WordPress Plugin Vulnerability Alert: All-In-One WP Migration, 5+ Million Websites Affected

Written By Jessica Bull

Wordfence, a WordPress security service provider that regularly releases details on WordPress plugins, has released a new report on a widely used WordPress plugin. The All-in-One WP Migration plugin, specifically versions up to 7.89, contained a critical vulnerability: an unauthenticated PHP object injection. This means that an attacker, without needing to log in to the WordPress site, could send specially crafted requests to the website. These requests could then execute arbitrary PHP code on the server.

But, if none of those words made sense to you, here’s the breakdown:

  • An attacker could remotely force the website to run code they choose.

  • This could lead to complete control of the website, including:

    • Stealing sensitive data.

    • Installing malware.

    • Taking the website offline.

What To Do: Update Your Plugin

Happily, the developers of All-in-One WP Migration have already fixed the problem in their most recent patch. This means that all you have to do is go into your WordPress Dashboard > Plugins, then find All-in-One WP Migration in the list. From there, if an update is available you can click Update. If you haven’t already, I always recommend enabling auto-updates (button is on the right side of your plugin list) for security reason (like this one).

Are you still actively using All-in-One WP Migration? If not, delete it completely to avoid any future, undiscovered vulnerabilities! In fact, I always recommend cleaning out your WordPress site from unused plugins at least every 6 months.

How To Prevent Vulnerabilities: WordPress Security Best Practices

To prevent vulnerabilities in general, be sure you’re using basic WordPress security best practices in general. These include:

WordPress, Themes, & Plugins

  • Automatic Updates: Enable automatic updates for WordPress core, themes, and plugins. This ensures you have the latest security patches.

  • Regular Checks: Periodically check for updates manually, especially before major releases.

  • Remove Unused Items: Delete any themes or plugins you're not actively using. They can still pose security risks.

Passwords & User Management

  • Strong Passwords: Use complex, unique passwords for all user accounts, especially administrators. Consider a password manager.

  • Limit Administrator Accounts: Minimize the number of administrator accounts.

  • Principle of Least Privilege: Grant users only the necessary permissions.

  • Two-Factor Authentication (2FA): Enable 2FA for all user accounts, especially administrators.

  • Regular Password Changes: Enforce regular password changes.

  • Rename the "admin" User: If possible, rename the default "admin" username during setup.

Secure Hosting and Server Configuration

There are a great deal more best practices here, but if you’re using a WordPress managed hosting service, they are likely protecting your website with secure hosting and server configuration. If you’re self-hosting or you’re checking your configurations yourself, here are a few best practices:

  • Reputable Hosting Provider: Choose a hosting provider with a strong security track record.

  • SSL/TLS Certificate: Install an SSL/TLS certificate to encrypt data transmitted between the website and visitors.

  • Regular Backups: Implement regular, automated website backups. Store backups off-site.

  • Server-Side Security: Ensure your hosting provider keeps their server software up to date.

  • Disable Directory Indexing: Prevent unauthorized users from browsing your website's directories.

  • PHP Security: Ensure your PHP version is up-to-date and configure PHP settings for security.

  • Strong Database Password: Use a strong, unique password for your database.

  • Database Prefix: Change the default database prefix (wp_) to something more secure.

  • Regular Database Backups: Include database backups in your regular backup routine.

  • Restrict File Permissions: Set appropriate file permissions to prevent unauthorized access.

  • Avoid 777 Permissions: Never use 777 file permissions, as they grant unrestricted access.

  • Vulnerability Scans: Perform regular vulnerability scans to identify potential weaknesses.

  • Security Testing: Conduct penetration testing to simulate real-world attacks.

  • Sanitize User Input: Sanitize all user input to prevent cross-site scripting (XSS) and SQL injection attacks.

  • Validate Data: Validate all data submitted through forms to ensure it meets expected criteria.

  • Restrict File Types: Limit the types of files users can upload to prevent malicious uploads.

  • File Size Limits: Set file size limits to prevent large uploads that could overload your server.

The internet is a wild place, and getting hacked is always a possibility, no matter how great your security is. Stay tuned (and subscribe if you haven’t already!) for our future article on What to Do After You’ve Been Hacked.

Jessica Bull https://www.joincalathea.com
Next

Don’t Sleep on Gen Z: Your Company’s Future Needs Them