This week, a major vulnerability was found in OpenSSL, a very widely used open source library that lets users connect securely to websites (at least, in theory). The bug has been commonly dubbed “HeartBleed,” because it is a flaw in the TLS Heartbeat Extension of OpenSSL, and it allows an attacker to read data stored in a web server’s memory during a secure connection. Unfortunately, that memory can contain important and sensitive information, including usernames, passwords, critical documents and more, thus also exposing your private data to attackers. Because of the nature of the vulnerability, attackers most likely wouldn’t even leave any sign of unauthorized access. HeartBleed is already considered to be one of the worst security flaws in the history of the internet.
So how does it affect WordPress websites?
First, we need to bear in mind that only websites that use OpenSSL to serve secure (SSL/HTTPS) connections are vulnerable here. In practice, this includes just about any website where you have to log in with a username and password. Most websites with this functionality use some form of SSL, but the big exception would be the many WordPress websites that don’t deal with sensitive user data but do have a login form for administrative or commenting purposes, and so often run without SSL at all.
If you run a WordPress website that doesn’t use HTTPS, you should be OK. If you’re not sure whether your site uses HTTPS, look at how your domain name appears in your browser’s address bar when you visit your site (or a secure page on your site, if HTTPS isn’t applied to the entire domain). If it starts with https, you could be in trouble. If it’s plain http, or nothing at all, you don’t need to be worried – about your own site, at least. Keep reading, though, because even if your site isn’t directly affected, HeartBleed very likely affects you in an indirect way.
If your site does use SSL, you should contact your web host and find out if your specific version was vulnerable, and whether they have patched the security flaw. This is an important point: Until the security flaw has been patched on the server, there’s not much you can do on your website to rectify the situation. If you change a password or re-issue your security certificate before the vulnerability is closed, your new password or certificate will be vulnerable. Your host should also be able to tell you whether they’ve seen any signs of suspicious activity on the server, which, while not a guarantee of safety or trouble, could be a good indication either way.
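As an added illustration (not part of the original post) of what “find out whether your specific version was vulnerable” means for an administrator with shell access: the script below classifies the output of `openssl version -a` against the affected version ranges from the OpenSSL advisory for CVE-2014-0160, and handles the case where a distribution has backported the fix without changing the version letter. The sample version strings used to exercise it are constructed.

```python
import re
from datetime import datetime
from typing import Optional

# Facts from the OpenSSL advisory for CVE-2014-0160 (Heartbleed): 1.0.1 through
# 1.0.1f are vulnerable and 1.0.1g carries the fix; 1.0.2-beta1 is vulnerable and
# 1.0.2-beta2 fixed it; the 1.0.0 and 0.9.8 branches never had the bug.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)(?:-beta(\d+))?")
DISCLOSURE = datetime(2014, 4, 7)  # public disclosure date of Heartbleed

def classify_version(version_line: str) -> str:
    """Map the first line of `openssl version` to 'vulnerable', 'fixed',
    'not_affected' or 'unparsed' (e.g. LibreSSL, which does not print 'OpenSSL')."""
    m = VERSION_RE.search(version_line)
    if not m:
        return "unparsed"
    base, letter, beta = m.groups()
    if base == "1.0.1":
        return "vulnerable" if letter <= "f" else "fixed"  # '' (plain 1.0.1) .. 'f'
    if base == "1.0.2":
        return "vulnerable" if beta == "1" else "fixed"     # only beta1 shipped the bug
    return "not_affected"

def built_after_disclosure(version_a_output: str) -> Optional[bool]:
    """Distributions backport fixes without bumping the version letter, so a
    patched Debian/Ubuntu/RHEL build may still report 1.0.1e; the 'built on'
    line of `openssl version -a` is then a heuristic: a build date on or after
    disclosure suggests a rebuilt package. None = line missing or in another format."""
    m = re.search(r"built on:\s*(.+)", version_a_output)
    if not m:
        return None
    stamp = re.sub(r"\s+", " ", m.group(1).strip())
    try:
        built = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Z %Y")
    except ValueError:
        return None
    return built >= DISCLOSURE

def assess(version_a_output: str) -> str:
    """Combine both checks into the answer a site owner needs from the host."""
    first_line = version_a_output.splitlines()[0] if version_a_output else ""
    status = classify_version(first_line)
    if status != "vulnerable":
        return status
    if built_after_disclosure(version_a_output):
        return "upstream-vulnerable number but rebuilt after disclosure: confirm in the package changelog"
    return "vulnerable: patch OpenSSL and restart TLS services before rotating certificates and passwords"
```

Feed it the full text of `openssl version -a` from the server; a plain `openssl version` line works too, but then the backport heuristic cannot run.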
Once the flaw has been successfully patched, you should alert the users of your site about the issue and recommend that they change their passwords. (Sidenote: If you’re a client of ours, our servers have been patched, but we do encourage you to change your passwords.) While many websites that don’t get a ton of traffic may not have been targeted at all, this is a case where it’s certainly better to be safe than sorry. As previously mentioned, it may be a good idea to re-issue the security certificate you were using.
How HeartBleed may affect you, even if your website isn’t vulnerable
If you have accounts on websites that use the compromised version of OpenSSL (here’s a hint: you do), you should make an effort to change your passwords right away, assuming that any given site has addressed the bug. Many major sites have already corrected the issue on their end, so by the time you read this, it is probably a safe bet that you can go ahead and change your passwords.
Some of the popular sites affected by this bug are Yahoo, OKCupid and Eventbrite, where usernames and passwords may have been exposed. And if you reuse usernames or passwords (which is a bad idea in general), now is probably a good time to change your credentials across the board.
- More information on HeartBleed and WordPress
- A General Overview of HeartBleed
- Top 10,000 Most Popular Websites and their Vulnerability Status
- Technical information at OpenSSL.org for Server Administrators