There has been a lot of press on the Heartbleed bug recently and it is scaring a lot of WordPress site owners/admins. Since we have a popular security plugin, we are getting a lot of questions about this. So, in this article I will explain what the Heartbleed bug is and what you need to do on your WordPress site (if anything).
The Heartbleed bug is a newly discovered vulnerability in the popular OpenSSL cryptographic software library. This library is used to encrypt web communication (HTTPS) and is used by many companies including Google, Yahoo, Facebook etc. This vulnerability allows an attacker to steal information that SSL/TLS encryption is supposed to protect.
Here is how this bug works, in plain language:
It allows the attacker to read up to 64K of your server's memory at a time. The attacker can then pick information such as usernames, passwords, the private key, etc. out of that memory data.
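To show why a 64K memory read was possible, here is a small added model of the TLS heartbeat handler. It is not OpenSSL's code and not part of this article; it keeps only the part that matters: the peer supplies a payload length field, and the unpatched handler copied that many bytes back without checking it against the size of the record it actually received. The "server memory", the secret placed after the record and the function names are all constructed for the example. The patched handler applies the same kind of bounds check that the OpenSSL fix added.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Record layout, following RFC 6520:
 *   byte 0      type (1 = request)
 *   bytes 1..2  payload_length, big endian
 *   then        payload bytes
 *   then        at least 16 bytes of padding
 */

#define MEM_SIZE 256

/* Constructed model of server memory: the received record sits at offset 0
 * and, as on a real heap, other data happens to follow it. */
struct server_memory {
    unsigned char bytes[MEM_SIZE];
};

/* Write a heartbeat record at the start of mem. actual_len is how many payload
 * bytes are really sent; claimed_len is what the length field says.
 * Returns the real record length. */
static size_t build_record(struct server_memory *mem, const char *payload,
                           size_t actual_len, uint16_t claimed_len) {
    unsigned char *p = mem->bytes;
    p[0] = 1;
    p[1] = (unsigned char)(claimed_len >> 8);
    p[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(p + 3, payload, actual_len);
    memset(p + 3 + actual_len, 0, 16); /* padding */
    return 1 + 2 + actual_len + 16;
}

/* Unpatched behaviour: trusts the length field and copies that many bytes
 * starting at the payload, however short the record really was.
 * Returns the number of bytes echoed back. */
static size_t heartbeat_unpatched(const struct server_memory *mem, size_t record_len,
                                  unsigned char *out, size_t out_cap) {
    const unsigned char *p = mem->bytes;
    size_t payload = ((size_t)p[1] << 8) | p[2];
    (void)record_len; /* the real record length is never consulted: that is the bug */
    /* Demo safety limit only: our "memory" is a 256-byte array, so stop at its end.
     * OpenSSL had no such limit and would read up to 65535 bytes. */
    size_t limit = MEM_SIZE - 3;
    if (limit > out_cap) limit = out_cap;
    if (payload > limit) payload = limit;
    memcpy(out, p + 3, payload); /* reads past the record into adjacent memory */
    return payload;
}

/* Patched behaviour: the claimed length must fit inside the received record,
 * otherwise the request is silently discarded (returns 0). */
static size_t heartbeat_patched(const struct server_memory *mem, size_t record_len,
                                unsigned char *out, size_t out_cap) {
    const unsigned char *p = mem->bytes;
    if (1 + 2 + 16 > record_len) return 0;           /* no room for header and padding */
    size_t payload = ((size_t)p[1] << 8) | p[2];
    if (1 + 2 + payload + 16 > record_len) return 0; /* length field lies: discard */
    if (payload > out_cap) return 0;
    memcpy(out, p + 3, payload);
    return payload;
}

/* Returns 1 if `secret` appears anywhere in the echoed bytes. */
static int leaked(const unsigned char *out, size_t n, const char *secret) {
    size_t len = strlen(secret);
    for (size_t i = 0; i + len <= n; i++)
        if (memcmp(out + i, secret, len) == 0) return 1;
    return 0;
}

/* One scenario: a genuine 4-byte payload ("ping") whose length field claims
 * `claimed` bytes, with a constructed secret sitting just past the record.
 * Returns how many bytes the chosen handler echoed. */
static size_t run_scenario(int patched, uint16_t claimed, unsigned char *out, size_t out_cap) {
    struct server_memory mem;
    memset(&mem, 0, sizeof mem);
    size_t record_len = build_record(&mem, "ping", 4, claimed);
    const char *secret = "db_password=hunter2"; /* constructed leftover data */
    memcpy(mem.bytes + record_len, secret, strlen(secret));
    return patched ? heartbeat_patched(&mem, record_len, out, out_cap)
                   : heartbeat_unpatched(&mem, record_len, out, out_cap);
}

int main(void) {
    unsigned char out[MEM_SIZE];
    size_t n = run_scenario(0, 64, out, sizeof out);
    printf("unpatched: echoed %zu bytes, secret leaked: %s\n", n,
           leaked(out, n, "db_password=hunter2") ? "yes" : "no");
    n = run_scenario(1, 64, out, sizeof out);
    printf("patched:   echoed %zu bytes (request discarded)\n", n);
    n = run_scenario(1, 4, out, sizeof out);
    printf("patched, honest length: echoed %zu bytes\n", n);
    return 0;
}
```

Run as written, the unpatched handler echoes 64 bytes for a 4-byte payload and the constructed secret is in them; the patched handler discards the dishonest request and still answers the honest one. Nothing crashes in either case, which is why a server could be read this way repeatedly without anything showing up in its error logs.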
You can read the full details of this vulnerability on the heartbleed site.
This vulnerability can have a lot of direct and indirect impact. However, the following is what you need to know as a WordPress site admin:
If your WordPress site doesn't use HTTPS (meaning you never installed an SSL certificate on your site) then you don't have to worry about this vulnerability too much.
The majority of WordPress users do not use HTTPS on their sites, so a lot of you are probably relieved to know the above.
If you are using HTTPS on your site then you should do the following as soon as you can:
1. Contact your hosting provider and ask them if your server is affected (meaning it is using a vulnerable version of the OpenSSL library). If your server is affected then request them to upgrade the software to fix this bug. Your hosting provider is likely to be working on this already, so give them some time.
2. Contact your SSL/TLS certificate provider (in most cases this will be your hosting provider if you bought it through them) and request them to re-issue the certificate. You need to do this to ensure that a new public and private key pair is issued to you; a re-issue that reuses the old private key does not help. Otherwise, if the attacker did steal the private key, he/she can decrypt the data using that key even after you have upgraded the software.
3. Change your account password (if you haven't done so already). If you are running a membership site (where other users create user accounts on your site), you should contact your users and request them to change their passwords.
It is important that you do this step only after you have done steps 1 and 2. Until the software is upgraded and the SSL certificate is replaced, any new passwords are in the same danger of being stolen as the old ones.
I hope the above info helps you take action on your WordPress site. Please leave a comment below if I have missed anything.