Now that all the fuss has died down, I thought I would publish my thoughts on the recent Yoast WordPress SEO plugin security issues. As you may well have heard, a problem was found in the extremely popular and widely-used SEO plugin, which caused a great deal of concern amongst the IT community and WordPress users because it could have resulted in sites being hacked. The Yoast stable is arguably the most reputable in the industry, so it’s a salutary lesson that even the great and revered Yoast can make coding mistakes. Once the security issue was found, an update to the plugin was promptly released, and the moral of the story is update, update, update. In other words, if you do not update your WordPress version and your WordPress plugins on a regular basis then you only have yourself to blame if your site is hacked as a result.
What went well?
There are some gratifying elements to this story, notably:
- The chap who identified the vulnerability (Ryan Dewhurst at WPScan) discretely contacted the Yoast team and (crucially), waited for them to release an update before publishing details of the problem to the public. A great example of ethics in IT – thank you Ryan.
- The team at Yoast worked hard to issue a new release as quickly as possible whilst making sure that the problem was addressed.
- Where possible, wordpress.org agreed to automatically update plugins for people – an unusual occurrence.
Based on my experience of WordPress websites, I am willing to bet that there are thousands of people running WordPress sites with an out-of-date version of the Yoast WordPress SEO plugin, who are either oblivious to the problem or think that it won’t affect them. Thousands more probably have no idea that there site even has the Yoast SEO plugin installed on it, having “left that sort of thing” to their developer, or their website host.
Some IT developers and website hosts spent time discussing the problem on social media and posting blog articles about it, instead of getting on with updating their customers’ websites!
Now the problem has been identified, hackers will be aware of it and they will know exactly how to exploit it…
How do I know if I have the Yoast WordPress SEO plugin installed on my site?
- Go to your WordPress dashboard
- Click on plugins in the left hand menu
- If you see “WordPress SEO” in the list of plugins and if the details say it’s by “Team Yoast”, then you have this plugin.
- If it doesn’t say “Version 1.7.4” before “by Team Yoast”, then you need to update the plugin as a matter of urgency.
- Remember to back up your site FIRST.
- If you don’t know how to take a backup of your site or how to update a plugin, then speak to your web developer. Like changing the oil in your car’s engine, you either need to learn how to do it yourself or pay someone else to do it, but you do have to make sure it is done.
- Whilst you’re at it, check that you are running the latest version of WordPress. You can find out which version of WordPress you are running on your website by going to the main dashboard area and looking in the “at a glance” box at the top of the page. It should be 4.1.1. Anything else, and you are vulnerable to security issues, and you won’t be benefitting from all the latest WordPress functionality.
Anything else I need to know about updating plugins?
Be aware that if you are running very old versions of plugins and/or WordPress, then your site may break if you try to update everything. This is because it’s a bit like trying to install a Ferrari Formula 1 engine in a Reliant Robin. If you force it in, it might work, but then again the doors could fall off…
What else can I do to protect my WordPress site?
- Check your WordPress plugins on a very regular basis. The WordPress dashboard will tell you if updates are available.
- Backup your site and then update those plugins! Having out-of-date plugins on your website is like buying a car and never putting any new tyres on it.
- Alternatively, consider purchasing fully-managed hosting. If you choose fully-managed hosting, your website host should do all this for you. Most website hosting is not fully-managed, so most people are responsible for updating their own plugins.
- Outerbridge managed hosting takes care of all of this for you (and much more besides), and it’s available from £99+VAT per annum. A small price to pay for peace of mind…