What WordPress site owners need to do about the HeartBleed vulnerability
[Updated 10:26am EST]: Here is where you can test whether your site is vulnerable to HeartBleed. Note that it may not be legal to test sites that don’t belong to you, so don’t do that.
[Updated 10:17am EST]: Added a more comprehensive response for site owners running their own server.]
There is serious vulnerability which has been dubbed HeartBleed in the OpenSSL library which is what most sites on the internet use to allow their visitors to connect securely to their websites. On a scale of 1 to 10 when it comes to security vulnerabilities for WordPress site owners, HeartBleed is an 11.
The bug allows remote attackers to read 64k of memory of systems running the newest versions of openssl which do not contain the fix. That means an attacker can read your server’s memory and pluck out usernames, passwords, the secret keys of your SSL/TLS encryption to crack secure communications and other sensitive information.
Apache and Nginx are the most popular web servers on the Internet and they are the largest users of openssl which contains this vulnerability. Together they comprise 66% of market share of all servers on the Net according to Netcraft. These servers are by far the most common used for WordPress sites which is why HeartBleed affects so many WordPress sites.
What to do:
If you don’t run a WordPress site that uses HTTPS (which lets your users connect securely using their web browser) then you don’t have to worry about this. [Edit: Please see the “larger impact of this vulnerability” below]
If you do have HTTPS enabled on your WordPress site, even if you aren’t transmitting sensitive information, you need to respond to this threat immediately. Here is what you need to do about HeartBleed as a WordPress site owner:
If you use a hosting provider, as most WordPress site owners do:
If you use a hosting provider then you usually don’t control your site at the operating system level. So check with your WordPress hosting provider to find out TWO things:
- Were they vulnerable to HeartBleed?
- Have they fixed it?
If your WordPress hosting provider was vulnerable to HeartBleed then you need to ask them if they have revoked and reissued their SSL/TLS site certificates. The reason they need to do this is because the SSL/TLS private keys for your site may have been read from server memory and compromised.
If they haven’t fixed it then they need to fix it urgently because it has been 2 days since the public (and some are saying irresponsible) disclosure of HeartBleed.
If your WordPress hosting provider was vulnerable to HeartBleed, you need to change all admin passwords on your site and you need to email all your users and ask them to change their passwords. The reason for this is because your server memory was temporarily readable by any attacker and they may have read user passwords or other sensitive info from your memory. For example, the popular site ArsTechnica has been hit by this issue and is asking their users to change their credentials.
The larger impact of this vulnerability
While your WordPress site may be affected and may have been targeted, it’s more likely that high profile sites would have been targeted to steal user information and decrypt secure channels. With that in mind it’s important that you change your usernames and passwords on the Net, particularly sites that you have signed into since April 7th when the vulnerability was released.
If you run your own WordPress site at the operating system level:
Here is the official HeartBleed vulnerability announcement on openssl.org.
OpenSSL versions 1.0.1 and 1.0.2-beta releases are affected including 1.0.1f and 1.0.2-beta1. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
Upgrading or recompiling OpenSSL will patch the vulnerability but you also need to revoke your SSL certificates and reissue them because they may have been stolen from your server memory by a remote attacker.
You also need to be aware that chunks of 64k of memory in your web server were made available to the larger Internet since 7th April, 2014. With this in mind you should think about what may have been stored in that memory and respond accordingly. This would include any data that was sent to your server via an HTTP POST request. This most commonly includes username/password combinations but could also include credit card info.
The best approach is to make users aware of HeartBleed, what info may have been disclosed and recommend an appropriate response. In most cases this will be a recommendation to change passwords on sites purely using SSL for authentication. However if credit cards were being processed, this may extend to monitoring credit cards for fraudulent activity. You need to use your judgement and knowledge of the kind of data being received/transmitted by your web server via HTTPS to recommend an appropriate action.
Are we vulnerable at www.wordfence.com?
No. We are running a version of openssl that is not vulnerable, so thankfully we were not affected by heartbleed.
I have SSL certificate on my Wordpress site which I bought from Comodo and I do not use OpenSSL. Do I have a problem?
Which SSL certificate or provider does not affect whether or not you have an issue.
If you don't run openssl on your web server, then you're fine. But make sure you understand what this means.
I will talk with Bitnami administrators about all.
In the remote case that your WP login was compromised in this way, then having the SSL very reissued will not invalidate any WP session cookies, so I would recommend updating your wp-config.php encryption salts after changing passwords to force any logged in users to re-login.
Actually that sounds like good advice.
Make sense... Will do it just in case...
THANK YOU Wordfence! If it had not been for using your plugin and getting your security email updates I would NOT have known about this Heartbleed security issue. We were vulnerable and I only knew that because of this blog NOT because of our hosting provider BlueHost (a pox on their house!). I had to call them and have them run me through a series of scripts to fix this. You would think that they would be issuing warnings and updated this stuff automatically, especially when we're paying for VPS. We will be moving our sites from this provider.
Thank you so much for be on top of these issues!
You're welcome. Remember that this bug is very very new, and hosting providers are SCRAMBLING to get this fixed, so please don't be too hard on them. They all have the best of intentions. You may find that many other hosts are in the same boat.