Serious security vulnerability in Social Warfare plugin for WordPress.

Avoca Web Design mountains image small

Yesterday a serious security issue was discovered in the popular social sharing plugin, Social Warfare. It allowed the attackers to redirect pages using the plugin to malicious and unsavoury websites.

Versions of this plugin prior to 3.5.3, allow malicious eval() code to be inserted into the wp_options table and causes redirects to pornography or other malicious websites.

It was particularly serious as it was what is known as a “zero day” exploit. This means it was actively being exploited by the bad guys with no fix immediately available from the plugin developers. There was a window of several hours where all websites using the plugin were vulnerable to attack without taking action to disable the plugin before a fix was publicly available.

We acted very quickly (10 minutes from discovery to complete mitigation of the issue) to prevent this affecting our clients managed websites. We thought you might like a glimpse of what that process looked like.

~10 minute, complete mitigation time for our managed care clients with Kinsta’s help

We have a handful of managed websites that were using this plugin and therefore vulnerable to the exploit. We are always monitoring both our websites and various security channels to stay aware of issues like this. As soon as we became aware of this vulnerability we sprung into action.

With the help of the fine folks at Kinsta, we had this mitigated for our managed sites that used it within around 10 minutes of becoming aware of the issue yesterday morning. At 11:58am we became aware of the issue, by 12:09pm we had it completely taken care of for all our managed websites.

Here’s what that process looked like

  1. We disabled the plugin on all sites at once with one click in our management tool. This meant that not only would our sites not be able to be targeted by the attack but the nature of the vulnerability meant that if they had been compromised the hack would not work and sites were safe. This step was actioned within 5 minutes of the issues discovery.
  2. Worked with the Kinsta team to quickly review all the sites with the plugin to make sure that the database was clean from malicious code. This step was completed within 10 minutes. Hats off to the speedy response from the support team at Kinsta, who once again demonstrated why they are the best in the business at what they do.
  3. Replaced the Social Warfare plugin with another plugin that does the same job and configured correctly on some of the affected sites that really need the social sharing. We left it disabled on others where the functionality is less important.
  4. We upgraded the other sites to the fixed version of the Social Warfare plugin (3.5.3) as soon as it became available.

Does this mean that WordPress is insecure? Should I panic?

No it doesn’t.

There will always be bad people in the world, trying to exploit weaknesses. From time to time a vulnerability will be discovered. This is not unique to WordPress, large companies such as Apple and Facebook also have issues from time to time.

It’s more important how the platforms respond to these vulnerabilities. WordPress actually has quite good security practices and there are good channels of communication that release information on potential issues very quickly.

The most important thing is that your website stays up to date, that you run timely updates for both WordPress and any plugins or themes your website uses. Here’s what our hosting partner, Kinsta, has to say about the state of WordPress security.

You should really using managed WordPress hosting with a website care plan, if you’re not already

Security events like this a great reason to use managed WordPress hosting with a website care plan. By doing that, you are partnering with an expert WordPress management team that stays current with the latest security threats and regularly updates your website to ensure that it is as safe as possible.

We also run nightly backups so that even in the worse case scenario, where you get hacked, we can restore the site to it’s clean, safe state very quickly.

You might think that all web hosting should provide these services. However, that’s not actually the case.

Cheap shared web hosts won’t actively update your website or plugins. They might be taking backups or they might not. There is no guarantee they’ll be able to roll your site back to a good, hack free state. You’re on your own as far as resolving these issues or maintaining your website most of the time. The only way they can provide you hosting at such a low price is to limit the ongoing work they do to help you out.

Managed WordPress hosts are a definite step up and they will have backups and will act to protect sites from widespread security vulnerabilities such as this one. They will also upgrade WordPress and make sure it’s up to date.

It’s worth noting though, that even Managed WordPress hosts don’t normally update plugins or themes. This is because themes and plugins are tied directly to the functionality of your website. Some plugins and themes need to be updated with care to make sure that your site continues to work well and managed hosts don’t have the resources to do this for each and every client. To give you an idea of the amount of update work involved, we manage over 1500 plugin updates a month on our 100+ managed websites. As the security and functionality of websites evolves, these updates become more frequent.

Managed Website Care for WordPress combines managed WordPress hosting with updating and website management services. This is what you should choose to ensure that you never have to worry about these issues. We’ll look after your website like we do our own. We stay on top of the security issues like this to ensure that you don’t have to. Combined with the power of a managed hosting team like Kinsta you get a premium website care and hosting experience.

When you choose Managed website care, you’re getting peace of mind as well as lighting fast load times.

Brendyn Montgomery

Brendyn is the manager of Avoca Web Design, a keen trail runner and an accomplished and award winning musician.

Related Posts