{"id":163,"date":"2014-12-02T21:58:36","date_gmt":"2014-12-02T21:58:36","guid":{"rendered":"http:\/\/www.ahosting.net\/blog\/?p=163"},"modified":"2014-12-02T21:59:19","modified_gmt":"2014-12-02T21:59:19","slug":"keeping-your-website-safe-from-wordpresss-xss-vulnerability","status":"publish","type":"post","link":"https:\/\/www.ahosting.net\/blog\/keeping-your-website-safe-from-wordpresss-xss-vulnerability\/","title":{"rendered":"Keeping Your Website Safe From WordPress\u2019s XSS Vulnerability"},"content":{"rendered":"<p>Last month, a Finnish IT company by the name of Klikki Oy <a href=\"http:\/\/klikki.fi\/adv\/wordpress_press.html\">identified a critical vulnerability in WordPress<\/a> \u2013 one which has been present in the platform for approximately four years. It allows attackers to enter comments which include malicious JavaScript. Once the script in these comments is executed, the attacker could then do anything from infecting the PCs of visitors to completely hijacking the website and locking the original administrator out of their account.<!--more--><\/p>\n<p>\u201cProgram code injected in comments would be inadvertently executed in the blog administrator\u2019s web browser when they view the comment,\u201d <a href=\"http:\/\/klikki.fi\/adv\/wordpress_press.html\">explained security expert Jouko Pynn\u00f6nen<\/a>. \u201cThe rogue code could then perform administrative operations by covertly taking over the administrator account. Such operations include creating a new administrator account, changing the current administrator password and, in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating-system-level access on the hosting server.\u201d<\/p>\n<p>Yeah, it\u2019s pretty bad.<\/p>\n<p>Believe it or not, it actually gets a whole lot worse. 
According to Ars Technica, the vulnerability could, based on current usage statistics, <a href=\"http:\/\/arstechnica.com\/security\/2014\/11\/four-year-old-comment-security-bug-affects-86-percent-of-wordpress-sites\/\">affect upwards of 86% of WordPress-powered websites<\/a>. The good news is that WordPress has already issued 4.0.1, an update which patches this vulnerability along with several other, unrelated bugs. It\u2019s also worth mentioning that WordPress 4.0, released in September, was never affected by the attack.<\/p>\n<p>Version 4.0 can be downloaded <a href=\"http:\/\/codex.wordpress.org\/Version_4.0\">here<\/a>; 4.0.1 <a href=\"https:\/\/wordpress.org\/news\/2014\/11\/wordpress-4-0-1\/\">here<\/a> &#8211; I\u2019d advise installing one of them as soon as humanly possible.<\/p>\n<p>Of course, <a href=\"http:\/\/kevin.lexblog.com\/2014\/11\/26\/law-firms-risks-of-operating-wordpress-blogs\/\">for many websites, that might not be an option<\/a>. Upgrading immediately might mean sacrificing functionality in a number of critical plugins, many of which might not yet be compatible with the new version. So&#8230;assuming you can\u2019t immediately apply the patch to your WordPress server, how can you make sure you\u2019re still protected?<\/p>\n<p>There are a few methods.<\/p>\n<p>First and foremost, Klikki reports that the Akismet anti-spam plugin is able to filter comments attempting to make use of the exploit. For websites that don\u2019t use Akismet, Klikki has released a plugin of its own, <a href=\"http:\/\/klikki.fi\/adv\/wordpress.html\">one which neuters the exploit by disabling texturization<\/a> (something you could also do manually with a PHP workaround). 
Finally &#8211; and this may not be an ideal solution either &#8211; you might consider disabling comments altogether until you can patch your site. Bear in mind that closing comments only stops new submissions; it does nothing about comments that have already been submitted.<\/p>\n<p>After all, attackers can\u2019t exploit a feature that doesn\u2019t exist, right?<\/p>\n<p>By far, this is the biggest security vulnerability that\u2019s been revealed in WordPress in years. The ability to lock an administrator out of their website with a few lines of code isn\u2019t something to be taken lightly. As such, this isn\u2019t something you can afford to ignore &#8211; if you want to keep your website safe, secure, and completely under your control, you <b>need<\/b> to take action.<\/p>\n<p>Trust me &#8211; you\u2019ll sorely regret it if you don\u2019t.<\/p>\n<p>Image: Flickr\/<a href=\"https:\/\/www.flickr.com\/photos\/marinashemesh\/8500345530\/sizes\/l\">Marina Shemesh<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last month, a Finnish IT company by the name of Klikki Oy identified a critical vulnerability in WordPress \u2013 one which has been present in the platform for approximately four years. It allows attackers to enter comments which include malicious JavaScript. 
Once the script in these comments is executed, the attacker could then do anything [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":164,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-163","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/posts\/163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/comments?post=163"}],"version-history":[{"count":2,"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/posts\/163\/revisions"}],"predecessor-version":[{"id":166,"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/posts\/163\/revisions\/166"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/media\/164"}],"wp:attachment":[{"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/media?parent=163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/categories?post=163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ahosting.net\/blog\/wp-json\/wp\/v2\/tags?post=163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
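The two interim measures the post describes for sites that cannot update yet (disabling comment texturization by hand, and shutting comments off entirely), written up as a must-use plugin. This is an added example, not code from the post and not Klikki's plugin: the post only says texturization can be disabled with a PHP workaround, and removing wptexturize from the comment_text filter is this example's reading of that; the version gate, the CXS_CLOSE_COMMENTS constant and all cxs_* function names are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Comment XSS Stopgap (added example)
 *
 * Interim protection for WordPress installs that cannot yet move to 4.0 /
 * 4.0.1. Save as wp-content/mu-plugins/comment-xss-stopgap.php; must-use
 * plugins load on every request with no activation step and cannot be
 * switched off from the dashboard, which is what you want for a stopgap.
 *
 * Matching the interim measures in the post, it:
 *   1. removes wptexturize() from the comment_text output filter, which is
 *      how "disabling texturization" is assumed to be done here;
 *   2. optionally closes comments site-wide (new submissions only; it does
 *      not touch comments already stored).
 *
 * The version gate, the constant name and the cxs_* function names are this
 * example's own assumptions, not part of Klikki's advisory or plugin.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse to run outside WordPress.
}

/**
 * Assumption: per the post, 4.0 and later are not affected, so the stopgap
 * only engages on older cores and becomes a no-op once the site is updated.
 */
function cxs_core_is_vulnerable() {
    return version_compare( get_bloginfo( 'version' ), '4.0', '<' );
}

/** 1. Texturization workaround. */
function cxs_disable_comment_texturize() {
    if ( ! cxs_core_is_vulnerable() ) {
        return;
    }
    // Core registers wptexturize on comment_text at the default priority (10);
    // the priority must match or remove_filter() silently does nothing.
    remove_filter( 'comment_text', 'wptexturize', 10 );
}
add_action( 'init', 'cxs_disable_comment_texturize' );

/**
 * 2. Optional comment shut-off. Enable it from wp-config.php with
 *      define( 'CXS_CLOSE_COMMENTS', true );
 * comments_open() gates both the comment form and wp-comments-post.php, so
 * returning false rejects new submissions everywhere.
 */
function cxs_maybe_close_comments( $open, $post_id ) {
    if ( cxs_core_is_vulnerable() && defined( 'CXS_CLOSE_COMMENTS' ) && CXS_CLOSE_COMMENTS ) {
        return false;
    }
    return $open;
}
add_filter( 'comments_open', 'cxs_maybe_close_comments', 10, 2 );

/** Tell administrators the stopgap is active so it is not forgotten after the update. */
function cxs_admin_notice() {
    if ( ! cxs_core_is_vulnerable() || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $closed = defined( 'CXS_CLOSE_COMMENTS' ) && CXS_CLOSE_COMMENTS;
    echo '<div class="error"><p>'
        . esc_html( sprintf(
            'Comment XSS stopgap active on WordPress %s: comment texturization disabled%s. Update core to 4.0.1 and remove this mu-plugin.',
            get_bloginfo( 'version' ),
            $closed ? ', new comments closed' : ''
        ) )
        . '</p></div>';
}
add_action( 'admin_notices', 'cxs_admin_notice' );
```

Removing the filter only changes how comments are rendered (straight quotes and dashes instead of typographic ones); nothing stored in the database is modified, so the change is fully reversible by deleting the file once the core update is in place.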