WordPress Core and Plugin Update Needed (Updated)

wp-vulnerabilityfixed
Sucuri has recently announced the discovery of a XSS vulnerability that affects multiple plugins. At least 15 popular plugins are affected including Jetpack, WordPress SEO, Gravity Forms and more. At the time of the vulnerability disclosure the majority of the plugin authors have launched new versions of their plugins fixing the issues. The next day a security release (4.1.2) of the WordPress core itself was released.  It is reported to fix several security issues too.

Are SiteGround customers protected?

Due to the nature of the reported vulnerabilities, we can't use our WAF (web application firewall) system to block potential exploit requests on server level. The problem resides within very commonly used functions of the app and such filter would interrupt greatly the normal functionality of your sites. That is why the solution in this case is a quick update of WordPress AND all its plugins.

All SiteGround customers, who use the defaults setup of our autoupdater will have both their core and plugins automatically updated in the next few hours. If you have installed your WordPress via our 1-click installers and have not changed the autoupdate configuration you will have nothing to worry about. We will soon notify you via email and then update your WordPress core application alongside with all plugins that have new versions.

All SiteGround customers, who do not use our auto-updater, but had a WordPress version higher than 3.7 should have already received a core WordPress update pushed by WordPress itself. However, this update has not changed the versions of your plugins, so it is highly recommended that you update all used plugins manually as soon as possible.

Once our auto upgrade procedure is over, all WordPress accounts will be scanned and if we discover outdated and vulnerable plugins additional actions will be taken to secure them.

UPDATE: MAY 7TH 2015

Since the above reported plugin and WordPress core vulnerabilities, there have been two more WordPress core security releases (4.2.1 and 4.2.2). SiteGround AutoUpdater has been working as expected and is applying all new versions with the patches to both core and plugins.

To minimize the security risk further, we're enlisting WordPress installations transferred to us from another hosts to our AutoUpdater system (all installations made through our 1-click installers are already enlisted by default). Within the next 24 hours, all recently enlisted installs will receive notifications for the upcoming update.

Once again, we recommend to all our customers who have opted out from our AutoUpdater tool to update their WordPress applications manually as soon as possible.

Product Development - Technical

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

8 Comments

  1. Reply April 29, 2015 / 00:52 Jon SchroederSiteGround Team

    Thanks for the update; I'm glad you guys are putting stuff like this out. Just wondered why on the SiteGround site you aren't using permalinks. I'm surprised, given that you guys have a beautifully-crafted WordPress site.

    • Reply April 30, 2015 / 01:55 Hristo PandjarovSiteGround Team

      The siteground.com site itself is not powered by WordPress but is a pretty complex custom made solution. Certain parts, however, like this blog are working on WordPress and all of them have good permalink structure 🙂

  2. Reply May 2, 2015 / 16:19 viniSiteGround Team

    anyone use siteground managed wordpress
    how much physical memory and cpu we got from siteground managed wordpress go geeky

    • Reply May 7, 2015 / 04:11 Hristo PandjarovSiteGround Team

      Those plans are located in servers, shared in nature which means that all users on the machine share the same physical resources.

  3. Reply May 4, 2015 / 06:59 KatSiteGround Team

    As a new Siteground.com customer and new user of wordpress I am really impressed at the proactive approach and level of communication and action taken. I am in safe hands A+

  4. Reply June 30, 2015 / 03:15 Alex de BorbaSiteGround Team

    SiteGround AutoUpdater needs a remove option, so that we can delete installations, for instance when we move an installation under development from a sub-folder toward the root of our hosting.

    • Reply June 30, 2015 / 05:44 Hristo PandjarovSiteGround Team

      There is. Just select "Disable AutoUpdater" and click "Go".

  5. Reply June 30, 2015 / 12:56 SusanSiteGround Team

    I'm definitely late to the party on this (and this is only sort-of related to this post), but I just wanted to say a big THANK YOU to whoever is responsible for recent changes to the Softaculous auto-installer for WordPress: formerly, every install came with a big pile of themes that I never used and always had to just delete. Now it only installs the three most recent WordPress default themes. This is so much cleaner and easier for me!

    Cheers all.

Reply to Susan Cancel

* (Required)