Yesterday, on April 10th, a critical security flaw in the popular Jetpack plugin was made public in an official statement by the Jetpack developers. If exploited, the vulnerability would let an attacker publish new posts on any WordPress installation running Jetpack, and possibly gain even more access to that site. Although we did not detect any sites on our servers hacked through this flaw, it was a critical security hole, and we took several actions to close it.
Adding a Rule to Our Firewall System
Normally, certain actions of the Jetpack plugin should be executable only from a limited set of IP addresses belonging to the official Jetpack network. The vulnerability allowed requests from other IPs to execute these actions as well. That is why the first thing we did was to add a rule to our firewall that prevents non-Jetpack IPs from executing such actions.
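The following is an added illustration of that kind of firewall rule, not the rule we run or any code from the Jetpack project: it denies requests for the Jetpack-only actions unless the source address is inside an allowlist, and leaves all other traffic alone. The endpoint path, the query marker and the IP ranges are placeholder assumptions for the example; the real allowlist must come from the Jetpack developers.

```python
import ipaddress

# Constructed placeholder ranges standing in for the Jetpack network.
# These are documentation addresses, not the real Jetpack IPs.
JETPACK_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Hypothetical endpoint and query marker for the restricted Jetpack actions;
# the post does not name them, so these are assumptions for the example.
PROTECTED_PATH = "/xmlrpc.php"
PROTECTED_QUERY_MARKER = "for=jetpack"


def is_jetpack_action(path: str, query: str) -> bool:
    """True when the request targets the Jetpack-only actions."""
    return path == PROTECTED_PATH and PROTECTED_QUERY_MARKER in query.split("&")


def from_jetpack_network(src_ip: str) -> bool:
    """True when src_ip is inside an allowed range; unparseable input fails closed."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in JETPACK_NETWORKS)


def decide(src_ip: str, path: str, query: str = "") -> str:
    """Firewall verdict: 'deny' only for Jetpack actions from outside IPs.

    Ordinary requests pass through, so the rule cannot break the rest of the site.
    """
    if is_jetpack_action(path, query) and not from_jetpack_network(src_ip):
        return "deny"
    return "allow"


# Constructed sample requests (src_ip, path, query), not real traffic.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "/xmlrpc.php", "for=jetpack"),   # allowed range -> allow
    ("203.0.113.7", "/xmlrpc.php", "for=jetpack"),  # outside range -> deny
    ("203.0.113.7", "/xmlrpc.php", ""),             # plain XML-RPC -> allow
    ("203.0.113.7", "/wp-login.php", ""),           # unrelated page -> allow
    ("not-an-ip", "/xmlrpc.php", "for=jetpack"),    # unparseable -> deny
]


def apply_rule(requests=SAMPLE_REQUESTS):
    """Run each sample request through the rule and return the verdicts."""
    return [decide(ip, path, query) for ip, path, query in requests]
```

`src_ip` must be the address the firewall itself observed on the connection, never a client-supplied header such as X-Forwarded-For, otherwise the allowlist can be bypassed by anyone who sets that header.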
Updating the Jetpack Plugin of Our Users
We have also updated most of the nearly 12 000 Jetpack installations detected on our servers to the latest security release published by its developers for the version branch in use. An email describing the issue and the required update was also sent to all users whose Jetpack updates were not under our control.