You’ve heard of the recent Heart Bleed bug no doubt.
We all know that your WordPress website login should always be encrypted and secure via SSL (https://), right? If we login via https we think we were safe.
Unfortunately, the Heart Bleed bug brings unwelcome news for all of us. It’s a bug on the most widely used SSL encryption software on Linux and Unix based servers.
What Is the Heart Bleed Bug?
I’ll save you the complex and intricate technical details about on how the bug is exploited but here is a brief explanation of the flaw. In short, the Heart Bleed bug is a vulnerability that allows a TLS connection to exploit the Heartbeat extension of OpenSSL. A user can deliberately use a TLS connection seeking to exploit the bug and view up to 64 kilobytes of data at a time from the servers memory used for the OpenSSL heartbeat.
The OpenSSL software package was announced to be vulnerable on April 7, 2014. However, this software has had the vulernability since March 14, 2012.
What Does the Heart Bleed Bug Mean to You and Your Website?
Basically, any login to a website through SSL certificates generated with the now buggy OpenSSL software versions would have been exposed to the Heart Bleed bug vulnerability.
Before you run to change your website and account passwords. Stop, take a deep breath and consider this…
Your websites and account logins (if using a Linux or unix server) were most likely affected. However, the likelihood of a hacker exploiting the bug and finding your login information is not very high in most cases.
The possibility is low but enough to realistically worry whether any of your logins have been compromised and stored by a hacker somewhere in the web who may later use it. Unfortunately, there is no realistic way to find out.
If you do host your websites outside from TheWPValet and its partners, then please do take the appropriate measures indicated below to secure your logins and let us know if you need any further information or help. We will gladly assist you through the process. We will help all our customers get through this one!
TheWPValet customer systems and logins were not affected. Those accounts and logins remain secured with us and WPEngine.
I would like to point out that our partner WPEngine was not affected by the Heart Bleed bug because they were using OpenSSL version 0.9.8k all along. Big ups to WPEngine!
Now some of the grittier information…
For those of you who have not had the pleasure of hosting your websites with TheWPValet and WPEngine, your websites and account logins (if using a Linux or unix server) were likely affected.
What Actions You Should Take
So, in the name of best practice security for your websites and account logins, here is a step by step guide to appropriate actions to help mitigate the Heart Bleed bug effects:
1. Before you change any passwords, contact your Server Administrator or Web Host and ask them what they have done to mitigate the Heart Bleed bug. What they should have already done is update the OpenSSL software package with the security patch made available on April 7, revoke all certificates created with the OpenSSL software, and generate new certficates with the patched software. All certificates created with the vulnerable OpenSSL will need to be generated again with the patched software. This includes CSR’s and private keys for all your TLS certificates including SSL’s.
2. Bare in mind that you will need the actual web server IP address if you are using a CDN like cloudflare or load balancers. You can verify that the web server for any website has been patched by checking with these online tools:
3. If you have a CA (Certificate Authority) signed SSL, you will need to revoke it as well. Once you have verified that the sites webserver is no longer vulnerable, generate a new CSR and private key to request a re-issue of your SSL certificate from the CA company you bought the SSL from.
4. Once you have the new SSL certificate delivered, you must get that installed for your website.
5. Finally, update all login passwords.
Further Heart Bleed Bug Reading
Here are some useful articles worth reading on the subject.
All this may seem unnecessary to many of us since, after all, the odds of having a compromised login in a hackers hands is akin to winning the lottery.
Or is it?
Unfortunately the odds might also just be a small lottery win and not the Jackpot.
This post was written by Andre Brongniart – WP Valet Systems Engineer