One week after Heartbleed, 1% of the SSL-enabled WordPress sites we tested are still vulnerable
This entry was posted in WordPress Security on April 16, 2014 by Mark Maunder
Highlight: Wordfence 5.0.4 is currently in beta and will be released tomorrow around noon. Wordfence scans will now check whether your site is vulnerable to Heartbleed.
We just completed an audit of 9000 WordPress websites to see how many are still vulnerable to Heartbleed.
The methodology we used is safe to run against production servers; it is described by David Chan (a security engineer at Mozilla) in this blog entry.
Of the 9000 sites we checked, 4107 have SSL enabled with a currently valid certificate (sites with invalid certificates were excluded). Among those 4107, we found 43 sites still vulnerable to the OpenSSL Heartbleed bug (CVE-2014-0160).
That is 1.04% of the SSL-enabled WordPress sites we checked whose server memory can still be read by anyone on the Internet using Heartbleed.
For the owner of a site that is still vulnerable, the risk is:
- Attackers can read your WordPress, cPanel, phpMyAdmin and other usernames and passwords straight out of server memory, where the web server handles them in plaintext after TLS decryption.
- Attackers can steal data that users submit to your site over HTTPS. If you accept credit cards, they can steal card details from forms POSTed to your site.
- Attackers can steal your site's TLS private key and, while technically more involved, use it to impersonate your website with a certificate that browsers will trust.
Patching OpenSSL stops the leak but does not undo it: if a server was exposed, replace its private key and certificate (and revoke the old certificate) and reset the passwords and sessions that may have passed through its memory.
With this in mind, we have added Heartbleed scanning to Wordfence 5.0.4, which will be released to the general public tomorrow. If you're interested in beta testing this release, you can find Wordfence 5.0.4 Beta1 here.
You can join the Wordfence Beta program here if you’re interested in helping us test early releases of Wordfence.