HeartBleed: Serious as a Heart Attack
At Whispering Woods, we specialize in WordPress websites. So when we hear news that affects WordPress websites, we want to let our customers know about it. The HeartBleed OpenSSL bug is that kind of news.
On April 7, 2014, a major vulnerability was uncovered in the OpenSSL library. OpenSSL is what most websites use to allow their visitors to connect securely and encrypt their data. The bug has been dubbed HeartBleed. How serious is it? Serious as a bleeding heart. On a scale of 1 to 10, this is an 11.
The HeartBleed bug allows attackers to read up to 64k of memory on the web server. That means an attacker can read your server’s memory and pluck out usernames, passwords, and the secret keys of your SSL encryption to crack secure communications and access other sensitive information.
What does this mean to me?
If you do not run a WordPress site that uses HTTPS (which lets your users connect securely using their web browser) then you don’t have to worry about this. You can test your site by running the HeartBleed Test.
However, if you do have HTTPS enabled on your WordPress site, you need to respond to this threat immediately. Here is what you need to do about HeartBleed as a WordPress site owner running on a third-party shared web host using HTTPS:
Check with your WordPress hosting provider to find out 2 things:
- Were they vulnerable to HeartBleed?
- Have they fixed it?
If your WordPress hosting provider was vulnerable to HeartBleed, then you need to ask them if they have revoked and reissued their SSL/TLS site certificates. They need to do this because the SSL/TLS private keys for your site may have been read from server memory and compromised.
If your WordPress hosting provider was vulnerable to HeartBleed, then you need to change all admin passwords on your site, because your server memory was temporarily readable and an attacker may have read passwords from it.
If you run your own WordPress site and have access to the operating system, then you should see the official HeartBleed vulnerability announcement on openssl.org.
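For site owners with shell access, the checks above can be scripted. The following is an added example, not code from the original article or from the OpenSSL project: it classifies the first line of `openssl version` output against the upstream affected releases and flags certificates issued before the disclosure date. The function names and sample inputs are assumptions constructed for illustration.

```python
import re
import ssl

# Public disclosure date given in the article (April 7, 2014).
DISCLOSURE = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")
_BANNER = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]?)(?:-(beta\d+))?")


def openssl_status(banner):
    """Classify the first line printed by `openssl version`.

    Upstream releases 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the bug;
    1.0.1g and 1.0.2-beta2 fix it; 0.9.8 and 1.0.0 never had it.
    """
    m = _BANNER.search(banner)
    if not m:
        return "unknown"
    base, letter, beta = m.groups()
    if base == "1.0.1":
        # Distributions often backported the fix without changing the
        # letter, so "affected" here means: confirm the package patch level.
        return "affected" if letter < "g" else "patched"
    if base == "1.0.2" and beta == "beta1":
        return "affected"
    return "not-affected"


def key_needs_replacing(banner, cert_not_before):
    """True when the certificate was issued before disclosure on a server
    whose OpenSSL is, or (after patching) was, in an affected release line.

    cert_not_before uses the ssl.getpeercert() 'notBefore' text format.
    """
    exposed_line = openssl_status(banner) in ("affected", "patched")
    issued = ssl.cert_time_to_seconds(cert_not_before)
    return exposed_line and issued < DISCLOSURE


# Constructed sample pairs (banner, certificate notBefore), not real servers.
SAMPLES = [
    ("OpenSSL 1.0.1e 11 Feb 2013", "Jan 15 00:00:00 2014 GMT"),
    ("OpenSSL 1.0.1g 7 Apr 2014", "Jan 15 00:00:00 2014 GMT"),
    ("OpenSSL 1.0.1g 7 Apr 2014", "Apr 10 00:00:00 2014 GMT"),
    ("OpenSSL 0.9.8y 5 Feb 2013", "Jan 15 00:00:00 2014 GMT"),
]

if __name__ == "__main__":
    for banner, not_before in SAMPLES:
        print(banner, "|", openssl_status(banner), "|",
              key_needs_replacing(banner, not_before))
```

A patched server with an old certificate is still flagged, because upgrading OpenSSL does not undo a key that may already have been read. A certificate dated after disclosure does not prove the key pair was changed or the old certificate revoked, so the questions for the hosting provider still apply.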
Please give us a call at 434-882-7638 if you have any concerns or questions about the security of your website.