What WordPress site owners need to do about the HeartBleed vulnerability
[Updated 10:26am EST]: Here is where you can test whether your site is vulnerable to HeartBleed. Note that it may not be legal to test sites that don’t belong to you, so don’t do that.
[Updated 10:17am EST]: Added a more comprehensive response for site owners running their own server.]
There is serious vulnerability which has been dubbed HeartBleed in the OpenSSL library which is what most sites on the internet use to allow their visitors to connect securely to their websites. On a scale of 1 to 10 when it comes to security vulnerabilities for WordPress site owners, HeartBleed is an 11.
The bug allows remote attackers to read 64k of memory of systems running the newest versions of openssl which do not contain the fix. That means an attacker can read your server’s memory and pluck out usernames, passwords, the secret keys of your SSL/TLS encryption to crack secure communications and other sensitive information.
Apache and Nginx are the most popular web servers on the Internet and they are the largest users of openssl which contains this vulnerability. Together they comprise 66% of market share of all servers on the Net according to Netcraft. These servers are by far the most common used for WordPress sites which is why HeartBleed affects so many WordPress sites.
What to do:
If you don’t run a WordPress site that uses HTTPS (which lets your users connect securely using their web browser) then you don’t have to worry about this. [Edit: Please see the “larger impact of this vulnerability” below]
If you do have HTTPS enabled on your WordPress site, even if you aren’t transmitting sensitive information, you need to respond to this threat immediately. Here is what you need to do about HeartBleed as a WordPress site owner:
If you use a hosting provider, as most WordPress site owners do:
If you use a hosting provider then you usually don’t control your site at the operating system level. So check with your WordPress hosting provider to find out TWO things:
- Were they vulnerable to HeartBleed?
- Have they fixed it?
If your WordPress hosting provider was vulnerable to HeartBleed then you need to ask them if they have revoked and reissued their SSL/TLS site certificates. The reason they need to do this is because the SSL/TLS private keys for your site may have been read from server memory and compromised.
If they haven’t fixed it then they need to fix it urgently because it has been 2 days since the public (and some are saying irresponsible) disclosure of HeartBleed.
If your WordPress hosting provider was vulnerable to HeartBleed, you need to change all admin passwords on your site and you need to email all your users and ask them to change their passwords. The reason for this is because your server memory was temporarily readable by any attacker and they may have read user passwords or other sensitive info from your memory. For example, the popular site ArsTechnica has been hit by this issue and is asking their users to change their credentials.
The larger impact of this vulnerability
While your WordPress site may be affected and may have been targeted, it’s more likely that high profile sites would have been targeted to steal user information and decrypt secure channels. With that in mind it’s important that you change your usernames and passwords on the Net, particularly sites that you have signed into since April 7th when the vulnerability was released.
If you run your own WordPress site at the operating system level:
OpenSSL versions 1.0.1 and 1.0.2-beta releases are affected including 1.0.1f and 1.0.2-beta1. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Upgrading or recompiling OpenSSL will patch the vulnerability but you also need to revoke your SSL certificates and reissue them because they may have been stolen from your server memory by a remote attacker.
You also need to be aware that chunks of 64k of memory in your web server were made available to the larger Internet since 7th April, 2014. With this in mind you should think about what may have been stored in that memory and respond accordingly. This would include any data that was sent to your server via an HTTP POST request. This most commonly includes username/password combinations but could also include credit card info.
The best approach is to make users aware of HeartBleed, what info may have been disclosed and recommend an appropriate response. In most cases this will be a recommendation to change passwords on sites purely using SSL for authentication. However if credit cards were being processed, this may extend to monitoring credit cards for fraudulent activity. You need to use your judgement and knowledge of the kind of data being received/transmitted by your web server via HTTPS to recommend an appropriate action.
Are we vulnerable at www.wordfence.com?
No. We are running a version of openssl that is not vulnerable, so thankfully we were not affected by heartbleed.