Hot on the heels of yesterday’s WordPress Security Alert for MainWP, we have another security alert for the popular WordPress SEO by Yoast.
This plugin has over 1 million active users, yet only around a quarter of those have installed the latest security update. Mark at Wordfence urges all users of WordPress SEO by Yoast to update immediately:
There is a vulnerability in WordPress SEO by Yoast. This is a CSRF vulnerability, so it is harder to exploit because it requires tricking an admin into loading a link from their own website where they’re logged in.
However, it’s serious enough that we’re sending out an alert. Yoast has released a fix, so upgrade immediately. It’s worth noting that this is getting a lot of press, so awareness among hackers of this issue is spreading quickly. So please upgrade at your earliest convenience.
Side note: The actual vulnerability is an SQL injection attack, but it requires admin privileges so the actual vector is likely a CSRF attack exploiting the SQL injection vulnerability.
CSRF stands for Cross-Site Request Forgery. We all know that we should keep WordPress admin logins to an absolute minimum, and:
- Log in to your WordPress admin account only for admin purposes
- Perform the admin task immediately, and as quickly as possible
- Log out of your WordPress admin account as soon as the admin task is finished
That is a great habit to acquire, and you can see many reasons why in Website Security: Admin Author Basics. This latest WordPress plugin vulnerability re-emphasizes the need to be very focused on security risks whenever logged in as administrator. Never be distracted by SEO, or anything else, when you are logged into a WordPress Administrator account.
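The two-step chain in the Wordfence alert above (an admin-only query driven by a request parameter, reachable by a forged request because nothing ties the request to an intentional click by the admin) can be illustrated with a constructed WordPress admin-page handler. This is an added example, not code from WordPress SEO by Yoast or from Wordfence; the function names, the `order_by`/`limit` parameters and the `my_seo_order` nonce action are hypothetical.

```php
<?php
// Constructed illustration, not the plugin's code. An admin-only page reads an
// ordering column from the request and builds SQL with it.
// Hypothetical names: my_seo_page_vulnerable(), my_seo_page_hardened(), my_seo_order.

// BEFORE: two defects that together form the chain described in the alert.
function my_seo_page_vulnerable() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) { // admin-only, as the alert says
        wp_die( 'Insufficient privileges' );
    }
    // Defect 1: no nonce check, so any request the admin's browser can be lured
    //           into sending (a link, an image tag) runs with the admin's cookies -> CSRF.
    // Defect 2: the request value is concatenated straight into SQL -> SQL injection.
    $order = isset( $_GET['order_by'] ) ? $_GET['order_by'] : 'post_date';
    $rows  = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $order LIMIT 10"
    );
    // ... render $rows ...
}

// AFTER: the hardened form. Closing either hole breaks the chain; close both.
function my_seo_page_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Fix 1: require a nonce tied to this action and to the logged-in user. Links to
    //        this page must be built with wp_nonce_url( $url, 'my_seo_order' ); a
    //        request forged from another site carries no valid nonce and dies here.
    check_admin_referer( 'my_seo_order' );

    // Fix 2: identifiers (column names) cannot be bound as parameters, so restrict
    //        ORDER BY to an allow-list; numeric values go through prepare() placeholders.
    $allowed = array( 'post_date', 'post_title', 'ID' );
    $order   = isset( $_GET['order_by'] ) ? sanitize_key( $_GET['order_by'] ) : 'post_date';
    if ( ! in_array( $order, $allowed, true ) ) {
        $order = 'post_date';
    }
    $limit = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 10;
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $order LIMIT %d",
            $limit
        )
    );
    // ... render $rows ...
}
```

The capability check alone does not help against CSRF, because the forged request arrives from the admin's own browser and passes it; that is why the nonce check is the fix that matters for the "tricked into loading a link" scenario, while the allow-list and prepare() remove the SQL injection itself.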
For that reason, many of my secure WordPress hosting plans remove the need for you to ever act as WordPress administrator. I can perform all your WordPress administration tasks, allowing you to concentrate on growing and running your online business. I’m preparing new secure WordPress hosting plans for 2015. Make sure you don’t miss out on my Special Offers available later this year.
Sign up to the Shrewdies.com Updates Service to get news about my secure WordPress hosting plans.
Read more about Shrewdies Online Business Updates.
If you need secure WordPress hosting urgently, contact Keith Taylor today.