WordPress - Jetpack Exploit
Read this in a WP group about an exploit in the Jetpack plugin. Bottom line: if you use the Jetpack plugin, upgrade to ver. 7.9.1 ASAP.
Since many here use or offer WP hosting, I thought it might be relevant to post here.
Adding the 'raw' source - removed all UTM information
https://www.bleepingcomputer.com/news/security/millions-of-sites-exposed-by-flaw-in-jetpack-wordpress-plugin/
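For anyone hosting a lot of WP installs, the practical follow-up to "upgrade to 7.9.1" is finding which installs are still below it. The script below is an added example, not from the thread or from the Jetpack project: it reads the standard WordPress plugin header block (the `Version:` line in the plugin's main PHP file), compares it against the fixed version named above, and reports installs that need the update. The sample header text is constructed; the assumed path of the main file (`wp-content/plugins/jetpack/jetpack.php`) and the `audit_site` helper are mine, not anything the post states.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Version named in the thread as the fix; anything lower is flagged.
FIXED_VERSION = "7.9.1"

# Constructed sample of a WordPress plugin header block. A real jetpack.php
# carries more fields; only the "Version:" line matters for this check.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Jetpack by WordPress.com
 * Plugin URI: https://jetpack.com
 * Description: (constructed sample description)
 * Version: 7.8.2
 * Author: Automattic
 */
"""

# WordPress header lines look like " * Version: 7.8.2" or "Version: 7.8.2".
_VERSION_RE = re.compile(r"^[ \t]*\*?[ \t]*Version:[ \t]*(\S+)", re.MULTILINE)


def parse_version(tag: str) -> Tuple[int, ...]:
    """Turn '7.9.1' into (7, 9, 1). Trailing non-numeric parts such as
    '-beta' stop the parse, so '7.9.1-beta' compares as (7, 9, 1)."""
    nums = []
    for part in tag.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def plugin_version(header_text: str) -> Optional[str]:
    """Extract the Version: field from a plugin file's header, or None."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def is_vulnerable(version: Optional[str], fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the fixed version.
    An unparseable/missing version is treated as needing attention."""
    if version is None:
        return True
    return parse_version(version) < parse_version(fixed)


def audit_header(header_text: str, fixed: str = FIXED_VERSION) -> dict:
    """Pure helper: summarise one plugin header as a small report dict."""
    version = plugin_version(header_text)
    return {
        "installed": version,
        "fixed": fixed,
        "needs_update": is_vulnerable(version, fixed),
    }


def audit_site(site_root: Path, fixed: str = FIXED_VERSION) -> dict:
    """Audit one WordPress install. Assumed main file path, not from the post."""
    main_file = site_root / "wp-content" / "plugins" / "jetpack" / "jetpack.php"
    if not main_file.is_file():
        return {"installed": None, "fixed": fixed, "needs_update": False,
                "note": "Jetpack not installed"}
    # Only the header is needed; reading a few KB avoids loading the whole file.
    with main_file.open("r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return audit_header(head, fixed)


if __name__ == "__main__":
    import sys
    # Usage: python jetpack_audit.py /var/www/site1 /var/www/site2 ...
    roots = [Path(p) for p in sys.argv[1:]] or []
    if not roots:
        print("sample header:", audit_header(SAMPLE_HEADER))
    for root in roots:
        print(root, audit_site(root))
```

Versions are compared as integer tuples rather than as strings, so 7.10.0 correctly sorts above 7.9.1; a string comparison would get that wrong.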
Get hit with
sooner or later
Yes, but WP has lots of advantages and I think it is hard not to use it. I just wonder if such plugins that do so many things at one time are inherently more prone to exploits, simply because small plugins that do just one thing well have much less code to deal with and it is much easier to see what can go wrong. Not saying small plugins are better, but I think the probability of being able to catch problems early is higher.
Deals and Reviews: LowEndBoxes Review | Avoid dodgy providers with The LEBRE Whitelist | Free hosting (with conditions): Evolution-Host, NanoKVM, FreeMach, ServedEZ | Get expert copyediting and copywriting help at The Write Flow
I think it's just they are more often being targeted and are easier to detect. Small plugins might not even show up in the HTML code, or they might not interact with the user, so the attack surface is low.
If there is so much to exploit in the popular big plugins, why bother with niche plugins?
Security by obscurity. I prefer to handle a few specialised plugins instead of a fat one like Jetpack.
About WP security there was a discussion at the other place a few days back and I had summarised some of the points in a blog post.
I had several sites and sub domains connected via JP mainly so that I could write drafts in iA Writer -> schedule posts -> add meta tags, images etc. via the WP app on Mac and publish posts / update sites etc.
Now I have changed the workflow so there is no need to have JP. It is slow and flaky - half the time sites disconnect for one reason or another. I think the key was finding the right tools (and people) to suit a new workflow. This incident provided the trigger.
Another learning: the updates were pushed first for paid versions of JP. Updates for JP Free version came a day or two later. I will be updating the post on my website shortly.