From the support desk: Keeping sites protected with auto updates

Our WordPress Hosting comes with automatic updates, not just for WordPress core but also plugins that use the standard WordPress update system. This means that when a security vulnerability occurs in a plugin and the author releases an update, you don’t have to do anything and automatically gain the benefits of being on the latest version.

An example of how important auto-updates are for our users is a recent vulnerability in Simple 301 Redirects Addon Bulk Uploader. This plugin, an add-on to the very popular Simple 301 Redirects, allows clients to upload a CSV file with details of their redirects. 

Unfortunately, the plugin had an issue where anyone could upload a CSV file and it would be processed. This means a bad actor could upload a CSV containing malicious redirects, sending site visitors to malware or other unsavoury sites.

The flaw was found in late July and the developers of the plugin quickly patched and released a new version. On August 10th the vulnerability was made public. This delay is part of what is known as responsible disclosure: the finder of the issue waited until the plugin was patched before releasing details.

In the meantime our Managed Hosting auto-updated to the latest version. Someone looking closely at the plugin’s changes might have noticed the reason for the update, but otherwise things carried on as normal. It was just an entry in your WordPress updates log.

The post announcing the vulnerability was published on Saturday and by Monday morning there were reports on Twitter and in the UK WP Community Slack that sites were being affected across the internet. 

Whenever we hear of a vulnerability, our WordPress team’s first job is to evaluate it: how bad is it, will it affect our clients, and how difficult is it to exploit?

Our next step is to protect our clients, in this case by adding firewall rules. This can be complicated: a CSV upload might be genuine, and at the firewall we simply don’t know whether the user should have been authenticated. We could build something in, but this is a band-aid; the real solution is to get everyone on to the latest version as quickly as possible.

Internally we have tooling built by our most recent WordPress support specialist Dan to search across all sites on our platform and let us know if a particular plugin is installed, if it’s active, and its version. Looking across our sites, all but one was on the latest (patched and secure) version.

One of our specialists checked the site not on the latest version, and sure enough it had been hacked. We quickly contacted the client and began cleaning up. An investigation showed that the site had switched auto-update off for fear of the site breaking.

For the updated sites, we used wp-cli to quickly check the 301_redirects option and make sure there was nothing inappropriate in the array. Happily none of the sites had been exploited before they were updated.
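The check described above, as an added example (this is not the post’s own tooling or the plugin’s code): the `301_redirects` option name is from the post, while the `wp option get … --format=json` invocation, the `jq` pipeline and the "source destination" line format fed to the function are assumptions. It flags any redirect whose destination is not a same-site path or a URL on the site’s own host.

```shell
#!/bin/sh
# Added example: flag off-site destinations in a Simple 301 Redirects array.
# Input lines are "source destination" pairs, one redirect per line.
#
# Assumed wp-cli invocation on a live site (not taken from the post):
#   wp option get 301_redirects --format=json \
#     | jq -r 'to_entries[] | "\(.key) \(.value)"' \
#     | flag_offsite_redirects example.com
#
# Arguments: $1 = the site's own hostname (e.g. example.com).
# Output: "source -> destination" for each entry that points off-site.

flag_offsite_redirects() {
    site_host="$1"
    awk -v site="$site_host" '
        NF >= 2 {
            dest = $2
            # A relative path (but not a protocol-relative //host) stays on-site.
            if (dest ~ /^\// && dest !~ /^\/\//) next
            host = dest
            sub(/^[a-zA-Z][a-zA-Z0-9+.-]*:\/\//, "", host)  # strip scheme://
            sub(/^\/\//, "", host)                          # or leading //
            sub(/[\/:?#].*$/, "", host)                     # keep host only
            host = tolower(host)
            # Anything not on our host (with or without www.) is suspicious,
            # including bare hostnames and odd schemes such as javascript:.
            if (host != site && host != "www." site) print $1 " -> " dest
        }'
}
```

Entries printed by the function are the ones to review by hand; an empty result means every destination resolves to the site’s own host.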

For all but one of our clients, nothing happened today and they just got on with their day as normal. For our team, we had an hour’s flurry of activity before getting back to our normal day. For one of our clients, one of our WordPress support specialists is helping to get their site back up and running. We will be encouraging them to enable auto-updates on their site in future.

Auto-updating is a standard feature of our WordPress Hosting. By default we automatically update WordPress core and plugins that use the default WordPress system, i.e. anything from but also popular premium plugins like Gravity Forms.