Update This WordPress Plugin to Prevent Your Site From Being Hacked
I use WordPress to power my little corner of the web, and I confess I have been lazy about updating my various plugins and themes. My site is fairly simple, so it never crossed my mind. Still, I highly recommend that you visit your WordPress site right now and install whatever updates are pending, especially if you use a certain plugin from ThemeGrill that is seriously vulnerable until it is patched.
According to a recent WebARX report, the ThemeGrill Demo Importer plugin for WordPress, which had over 200,000 installations at the time of this article’s publication (a figure that is dropping quickly), is vulnerable in every version from 1.3.4 to 1.6.1. … If a site is running the plugin with a ThemeGrill theme installed and activated, an attacker can exploit the vulnerability to ‘erase the entire database to its default state’; and if the default ‘admin’ user account is still present, the attacker is then ‘automatically logged into the system as an administrator’.
As WebARX writes:
“This is a serious vulnerability that can cause significant damage. Since it does not require a suspicious-looking payload, like our previous finding in InfiniteWP, it is not expected that any firewall will block this by default, and a special rule needs to be created to block this vulnerability.”
You will want to update your ThemeGrill Demo Importer plugin to version 1.6.2 or later as soon as possible, which is easy enough to do from the Plugins page of your WordPress dashboard. If you are not actually using a ThemeGrill theme, the better fix is to deactivate and delete the plugin altogether, since an unused plugin is nothing but attack surface. It is hard to miss that you have pending updates, because the back end of your site will look like this:
It’s time to start using auto-updates
If you are like me and were surprised by the number of pending updates, or you simply want to make sure you get every plugin update as soon as it appears (which is a great security practice), I recommend installing an additional plugin to manage your plugin updates. Add a plugin like Companion Auto-Update to your WordPress installation and it will automatically keep everything in your WordPress site (even its core files) on the most recent version.
By default, Companion Auto-Update automatically installs updates for your plugins, themes and translation files, plus minor WordPress core releases (which core has applied on its own since WordPress 3.7); you can also opt in to major core releases if you have no compatibility concerns. To confirm that the plugin is doing its job, you can have it email you whenever it updates something on your site. Automatic updates are not a substitute for backups: an update can still break a site, so keep a recent backup you know you can restore.
While the chances are slim that you use the aforementioned ThemeGrill demo importer on your own site, this vulnerability is a good excuse to take a few minutes and configure your site for automatic updates. That way, if a vulnerability is ever found in a plugin you actually use, you will receive the fix as soon as it is released.
And while you are at it, stop using the default ‘admin’ account in WordPress as well. That account is what turns this database wipe into an attacker’s administrator session, and a username every attacker can guess gives password-guessing attacks half the answer for free. Create a new administrator with a different login, reassign the old account’s posts to it, and delete ‘admin’.
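The three steps above (update or remove the plugin, switch on automatic updates, retire the ‘admin’ account) collected into one WP-CLI script. This is an added example written for this article, not code from the original post, from WebARX or from ThemeGrill. It assumes WP-CLI (`wp`) is installed, that the plugin’s wordpress.org slug is themegrill-demo-importer, and that the version bounds are the ones in the WebARX report; the must-use plugin it writes uses WordPress core’s own auto_update_* filters rather than the Companion Auto-Update plugin, and the file name force-auto-updates.php and the run/usage arguments are choices made for this example.

```shell
#!/bin/sh
# Post-advisory hardening for a WordPress site, driven by WP-CLI.
# Added example for this article; not code from the original post, WebARX
# or ThemeGrill. Assumptions: WP-CLI ("wp") is installed, ROOT is the
# WordPress install directory, the plugin's wordpress.org slug is
# themegrill-demo-importer, and versions are dotted integers only
# (no "-beta" style suffixes).
set -eu

PLUGIN=themegrill-demo-importer
VULN_MIN=1.3.4   # first vulnerable version reported by WebARX
VULN_MAX=1.6.1   # last vulnerable version reported by WebARX
FIXED=1.6.2      # first fixed version

# version_cmp A B: prints -1, 0 or 1 for A < B, A = B, A > B.
# Missing components count as 0, so 1.6 equals 1.6.0.
version_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# classify_version V: "vulnerable" inside the reported range, "fixed" at or
# above the patched release, otherwise "outside-reported-range".
classify_version() {
    if [ "$(version_cmp "$1" "$FIXED")" -ge 0 ]; then
        echo fixed
    elif [ "$(version_cmp "$1" "$VULN_MIN")" -ge 0 ] &&
         [ "$(version_cmp "$1" "$VULN_MAX")" -le 0 ]; then
        echo vulnerable
    else
        echo outside-reported-range
    fi
}

# check_and_update_plugin ROOT: read the installed version through WP-CLI
# and update when it predates the fix. A plugin that is installed but not
# in use is attack surface for no benefit; consider "wp plugin delete".
check_and_update_plugin() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 1; }
    if ! wp plugin is-installed "$PLUGIN" --path="$1"; then
        echo "$PLUGIN is not installed; nothing to do"
        return 0
    fi
    installed=$(wp plugin get "$PLUGIN" --field=version --path="$1")
    echo "$PLUGIN $installed: $(classify_version "$installed")"
    if [ "$(version_cmp "$installed" "$FIXED")" -lt 0 ]; then
        wp plugin update "$PLUGIN" --path="$1"
    fi
}

# write_auto_update_mu_plugin ROOT: drop a must-use plugin that opts every
# plugin, theme and translation into core's background updater, using
# WordPress core's own auto_update_* filters (no third-party plugin needed).
write_auto_update_mu_plugin() {
    mkdir -p "$1/wp-content/mu-plugins"
    cat > "$1/wp-content/mu-plugins/force-auto-updates.php" <<'EOF'
<?php
/* Plugin Name: Force automatic updates (added example) */
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );
EOF
}

# enable_core_auto_updates ROOT: minor/security core releases are automatic
# by default; WP_AUTO_UPDATE_CORE=true adds major releases as well.
enable_core_auto_updates() {
    wp config set WP_AUTO_UPDATE_CORE true --raw --path="$1"
}

# replace_admin_user ROOT NEW_LOGIN EMAIL: create a replacement administrator
# with a non-default login, then delete "admin" and hand its posts to the new
# user. WP-CLI prints the generated password; change it on first login.
replace_admin_user() {
    if ! wp user get admin --field=ID --path="$1" >/dev/null 2>&1; then
        echo "no 'admin' user present; nothing to do"
        return 0
    fi
    wp user create "$2" "$3" --role=administrator --path="$1"
    new_id=$(wp user get "$2" --field=ID --path="$1")
    wp user delete admin --reassign="$new_id" --yes --path="$1"
}

# Only touch a real site when explicitly asked, e.g.:
#   sh harden.sh run /var/www/html siteowner owner@example.com
if [ "${1:-}" = run ]; then
    [ $# -eq 4 ] || { echo "usage: $0 run ROOT NEW_LOGIN EMAIL" >&2; exit 1; }
    check_and_update_plugin "$2"
    write_auto_update_mu_plugin "$2"
    enable_core_auto_updates "$2"
    replace_admin_user "$2" "$3" "$4"
fi
```

Run it with no arguments to load the functions only; pass run, the site root, the new login and its email address to act on a site. The version check is the part worth keeping around: it tells you whether an installed copy sits inside the reported 1.3.4 to 1.6.1 window before anything is changed, and the same comparison works for the next plugin advisory by swapping the three version constants.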