. Only 0.001% of sites on our network were affected.
- Added advanced real-time security rules to protect against new instances.
- Updated the GGS real-time malware scanning tool to find affected data more quickly.
- Updated the list of known holes to check servers periodically.
What You Can Do to Protect Against These Kinds of Infections
- Download & use plug-ins that are from reputable & verified sources.
- Ensure plugins & core CMS code are kept up to date with the latest versions.
- Download security scanning tools such as iThemes Security or WordFence
Google reported in a blog post today the discovery of a security vulnerability with SSL version 3.0. Our engineers were notified of this vulnerability before the announcement was made public and have made the necessary changes to disable access to SSL 3.0 on our core infrastructure.
Unlike the HeartBleed vulnerability, most of our users will not be impacted by this change. However, those that are using outdated web browsers (Internet Explorer 6 for example) will be unable to connect securely to our control panel and website.
If you’re using an outdated web browser, simply download the updated versions or download newer clients such as Mozilla Firefox or Google Chrome. These browsers utilize an enhanced security protocol known as TLS, which has the ability to automatically update keeping you secure in the future.
SSL Version 3.0 will be disabled on Firefox on November 25, but you do not have to wait for this to be released. You can download a plugin that will allow you to set the minimum SSL version. If you’re using Internet Explorer, simply go to Settings -> Internet Options -> Advanced Tab -> Uncheck SSLv3 under Security.
Our system engineers are working to disable SSL version 3.0 across all of our servers. This will be done in segments to ensure there is no impact on your websites.
You can learn more about this issue by reading Google’s report.
As always, you’re more than welcome to contact our support if you have any questions and/or concerns.
The newest WordPress version, called Benny after Benny Goodman (WordPress 4.0), has been released. It promises to streamline users’ overall experience. The changes for WordPress 4.0 bring a more visual impact to the WordPress platform. They are small tweaks with a big visual outcome to the user’s content management experience.
Continue reading “WordPress 4.0: See Features & What’s New”
GreenGeeks, a leader in providing green energy web hosting solutions, is proud to announce its 2014 ranking at 2095 on Inc. Magazine’s 500|5000 Fastest Growing Companies list, putting the company amongst the elite firms representing America’s fastest growing companies.
Continue reading “GreenGeeks makes Inc. 5000 America’s fastest growing companies list 2nd year in a row”
Update: Google announced on December 18, 2015 that they have begun to index HTTPS URLs by default. This means that if both an HTTP and HTTPS (the secured version of the url) are both available, they will automatically choose to index only the HTTPS version. This is the case even if inbound links point mainly or only to the HTTP version of the url. According to Google this is the next step in their “HTTPS everywhere” initiative.
It’s not often that Google divulges any information about how it ranks websites on its search engine and usually leaves the process up to businesses and SEO experts to focus on creating quality websites. However, recently Google announced that the use of HTTPS on a website will be considered a ranking signal in their search algorithm. This will ultimately help the Internet become much safer and secure as webmasters work to take advantage of the search result benefits.
Continue reading “How to improve your SEO ranking on Google with SSL”
GreenGeeks is proud to announce today that all of our existing customers have been upgraded to servers utilizing solid state drives (SSD) as part of our commitment to offering the best hosting experience. New customers are automatically provisioned onto the SSD hosting platform. Continue reading “GreenGeeks Makes Solid State Drives (SSD) Standard on its Web Hosting Plans”
We haven’t posted a cool green gadget for a while, and while this isn’t really a “gadget”, it’s definitely on point with what we’re trying to push: a greener planet.
The Earth has over 11 million miles of paved roadways, all of which absorb heat energy from the Sun… well, imagine if we could harness the energy from the Sun from the roadways?
Enter Solar FREAKIN’ Panel Roadways… here’s a cool video put together about it:
Scott & Julie have started an Indiegogo campaign to raise funds to further develop & implement the technology.
WordPress is one of the world’s most popular and powerful content management systems. Its ease of use and customization make it perfect for creating a website regardless of a user’s skill level. But to get the most out of the system, you need a powerful host to back it up. Fortunately, GreenGeeks automates much of the process, letting web developers, content writers and small businesses focus on what they do best while leaving optimization of the WordPress hosting platform to us. Continue reading “5 Reasons GreenGeeks is the Best WordPress Hosting Provider”
My name is Trey Gardner and I am the CEO of GreenGeeks which I believe is the greenest web hosting company on the internet. In a few paragraphs I’ll go into the details of how eco-friendly we are compared to our competition but first I’d like to talk about why it is so important to choose a green, eco-friendly web hosting company.
Continue reading “Greenest Web Hosting on the Planet”