Our WordPress Hosting comes with automatic updates, not just for WordPress core but also plugins that use the standard WordPress update system. This means that when a security vulnerability occurs in a plugin and the author releases an update, you don’t have to do anything and automatically gain the benefits of being on the latest version.
An example of how important auto-updates are for our users is a recent vulnerability in Simple 301 Redirects Addon Bulk Uploader. This plugin, an add-on to the very popular Simple 301 Redirects, allows clients to upload a CSV file with details of their redirects.
Unfortunately, the plugin had an issue where anyone could upload a CSV file and it would be processed. This means a bad actor could upload a CSV containing malicious redirects, sending site visitors to malware or other unsavoury sites.
The flaw was found in late July and the developers of the plugin quickly patched and released a new version. On August 10th the vulnerability was made public. This delay is part of what is known as responsible disclosure: the finder of the issue waited until the plugin was patched before releasing details.
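To illustrate the class of flaw described above, here is an added, constructed PHP example; it is not the code of Simple 301 Redirects Addon Bulk Uploader. A hypothetical upload handler is first registered so that it runs for unauthenticated requests with no checks at all, then shown in a hardened form; `add_redirect` is an assumed helper that stores one redirect rule.

```php
<?php
// Constructed illustration of a WordPress admin-post handler for a CSV of redirects.
// Not the plugin's own code; add_redirect() is a hypothetical helper.

// BEFORE: the handler is reachable by anyone ("nopriv") and processes the file
// without any authentication, capability or nonce check.
add_action( 'admin_post_nopriv_bulk_redirect_upload', 'bulk_redirect_upload_unsafe' );
add_action( 'admin_post_bulk_redirect_upload', 'bulk_redirect_upload_unsafe' );
function bulk_redirect_upload_unsafe() {
    $rows = array_map( 'str_getcsv', file( $_FILES['csv']['tmp_name'] ) );
    foreach ( $rows as $row ) {
        add_redirect( $row[0], $row[1] ); // every row is trusted as-is
    }
}

// AFTER: only logged-in users with the right capability, only with a valid nonce,
// and only rows that survive validation are written.
add_action( 'admin_post_bulk_redirect_upload', 'bulk_redirect_upload_safe' );
function bulk_redirect_upload_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'bulk_redirect_upload' ); // dies on a missing or invalid nonce

    if ( empty( $_FILES['csv']['tmp_name'] ) || ! is_uploaded_file( $_FILES['csv']['tmp_name'] ) ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }

    $lines = file( $_FILES['csv']['tmp_name'], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES );
    foreach ( array_map( 'str_getcsv', $lines ) as $row ) {
        if ( count( $row ) < 2 ) {
            continue; // malformed row
        }
        $from = sanitize_text_field( $row[0] );
        // Only http/https targets survive; javascript: and other schemes become ''.
        $to = esc_url_raw( trim( $row[1] ), array( 'http', 'https' ) );
        if ( '' === $from || '' === $to ) {
            continue; // reject anything that did not validate
        }
        add_redirect( $from, $to );
    }

    wp_safe_redirect( admin_url( 'options-general.php?page=bulk-redirects&updated=1' ) );
    exit;
}
```

The nonce is expected to come from `wp_nonce_field( 'bulk_redirect_upload' )` in the admin form; the point of the hardened version is that an unauthenticated request never reaches the CSV parsing at all.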
In the meantime our Managed Hosting auto-updated to the latest version. Someone looking closely at the plugin’s changes might have noticed the reason for the update, but
The post announcing the vulnerability was published on Saturday and by Monday morning there were reports on Twitter and in the UK WP Community Slack that sites were being affected across the internet.
Whenever we hear of
Our next step is to protect our clients, in this case by adding firewall rules. This can be complicated: CSV uploads might be genuine, and at the firewall we simply don’t know whether the user should have been authenticated. We could build something in, but that is a band-aid; the real solution is to get everyone onto the latest version as quickly as possible.
Internally we have tooling built by our most recent WordPress support specialist Dan to search across all sites on our platform and let us know if a particular plugin is
One of our specialists checked the site
For the updated sites, we used wp-
For all but one of our clients, nothing happened today and they just got on with their day as normal. Our team had an hour’s flurry of activity before getting back to the normal day. For one of our clients, one of our WordPress support specialists is helping to get their site back up and running. We will be encouraging them to enable auto-updates on their site in future.
Auto-updating is a standard feature of our WordPress Hosting. By