Scary post title right? Well, I wish it was link bait, but it’s not. This is really serious.
Yesterday, it was announced that there was a critical security vulnerability in versions 3.0 to 3.9.2 of WordPress.
Here’s a video showing how easy it is to exploit the vulnerability:
In the video, I just redirected the page to Google’s home page. Any visitor trying to access that page is going to end up at Google. I could have done stuff that’s a whole lot worse than that, but that’s bad enough…
Now, this didn’t affect version 4.0 (although there were some other fixes for that). Websites using 3.9.*, 3.8.* and 3.7.* should have been updated automatically to a secure version by now (assuming automatic updates are turned on). However, versions 3.0 to 3.6.1 are unsupported, so there is no update for those versions.
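If you look after more than a handful of sites, the version ranges above are easiest to act on as a triage script. The following is an added example (not from the original post or from WordPress itself) that sorts an inventory of reported versions into the buckets the post describes; the hostnames in the sample inventory are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Version boundaries as stated in the post: 3.0 - 3.9.2 affected, the 3.7/3.8/3.9
# branches receive automatic security updates, 3.0 - 3.6.1 are unsupported with no
# fix, 4.0 is not affected by this particular bug, and 4.0.1 is where everyone should be.
AFFECTED_LOW = (3, 0, 0)
AUTO_UPDATE_LOW = (3, 7, 0)      # first branch that gets automatic background updates
NOT_AFFECTED = (4, 0, 0)
TARGET = (4, 0, 1)

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'major.minor[.patch][-suffix]' into a comparable tuple ('3.9' -> (3, 9, 0))."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised WordPress version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def triage(version: str) -> str:
    """Classify one site's reported version into an action bucket."""
    v = parse_version(version)
    if v >= TARGET:
        return "current"
    if v >= NOT_AFFECTED:
        return "not-affected-update-anyway"   # 4.0: still take the other fixes in 4.0.1
    if v >= AUTO_UPDATE_LOW:
        return "verify-auto-update"           # 3.7 - 3.9: fix arrives automatically, confirm it did
    if v >= AFFECTED_LOW:
        return "vulnerable-manual-upgrade"    # 3.0 - 3.6.1: unsupported, no fix, upgrade by hand
    return "pre-3.0-out-of-scope"             # older than the affected range, still ancient

def triage_inventory(sites: Dict[str, str]) -> Dict[str, List[str]]:
    """Group an inventory of {hostname: version} by action bucket, worst first."""
    order = ["vulnerable-manual-upgrade", "verify-auto-update",
             "not-affected-update-anyway", "pre-3.0-out-of-scope", "current"]
    buckets: Dict[str, List[str]] = {k: [] for k in order}
    for host, ver in sorted(sites.items()):
        buckets[triage(ver)].append(host)
    return buckets

# Constructed sample inventory; hostnames are placeholders, not real sites.
SAMPLE = {
    "blog.example": "3.5.1",
    "shop.example": "3.9.2",
    "news.example": "4.0",
    "docs.example": "4.0.1",
    "old.example": "2.9.2",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE).items():
        print(f"{bucket:28s} {', '.join(hosts) or '-'}")
```

The "verify-auto-update" bucket is deliberately not marked safe: a 3.7 to 3.9 site only got the fix if background updates were actually enabled, so check the running version rather than trusting the branch.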
Well that’s not so bad you’re thinking. Can’t be many people using those old versions.
Look at it. Now look at it again. Right… so more than half the WordPress sites out there are on 3.6 or older. More than half of all existing WordPress sites are vulnerable. That’s roughly 12% of the web. I said this was really serious.
This just goes to show how important the Automatic Update functionality is. I was originally a skeptic, but I now consider it one of the most important features ever added to WordPress. Thanks to the devs who did the hard work to implement it (looking at you Dion)!
Unfortunately, there are still a bucket load of sites out there just waiting to be exploited. We can’t have more than half of all WordPress sites just sitting out there as timebombs. I don’t think this is one we can let pass quietly. We need to spread the word and get people to update their old sites. Everyone should be on 4.0.1.
If you have any old sites out there, make sure they are updated! If you have clients or friends who might have old sites, get them to update!
Does anyone out there have any contacts at Google? They send out emails to Webmaster Tools users telling them to update WordPress. Perhaps they could send a special email given how serious and how widespread this is.
Does anyone have any other ideas?