WordPress is a fantastic tool for website creation and development and a fantastic content management system (CMS); millions upon millions of sites run on it, from backyard-sale merchants to SMEs and even worldwide corporations. That is why there was such shock and outrage a few days ago when WordPress announced a much-needed same-day update to patch some basic flaws and one major security flaw that had been overlooked: its protection against certain SQL injection techniques. But what is an SQL injection? Why was this flaw overlooked? What does this mean for web design and development agencies providing your service (like ourselves)? … Well… luckily for you we have all the information on this matter and we’ll sum it up for you!
What was the “MAJOR vulnerability”?
In September 2017 a security researcher reported, through HackerOne (a vulnerability coordination and bug bounty platform), a flaw in the then-current build of WordPress. Anthony Ferrara, a leading PHP technologist, later posted this about the vulnerability: “Today, a significant SQL-Injection vulnerability was fixed in WordPress 4.8.3. Before reading further, if you haven’t updated yet stop right now and update.” The flaw sat in `$wpdb->prepare()`, the very function WordPress code is supposed to use to build queries safely; in other words, the vulnerability was in the part of WordPress that exists to defend against a hacking technique called ‘SQL injection’, and every version up to and including 4.8.2 is affected. According to Ferrara, the 4.8.3 security update does thankfully fix the problem, but reading his blog post about his interactions with WordPress’s security team you can feel his and many website owners’ frustrations. If you’re interested you can read it here: https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-background.html
What is an SQL Injection?
SQL injection is “a code injection technique that exploits a security vulnerability occurring in the database layer of an application”. In simpler words: something a visitor typed (a search term, a login name, a value in a URL) is pasted into the text of an SQL query without being separated from it, so the database treats part of that input as SQL code rather than as plain data. A successful injection can read data the attacker should never see and can add, edit, delete or corrupt rows and whole tables of the database.
So… what would that do to my website, exactly?
Well, think of your website as a big database: your pages, posts and products are the records (rows) stored in its tables, much like an Access database you built at school, only here everything is written to and read from the server in a specific language, known as SQL. An attacker carrying out an SQL injection attack types a line (or lines) of that language into a place where your site expects ordinary input, such as a search box, a comment form or a URL parameter, and your site’s code passes it on to the database as part of a query. Depending on the exact text they supply, the database then runs their statement as if it were your own: reading data they should not have, or changing, deleting and/or corrupting data within the database and, by extension, damaging your website and its content.
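To make the two paragraphs above concrete, here is an added example (written for this post; it is not WordPress’s own code and not from Ferrara’s write-up). It builds a tiny shop database in SQLite, a stand-in for the MySQL database behind a WordPress site, with constructed sample rows, and shows the same attacker input handled two ways: pasted into the query text (vulnerable) and passed through a `?` placeholder (safe). In WordPress code the placeholder form is `$wpdb->prepare()` with `%s`/`%d` markers; the 4.8.3 bug was that `prepare()` itself could be tricked, which is why the patch mattered so much.

```python
"""Added example: SQL injection against a string-built query, and the
parameterised query that treats the same input as plain data.
Table names, rows and the admin row are constructed for the demo."""
import sqlite3

# Constructed sample data (not a real shop, not a real password hash).
SAMPLE_PRODUCTS = [("Mug", 6.50), ("Hoodie", 29.99), ("Sticker pack", 3.00)]
SAMPLE_USERS = [("admin", "not-a-real-hash")]


def make_db() -> sqlite3.Connection:
    """In-memory database with a products table and a users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO products (name, price) VALUES (?, ?)", SAMPLE_PRODUCTS)
    con.executemany("INSERT INTO users (login, pw_hash) VALUES (?, ?)", SAMPLE_USERS)
    con.commit()
    return con


def product_count(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM products").fetchone()[0]


def search_vulnerable(con: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the search term becomes part of the SQL text, so a quote
    in the input ends the string literal and the rest is run as SQL."""
    sql = f"SELECT name, price FROM products WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def search_safe(con: sqlite3.Connection, name: str) -> list:
    """SAFE: the driver binds the term as a value; quotes and keywords inside
    it are compared against the column, never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def delete_vulnerable(con: sqlite3.Connection, product_id: str) -> int:
    """VULNERABLE: an id that arrives as a string (e.g. from a URL) is pasted
    in unquoted, so 'OR 1=1' widens the WHERE clause to every row.
    Returns the number of products left afterwards."""
    con.execute(f"DELETE FROM products WHERE id = {product_id}")
    con.commit()
    return product_count(con)


def delete_safe(con: sqlite3.Connection, product_id: str) -> int:
    """SAFE: the id is bound as a parameter; a value that is not a whole
    number matches no row, so nothing is deleted."""
    con.execute("DELETE FROM products WHERE id = ?", (product_id,))
    con.commit()
    return product_count(con)


if __name__ == "__main__":
    con = make_db()
    payload = "Mug' OR '1'='1"
    print("vulnerable search returns", len(search_vulnerable(con, payload)), "rows")
    print("safe search returns", len(search_safe(con, payload)), "rows")
    leak = "x' UNION SELECT login, pw_hash FROM users --"
    print("vulnerable search leaks", search_vulnerable(con, leak))
    print("safe delete leaves", delete_safe(con, "1 OR 1=1"), "products")
    print("vulnerable delete leaves", delete_vulnerable(con, "1 OR 1=1"), "products")
```

Run it and the search payload `Mug' OR '1'='1` returns every product from the vulnerable function and nothing from the safe one; the `UNION` payload pulls the admin row out of a completely different table; and `1 OR 1=1` sent to the vulnerable delete empties the products table while the safe delete touches no rows. The fix is never to escape by hand: always keep the query text fixed and pass user values through placeholders.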
Luckily WordPress has patched this in the latest update. You can download the latest version of WordPress (4.8.3) from the WordPress website, or go to Dashboard > Updates in your admin area and choose “Update now”. Many WordPress sites have automatic background updates for security releases switched on, which means they will already be updating themselves to the latest version. Automatic updates are not for everyone though: many site admins working in organisations are wary of rolling out new versions of software on their web servers before they have had a chance to test that they won’t introduce other problems. Of course, that in turn means that until they do update, their sites remain vulnerable to this SQL injection flaw and potentially to many other serious hacking problems. One caveat: the patch fixes WordPress core, so check that your plugins and themes build their database queries through `$wpdb->prepare()` as well, because code that pastes user input straight into a query was never protected by core in the first place.
You can call on The Code Den to provide you with excellent WordPress websites; seriously, we have years of experience in the web design and development industry. Our websites are always built securely, using our own templates and themes. Contact us today and get yourself ahead online, safe and secure.