Version 1.4.6 of the PageLines theme and version 1.4.4 of the Platform theme were released three days ago and contain fixes for very serious vulnerabilities. If you use either one of these WordPress themes on your website, update it now.
You can update your themes by logging into your WordPress site and browsing to Dashboard > Updates
. The menu will show the familiar red notification circle if there are updates you should make.
If you’re running out of date versions of PageLines or Platform then the updates page will say so and provide controls that allow you to download and update them.
Free versions of the themes can also be downloaded manually from their respective pages on the WordPress Themes Directory and the Pro versions can be downloaded from pagelines.com.
The Updates page will also show you if your versions of the core WordPress software, plugins and other themes are up to date. Whilst you’re there you should update any that aren’t.
It’s important to act quickly because the vulnerabilities are serious.
Older versions of the Platform theme contain a remote code execution bug that could allow any attacker to completely take over a website running the vulnerable theme.
Older versions of both Platform and PageLines contain a privilege escalation bug that could allow users with an account to turn themselves into an administrator with total control of a site.
Assuming that you trust the people who have accounts to your WordPress installation the privilege escalation bug is only a problem on sites that allow unknown users to register.
Unless your site needs to allow unknown users to register it’s a good idea to turn that feature off too, which you can do by logging in to WordPress and browsing to Settings > General
and making sure the ‘Anyone can register’ box is unticked.
It’s important to update your sites quickly because of the sheer number of WordPress installations. Both these themes are reasonably popular, with over half a million downloads each.
Criminals are looking to create and make money from botnets (networks of thousands of compromised ‘zombie’ computers) which can be used to spread and control malware; can be resold as proxies; and can send millions of spam messages every week.
If an attacker can take over tens of thousands of websites by repeatedly looking for and exploiting a single vulnerability then they will.
And of course they won’t be checking websites manually – they’ll write scanners or malware ‘worms’ to seek them out, which means that vulnerabilities can be exploited extremely quickly.
The speed with which attackers can operate against large numbers of website Content Management Systems (CMSs) must now be measured in hours.
In October 2014 this was illustrated in rather stark terms by the maintainers of Drupal, the world’s second most popular CMS.
A critical patch for the core Drupal software was released on 15 October 2014, alerting Drupal users that they needed to act and patch their software but, inevitably, also tipping off potential attackers.
The first attacks began within a few hours.
On 29 October, fourteen days later, Drupal’s maintainers released a second announcement with this blunt message (my emphasis):
You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Too bad if you were asleep when the announcement came out.
WordPress is the most popular Content Management System in the world and powers around 15 to 20% of all websites.
The only WordPress sites vulnerable to these bugs are those running PageLines or Platform, which is a tiny fraction of the total of a few hundred million, but is probably still enough to create a sizable botnet capable of inflicting serious harm.
No software is perfect but WordPress’s recent security record is actually pretty good and, unlike Drupal, the core software is protected by an updater that can deploy security patches automatically.
Part of its success is down to how easy it is to extend and there are tens of thousands of free or low cost themes and plugins that can be used to extend and reskin it.
Those themes and plugins are entirely separate pieces of software created by third parties with their own development, testing and security processes.
Theme developers don’t necessarily have inferior security processes to those used by developers working on the WordPress core but they are separate and that means you need to deal with each theme and plugin on its own merits.
Perhaps most crucially the plugins and themes that make WordPress so useful aren’t yet under the protective umbrella of the automatic updater.
If you’d like to know more about protecting WordPress read our article about How to avoid being one of the “73%” of WordPress sites vulnerable to attack.