Wordfence Plugin: Saving the Internet One Security Flaw at a Time

On the second of September this year, without most of the world knowing, one of the most significant threats to internet security was discovered. While business continued as usual for most, the good folks over at Wordfence uncovered a major security flaw that had the potential to throw a significant portion of the internet into complete disarray.

Five days after the Wordfence security plugin identified the vulnerability, a solution was issued to tackle the problem immediately. By the 21st of September, sites were no longer under threat and the investigation was concluded.

This information has only recently been disclosed, but consumers want to know how they can protect themselves against a similar attack.

For our clients reading this – don’t sweat it. Sites built on WordPress with Excite Media are safe and sound. Our sites are built using the Wordfence plugin to make sure your site security is as defensible as possible.

How the Internet was almost shut down

As we said, the potential security flaw was logged at the beginning of September by a WordPress plugin called Wordfence. Wordfence is a tool installed on WordPress websites that provides cyber security to users. Wordfence limits bot traffic and disables suspicious attempts to hack into or log in to websites with the plugin installed. At Excite Media, we utilise Wordfence widely to protect our clients’ sites.

At the time of discovering the security flaw, according to their blog, Wordfence was trawling through other third-party WordPress plugins for security vulnerabilities. They found a weakness in WordPress’ auto-update function that an attacker could have taken advantage of and, with a single hack, brought down over a quarter of the Internet.

The simple guide to what Wordfence found

Within a WordPress website, the server api.wordpress.org issues automatic updates. Each WordPress installation regularly checks this server for new updates to plugins, themes or WordPress itself. If updates need to happen, the server notifies the user and provides a URL to install the new software.

All of this sounds like a simple and manageable system until you propose the idea that a different URL is provided to users to accompany update notices – a URL which leads webmasters and site managers to a location that once accessed exposes the security flaws of their own site.

An attack could occur on potentially all WordPress sites with a single hack, simply by providing a URL that threatens the site. Not only this, but WordPress trusts any URL that is entered, with no verification needed, which makes compromising that security that much easier. Needless to say, the WordPress development team will be working hard to make sure this doesn’t happen again.
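The kind of verification described above as missing can be sketched from the defender's side. This is an added example, not code from WordPress or Wordfence: it vets the URL in an update notice and then the downloaded archive. The notice layout, the trusted host list and the idea of a digest obtained through a separate channel are assumptions, and all sample values are constructed.

```python
import hashlib
from urllib.parse import urlsplit

# Assumption: the only host this site operator expects packages to come from.
TRUSTED_HOSTS = {"downloads.wordpress.org"}

# Constructed sample data standing in for a real archive and its known digest.
SAMPLE_ARCHIVE = b"constructed archive bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()

def check_package_url(url):
    """Return (ok, reason) for a package URL taken from an update notice."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    # "https://trusted-host@other-host/" puts the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match only: a suffix or substring test would accept
    # "downloads.wordpress.org.example.net".
    host = (parts.hostname or "").rstrip(".")
    if host not in TRUSTED_HOSTS:
        return False, "untrusted host"
    return True, "ok"

def vet_update(notice, archive, pinned_sha256):
    """Accept an update only if both the URL and the archive bytes check out."""
    ok, reason = check_package_url(notice.get("package", ""))
    if not ok:
        return False, reason
    # The digest must come from a channel other than the update server,
    # otherwise whoever controls that server controls the digest too.
    if hashlib.sha256(archive).hexdigest() != pinned_sha256.lower():
        return False, "digest mismatch"
    return True, "ok"

if __name__ == "__main__":
    for url in ("https://downloads.wordpress.org/plugin/example.1.2.zip",
                "http://downloads.wordpress.org/plugin/example.1.2.zip",
                "https://downloads.wordpress.org@updates.example.net/x.zip",
                "https://downloads.wordpress.org.example.net/x.zip"):
        print(url, vet_update({"package": url}, SAMPLE_ARCHIVE, SAMPLE_DIGEST))
```

A host allowlist only narrows where a package may come from; the digest check is what ties the bytes to something the update server cannot change.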

So, the internet was saved, right?

Short answer: yes. No hacking had occurred at the time Wordfence sent a confidential notification letting WordPress know of the potential breach in their security. But, alarm bells should be ringing for something so critical to be at risk.

Should hackers identify another crucial security flaw in the WordPress system, they could easily dismantle all WordPress sites, which now have a market share of 27% of websites internationally. Wordfence writes about the disastrous impacts that having a security fault such as this could have. 

“A failure of this magnitude would be catastrophic for the Web,” Wordfence writes. “Furthermore, it would provide a massive attack platform for the attacker, who would control millions of web hosting accounts from which they could launch further attacks.”

Is my site at risk?

Even though Wordfence has worked incredibly hard to prevent such an attack occurring on this server, it doesn’t mean something of a similar nature couldn’t happen in the future. For Excite Media clients, we have guaranteed their protection by using Wordfence on sites developed by us.

Our Technical Director, Scott Maynard, also provides assurance that if such an attack were to occur, all Excite Media websites are completely backed up.

“If that happens then the only thing that will save us is rock solid backups. So, it’s a good reminder to make sure we always have backups in place!”