    Tech news feeds have been on fire these past 24 hours, after a major vulnerability was found that could take down WordPress and Drupal sites.

    Big deal factor: WordPress alone powers 23% of the entire Web!

    Both CMSs have already issued patches for their applications. However, if you haven’t updated to the latest version, or if WordPress hasn’t done it automatically, then you should probably do it now.

    Go ahead, I’ll wait…

    If you’re like us and many others, you might have a customized WordPress installation, complicated plugin arrangements, or many simultaneous WordPress sites that make updating a difficult and dangerous process.

    This requires more TLC than simply updating to the latest version.

    The vulnerability is in a file called xmlrpc.php, which both CMSs use for remote posting (e.g. pingbacks and trackbacks). Most custom WordPress sites do not use this feature. Therefore, for most sites, a quick and relatively foolproof solution is simply to block the file outright by adding the following code to your .htaccess file.

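    # Refuse every web request for xmlrpc.php.
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" instead.
    <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
    </Files>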

    I live under a rock, what happened?!

    If you haven’t already heard what’s happening, WordPress versions 3.5–3.9 and Drupal versions 6.x–7.x were discovered to be vulnerable to a well-known technique, the XML Quadratic Blowup Attack. This type of attack could take down entire websites almost immediately.
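A quadratic blowup works by declaring one long XML entity and referencing it many times, so a small request expands to roughly (entity length × reference count) characters inside the parser. As an added example (not from the original post and not WordPress or Drupal code), this Python check estimates that expanded size from a request body before any XML parser sees it; the function names, thresholds and sample documents are constructed assumptions.

```python
import re

# Internal general entities: <!ENTITY name "value"> or <!ENTITY name 'value'>
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([\w.:-]+);')


def declared_entities(xml_text):
    """Map each declared entity name to its replacement text."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ENTITY_DECL.finditer(xml_text)}


def expanded_size(xml_text):
    """Estimate the document body's length after entity expansion, without parsing."""
    entities = declared_entities(xml_text)
    # Text after the DOCTYPE internal subset ("]>") is the document body.
    end = xml_text.find("]>")
    body = xml_text[end + 2:] if end != -1 else xml_text
    size = len(body)
    for ref in ENTITY_REF.finditer(body):
        value = entities.get(ref.group(1))
        if value is not None:
            size += len(value) - len(ref.group(0))
    return size


def is_blowup(xml_text, max_ratio=10, max_chars=1_000_000):
    """True if expansion exceeds the budget (limits here are assumed values)."""
    # Nested entity values are not resolved here; refuse them outright.
    if any("&" in v for v in declared_entities(xml_text).values()):
        return True
    size = expanded_size(xml_text)
    return size > max_chars or size > max_ratio * len(xml_text)


# Constructed samples, kept small: an ordinary XML-RPC call, and a document
# that declares one 200-character entity and references it 200 times.
BENIGN = ('<?xml version="1.0"?><methodCall>'
          '<methodName>system.listMethods</methodName></methodCall>')
SAMPLE_BLOWUP = ('<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY a "%s">]>'
                 '<methodCall><methodName>%s</methodName></methodCall>'
                 % ("A" * 200, "&a;" * 200))

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("blowup", SAMPLE_BLOWUP)):
        print(name, len(doc), expanded_size(doc), is_blowup(doc))
```

XML-RPC request bodies normally carry no DOCTYPE at all, so a stricter filter can simply reject any body that declares one.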

    The issue seems to be under control and well communicated via social media and the blogosphere. Just make sure you’ve updated and implemented our alternative solution for those trickier situations.

    Have you had any abnormal experiences due to this vulnerability? Was your site hurt or taken down? Share your story in the comments; we’d love to chat more.