Tech news feeds have been on fire these past 24 hours, after a major vulnerability was found that could take down WordPress and Drupal sites.
Big deal factor: WordPress alone powers 23% of the entire Web!
Both CMSs have already issued patches for their applications. However, if you haven’t updated to the latest version, or if WordPress hasn’t done it automatically, then you should probably do it now.
Go ahead, I’ll wait…
If you’re like us and many others, you might have a customized WordPress installation, complicated plugin arrangements, or many simultaneous WordPress sites that make updating a difficult and dangerous process.
This requires more TLC than simply updating to the latest version.
The vulnerability lies in a file called xmlrpc.php, which both CMSs use for remote posting (e.g. pingbacks and trackbacks). Most custom WordPress sites do not use this endpoint at all, so for most sites a quick and relatively foolproof solution is simply to block access to the file outright by adding the following to your .htaccess file:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
I live under a rock, what happened?!
If you haven’t already heard what’s happening, WordPress versions 3.5–3.9 and Drupal versions 6.x–7.x were found to contain an XML-parsing vulnerability that can be exploited with the well-known XML Quadratic Blowup attack. An attack of this kind can take down an entire website almost immediately.
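For a site that cannot simply block xmlrpc.php, the same class of attack can be caught on the way in. The guard below is an added example (not code from the original post or from either CMS): it estimates how large an XML-RPC body would become once its internal entities were expanded, and refuses it before any real parser touches it. The function names, the size limit and the two sample requests are assumptions constructed for this illustration.

```python
import re

# A quadratic blowup is one large internal entity referenced many times, so
# the figure to watch is len(entity value) * number of references. This guard
# computes that figure from the raw text and never expands anything itself.
# Assumed limit (not from the post): 1 MB expanded size for a pingback call.
MAX_EXPANDED_BYTES = 1_000_000

DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[(.*?)\])?\s*>', re.DOTALL)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')


def estimate_expansion(xml_text):
    """Return (estimated_expanded_bytes, number_of_internal_entities)."""
    m = DOCTYPE.search(xml_text)
    if not m or not m.group(1):
        return len(xml_text), 0          # no internal DTD: nothing can expand
    entities = {}
    for name, dq, sq in ENTITY_DECL.findall(m.group(1)):
        entities[name] = dq or sq        # findall gives '' for the unused quote group
    body = xml_text[m.end():]
    expanded = len(body)
    for name, value in entities.items():
        refs = body.count('&' + name + ';')
        # each '&name;' (len(name) + 2 bytes) is replaced by the entity value;
        # entity values are treated literally, so nested definitions are undercounted
        expanded += refs * (len(value) - len(name) - 2)
    return expanded, len(entities)


def check_request(xml_text, limit=MAX_EXPANDED_BYTES, allow_dtd=False):
    """Classify a request body as 'ok', 'reject-doctype' or 'reject-expansion'.

    An XML-RPC method call never needs a DTD, so the default policy refuses any
    DOCTYPE outright; allow_dtd=True falls back to the expansion estimate only.
    """
    if not allow_dtd and DOCTYPE.search(xml_text):
        return 'reject-doctype'
    expanded, count = estimate_expansion(xml_text)
    if count and expanded > limit:
        return 'reject-expansion'
    return 'ok'


# Constructed samples: a normal pingback call, and one whose DTD defines a
# 200-byte entity that the body references 500 times (about 100 KB expanded).
SAMPLE_OK = ('<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
             '<params><param><value><string>http://example.com/a</string></value>'
             '</param></params></methodCall>')
SAMPLE_BLOWUP = ('<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY big "'
                 + 'A' * 200 + '">]><methodCall><methodName>pingback.ping</methodName>'
                 '<params><param><value><string>' + '&big;' * 500
                 + '</string></value></param></params></methodCall>')
```

Run this check on the raw request body before handing it to the XML-RPC parser; with the default policy a DOCTYPE alone is enough to reject, which is what a pingback endpoint that only ever receives method calls should do.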
The issue seems to be under control and well communicated via social media and the blogosphere. Just make sure you’ve updated (or, for those trickier situations, implemented our alternative solution).
Have you had any abnormal experiences due to this vulnerability? Was your site hurt or taken down? Share your story in the comments; we’d love to chat more.