On Christmas Day (25 December 2016), Polish security researcher Dawid Golunski announced that he had uncovered a security vulnerability in PHPMailer, an open source PHP library for sending email that is bundled with WordPress, Drupal, SugarCRM and numerous other website development platforms.
The vulnerability permits remote code execution (RCE), which is among the most severe classes of security flaw. An RCE vulnerability lets an attacker run commands of their choosing on the web server, with the privileges of the web server process. In other words, they can take control of a website's server without ever logging in.
Needless to say, this announcement has generated a lot of concern among website owners. I want to assure our clients that we are monitoring the situation.
At the time of writing, there are no known cases where hackers have successfully exploited the vulnerability. The developers of PHPMailer have already released a patched version (PHPMailer 5.2.18). The WordPress Core team is working to incorporate this patch, and we expect them to publish a security update to WordPress shortly.
Protection for Our Clients
Clients who are members of our Website Maintenance and Security Program have several levels of protection:
- The Wordfence firewall we have installed on your website receives new firewall rules in real time, as soon as Wordfence publishes a rule for a newly discovered exploit.
- We have configured your website to automatically apply new security updates to WordPress core as soon as they are released.
- After each update, we verify that it was applied correctly and that your website is still functioning properly.
- And, as we always do, we ensure that security updates to all themes and plugins on your website are promptly applied.
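As an added illustration of the automatic-update configuration described above (this is example code written for this post, not code from WordPress, Wordfence or the maintenance program), the following must-use plugin turns on WordPress automatic updates for core, themes and plugins. The file name and the plugin slugs in the allow-list are assumptions for illustration only; the constant and filter names are WordPress's own.

```php
<?php
/**
 * Added example: enable WordPress automatic updates.
 *
 * Save as wp-content/mu-plugins/auto-updates.php (assumed file name).
 * WordPress loads every file in mu-plugins on each request and cannot
 * deactivate them from the dashboard, so the policy cannot be switched
 * off by accident. WP_AUTO_UPDATE_CORE may also be set in wp-config.php.
 */

// Core: true = every release, 'minor' = security and maintenance releases
// only (the WordPress default), false = no automatic core updates.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}

// Themes: update all of them automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: either update everything, or only an allow-list. The filter
// receives WordPress's own decision ($update) and the update item, whose
// ->slug is the plugin directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $update_all_plugins = true;          // set to false to use the allow-list
    if ( $update_all_plugins ) {
        return true;
    }
    // Assumed example slugs; replace with the plugins you want auto-updated.
    $always_update = array( 'wordfence', 'akismet' );
    if ( isset( $item->slug ) && in_array( $item->slug, $always_update, true ) ) {
        return true;
    }
    return $update;                      // otherwise keep WordPress's default
}, 10, 2 );

// Many managed sites are deployed from a git/svn checkout. WordPress then
// refuses to auto-update unless told the checkout is not its concern.
add_filter( 'automatic_updates_is_vcs_checkout', '__return_false' );

// Have WordPress e-mail the site admin after every automatic core update,
// successful or not, so the "verify it worked" step has something to act on.
add_filter( 'auto_core_update_send_email', '__return_true', 10, 4 );
```

Two things to check after installing it: the site must not define `DISALLOW_FILE_MODS` or `AUTOMATIC_UPDATER_DISABLED` in wp-config.php, because either one overrides the settings above, and WP-Cron must actually run (either on page loads or from a real system cron hitting wp-cron.php), because the update check is a scheduled event rather than something that fires the moment a release is published.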
Recommended Actions for Others
For non-members, we encourage you to install the free version of Wordfence. While this is a great tool, please be aware that new firewall rules reach the free version 30 days after they are released to Premium users, meaning that for the first 30 days after a new exploit is discovered, your website has no rule protecting against it.
In addition, we encourage you to be vigilant in performing regular backups of your website and storing them offsite (somewhere other than your server). This way, if you do get hacked, you can quickly recover your website by restoring a recent backup.
Also, be sure to apply updates to WordPress core, all themes and plugins as soon as they are released. Remember, it's wise to perform a backup immediately before applying updates, just in case something goes wrong. After all, while it is rare, updates to themes or plugins have been known to break websites.
Of course, you could simply join our Website Maintenance and Security Program, which lets you focus your time and energy on running your business while having confidence that we are doing all of these things for you.
If you are interested in joining, please contact us.