Very recently there has been a lot of trouble in the WordPress world. If your WP website has mysteriously broken, is displaying errors, or is missing content such as sliders, forms, and components, then you should read on.

The first issue revolves around a large array of WordPress plugins that are commonly and widely used.  These plugins are considered trusted plugins with a long history of safety and security.  They are some of the most useful plugins to date.

The problem is that some of the code used in developing WordPress and these plugins contains a serious XSS vulnerability. The issue is caused by the developers of WordPress and third-party plugins misusing that code.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.

We just recently experienced one of these attacks on a client’s website. The attacker exploited these vulnerable plugins and was able to inject or upload malicious files to the server. The files then replicated themselves and were used to generate thousands of spam emails that were sent from the client's server. This, in turn, caused a huge mess of problems. The email server was flooded and suspended with over 30,000 emails in the queue. The client's IP address and domain were almost immediately flagged by Google and other registries as a known spammer. Their website was also listed in Google as “hacked”. This meant that none of the emails the client was trying to send were reaching anyone.

The solution was to immediately shut down the site and email server so that we could go in and clean up the infected files. WordPress and all vulnerable plugins had to be updated. The email queue had to be wiped clean. Then the web host had to submit a request to remove the IP address and domain from the spam blacklist. Only then could the website and email be turned back on.

We highly recommend that all websites using WordPress immediately update all components and have their server checked for malicious files.
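One way to start the server check recommended above, as an added example that is not part of the original post: read-only triage of a WordPress document root. It assumes the standard layout (wp-content/uploads holds media only) and POSIX find/grep; the directory tree built in demo() is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Read-only triage checks for a
# WordPress document root. Assumes the standard layout (wp-content/uploads
# holds only media) and POSIX find(1)/grep(1) with -r/--include support.

# Print PHP files found under wp-content/uploads. That directory should hold
# only media, so any PHP file there deserves a manual look.
php_in_uploads() {
    docroot="$1"
    find "$docroot/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | sort
}

# Print PHP files anywhere under the document root modified in the last N
# days (default 7). Compare against the dates of your own updates.
recently_modified_php() {
    docroot="$1"; days="${2:-7}"
    find "$docroot" -type f -name '*.php' -mtime "-$days" 2>/dev/null | sort
}

# Print PHP files containing the eval-of-decoded-data pattern that injected
# code often uses to hide itself. Matches are leads to review, not verdicts.
suspicious_eval() {
    docroot="$1"
    grep -rlE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' \
        --include='*.php' "$docroot" 2>/dev/null | sort
}

# Demo on a constructed directory tree so the checks can be tried anywhere.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads/2015/04" "$tmp/wp-includes"
    printf 'jpegdata' > "$tmp/wp-content/uploads/2015/04/photo.jpg"      # constructed
    printf '<?php echo 1;' > "$tmp/wp-content/uploads/2015/04/dropper.php"   # constructed
    printf '<?php echo 2;' > "$tmp/wp-includes/functions.php"             # constructed
    echo "PHP in uploads:";   php_in_uploads "$tmp"
    echo "Modified <1 day:";  recently_modified_php "$tmp" 1
    echo "Suspicious eval:";  suspicious_eval "$tmp"
    rm -rf "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

Run with `sh check.sh demo` to see the constructed case, or call the functions with your real document root (for example `php_in_uploads /var/www/html`).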

The list of problematic plugins is ever growing, but the most widely used and common ones should be updated immediately.

The second problem that people are currently experiencing is a conflict between the latest Jetpack update and the WordPress update. Many websites auto-update plugins and WordPress. The timing of the Jetpack release and the WordPress release was not planned properly. This caused conflicts between Jetpack and WordPress, which broke many websites and caused a mass of problems.

If you need assistance with updating your plugins or fixing any of these related issues, please contact us right away.  This is an urgent matter that you should not wait to address.

To read more about this issue, here is what others are saying:

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

WordPress 4.0.1 Update Patches Critical XSS Vulnerability

Zero Day XSS Vulnerability in WordPress 4.2 Currently Being Patched