You may have read about the recently discovered security vulnerabilities in two WordPress plugins - YellowPencil Visual Theme Customizer and Yuzo Related Posts. Both vulnerabilities have been publicly disclosed and are currently being widely exploited. If you are hosted by ICDSoft, you are protected, but we still recommend that you check the tips at the end of the article. If not, or if you want to know more on these vulnerabilities, you can find details at:
https://blog.sucuri.net/2019/04/attacks-on-closed-wordpress-plugins.html
https://www.pluginvulnerabilities.com/2019/04/09/recently-closed-visual-css-style-editor-wordpress-plugin-contains-privilege-escalation-vulnerability-that-leads-to-option-update-vulnerability/
At the time of publishing this post, both plugins have the status "closed" at WordPress.org:
https://wordpress.org/plugins/yuzo-related-post/
https://wordpress.org/plugins/yellow-pencil-visual-theme-customizer/
The developer of Yuzo Related Posts recommends that you remove the plugin and states that a new version will be released in the future.
A new version of YellowPencil was just made available on the developer's web site. However, as the plugin has the "closed" status on WordPress.org, you cannot install the updated version via your WordPress Dashboard. Should you decide to continue using the plugin, and you are not hosted by ICDSoft, you can patch the plugin manually.
If you are hosted elsewhere, and you intend to continue using these plugins, there are third-party web security services and plugins that can protect you against these particular attacks. If using such a plugin, be sure that it is updated to the current version.
In case you are using our web hosting services, you are protected on the server level. When we detected that these plugins were targeted by hackers, we added Apache ModSecurity rules that prevent future attacks.
Of course, it would be best not to rely solely on your web hosting provider to keep you protected. You should take steps to harden the security of your site, if you have not done so already. We would like to remind everyone of the following important recommendations that will help you prevent the hacking of your WordPress installation. They are also valid for any other popular software package that you may run (such as Joomla, Drupal, OpenCart, etc.):
- Always keep your software updated. You must not only update your core software version (e.g. your WordPress version); you need to update your active plugins and themes as well.
- Keep only plugins that you need. Remove any plugins that you no longer actively use. This will reduce the risk of getting hacked via a known vulnerability in a plugin which you once used or just tested.
- Do not use software that is discontinued. Software packages that are no longer supported by their developers must be avoided as there will be no one to take care of securing them once a vulnerability is found.
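The three recommendations above can be checked mechanically. The script below is an added example (not part of this post, and not a tool from ICDSoft or WordPress) that audits the output of the real WP-CLI command `wp plugin list --format=json`, whose records carry the fields `name`, `status`, `update`, `version` and `update_version`. It reports plugins with a pending update, inactive plugins that are candidates for removal, and plugins whose slug is on a list of plugins closed at WordPress.org, seeded here with the two slugs named in this post. The sample JSON and its version numbers are constructed for the example and are not real plugin versions.

```python
import json
import sys
from typing import Dict, Iterable, List

# Plugin slugs this post reports as "closed" at WordPress.org. Extend this set
# from your own sources; it is not a complete list of closed plugins.
CLOSED_ON_WPORG = {"yuzo-related-post", "yellow-pencil-visual-theme-customizer"}

# Constructed sample in the shape of `wp plugin list --format=json`.
# Versions are made up for the example.
SAMPLE_WP_CLI_JSON = """
[
 {"name": "akismet", "status": "active", "update": "available",
  "version": "1.0.0", "update_version": "1.0.1"},
 {"name": "hello", "status": "inactive", "update": "none",
  "version": "1.0.0", "update_version": ""},
 {"name": "yuzo-related-post", "status": "active", "update": "none",
  "version": "1.0.0", "update_version": ""},
 {"name": "yellow-pencil-visual-theme-customizer", "status": "inactive",
  "update": "none", "version": "1.0.0", "update_version": ""}
]
"""


def audit_plugins(wp_cli_json: str,
                  closed_slugs: Iterable[str] = CLOSED_ON_WPORG) -> Dict[str, List[str]]:
    """Map WP-CLI plugin records to the three hardening checks from the post."""
    closed = set(closed_slugs)
    report: Dict[str, List[str]] = {
        "update_available": [],   # recommendation 1: keep software updated
        "inactive": [],           # recommendation 2: remove plugins you do not use
        "closed_on_wporg": [],    # recommendation 3: do not run discontinued software
    }
    for plugin in json.loads(wp_cli_json):
        name = plugin["name"]
        if plugin.get("update") == "available":
            report["update_available"].append(
                f"{name} {plugin.get('version', '?')} -> {plugin.get('update_version', '?')}")
        if plugin.get("status") == "inactive":
            report["inactive"].append(name)
        if name in closed:
            report["closed_on_wporg"].append(name)
    return report


def has_findings(report: Dict[str, List[str]]) -> bool:
    """True when any check produced a result, so a cron job can alert on it."""
    return any(report.values())


def format_report(report: Dict[str, List[str]]) -> str:
    """Render the audit as plain text, one section per check."""
    titles = {
        "update_available": "Plugins with a pending update (update them now):",
        "inactive": "Inactive plugins (remove them if you no longer need them):",
        "closed_on_wporg": "Plugins closed at WordPress.org (remove or patch manually):",
    }
    lines = []
    for key, title in titles.items():
        lines.append(title)
        lines.extend(f"  - {item}" for item in report[key]) if report[key] \
            else lines.append("  (none)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: wp plugin list --format=json | python audit_plugins.py
    # Falls back to the constructed sample when nothing is piped in.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_JSON
    result = audit_plugins(raw)
    print(format_report(result))
    sys.exit(1 if has_findings(result) else 0)
```

The script exits non-zero when any check fires, so it can be run from cron or a deployment pipeline and surface the result the same way a failing test would. Note that "closed" status is only detectable if you keep the `CLOSED_ON_WPORG` list current; WP-CLI itself does not report it.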