Welcome back to the Patchstack Weekly security update! This update is for week 14 of 2022 and I will talk about the first 5 steps to a secure WordPress.
This week has a lot of vulnerability news to cover, and I will be sharing it as a 3-2-1 punch of 3 plugins that received no patch for security bugs, 2 premium plugins that patch critical security bugs, and 1 public exploit already being shared for a Local File Inclusion vulnerability.
In this week's knowledge share, I will talk about the first 5 steps of WordPress security. These steps are not the only steps you should take for security, they are the steps you should be taking when you are first setting up a WordPress website from scratch, to ensure it is secure from day 1. I will add a bonus step for bare basic security maintenance.
Please be on the lookout for the following plugins, each is affected by an unauthenticated SQL Injection vulnerability and unfortunately, none have received a public patch at this time.
The following premium plugins have patched high severity (CVSS 9.8) security bugs in their projects recently. Users will need to make sure they have applied the patch made available ASAP, since these are premium plugins you may need to manually update the plugin.
Which could mean you need to check if the plugin has an auto-update button to click, if not, then you will need to download the updated software from the vendor, upload it to your site yourself, and replace the old version of the plugin with the new one.
The Cab Fare Calculator plugin developers patched an unauthenticated local file inclusion vulnerability which users should update as soon as possible.
There is public proof of concepts already published for this vulnerability, which requires no authentication to perform … the silver lining is: that it has restrictions where only files ending in .php that exist in the local filesystem will be included.
This is basically a short version of your WordPress security starter pack.
Now you can run the installation script, and when you choose your first admin user's password you will be sending it over encrypted channels. And while you're choosing that password, that is the next point I will bring up!
Knowing if one of your WordPress websites is running components with known insecurities will help empower you to remove the vulnerabilities before they are exploited. This will also help you with the next step: which is something you will need to do regularly.
This will get you off to a great start running a secure WordPress website. Once you have your components updating, and user accounts locked down, it will be smooth sailing. But, there will be some occasional maintenance needed.
This brings me to the final point in this short article, what you should do every so often, monthly, quarterly, maybe yearly to help review and manage your site's security.
There is so much more you could talk about when it comes to WordPress site security, but this list is a great start.
It is helpful to talk with your webmaster or hosting provider about security, it will help you understand what they do and what you are responsible for. You may be surprised how much security your hosting provider or webmaster may already be doing for you.
A growing list of hosting providers has partnered with Patchstack. GridPane, Cloudways, Plesk, Pagely, and more use Patchstack's WordPress vulnerability intelligence to power their customer's WordPress website security.
If your hosting provider is not a Patchstack partner, you can always use the free Patchstack WordPress plugin for notifications and maybe mention to your hosting provider that they should partner with Patchstack for vulnerability intelligence. It never hurts to ask.
A special thank you to the Patchstack Alliance team members, who are working hard to find, report, and communicate security bugs for the WordPress ecosystem.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly security update!