news: WordPress Security Updates & What You Need to Know
February 8, 2022

WordPress Security Updates & What You Need to Know

The Importance of Cybersecurity 

Normally, scoring an 8 out of 10 isn’t bad. That’s an A or an A- by most academic standards. 

Unfortunately, when the United States Government National Vulnerability Database starts awarding your software 8.8s and even 9.8s for critical exploitable vulnerability, that isn’t the case. 

Such was WordPress’s unfortunate example early in January when an outsider discovered a series of potentially devastating flaws in the WordPress core itself. These oversights – if left alone – might have led to millions of users having their private information stolen. 

Thankfully, WordPress has since announced that they have patched the vulnerabilities, and you can rest assured that our digital team has already updated and safeguarded our WordPress developments, too. But the affair highlights the importance of a thorough process and having the right cybersecurity in place. Let’s start from the beginning. 


What Is WordPress?  

WordPress is an open-source content management system used in the construction of websites. Evolving out of a blog publishing system, WordPress now supports other web content types such as mailing lists, forums, media galleries, membership sites, learning management systems, and online stores. Because of its plugin architecture and template system, WordPress is extremely flexible and easy to use, which has led to widespread popularity. As of October 2021, a massive 42.8% of the top ten million websites use WordPress in some capacity

Given its versatility, WJ’s digital team uses WordPress frequently. To date, we have delivered over 40 websites to satisfied clients based around the WordPress framework – Energy Resourcing, the Central Alberta Child Advocacy Centre, and STARS Air Ambulance among them. 


What Happened With WordPress?

Four main issues were discovered in the WordPress core: 

  • SQL Injection due to improper sanitization in WP_Meta_Query 
  • SQL Injection through WP_Query or plugins or themes used in certain ways 
  • Authenticated Object Injection in Multisites 
  • Stored XSS through authenticated users 

If you didn’t understand that, that’s okay – chances are you aren’t a digital developer. Fortunately, we happen to have a skilled team of devs on hand at WJ, including our Director of Digital and Technology Jason Kessler. He translated the above: 

“SQL stands for Structured Query Language. This basically means it is used to query data contained in a database. While it has many more uses, for the everyday user it would mostly concern a username and password. SQL injection is a method of taking SQL and using it to maliciously attack a website in an attempt to tamper with data, spoof identities, or steal information. Normally, SQL is completely deleted to prevent this from happening, but the WordPress core was discovered to be improperly sanitizing its records. To the right parties, this essentially left the keys in the ignition to millions of websites.” 

So, hackers could have potentially had access to immense amounts of data stored within websites using WordPress databases – personal information, financial details, medical records, browsing habits, you name it.  



What Caused the Problem?

Like any digital developer, the people behind WordPress try to keep to a steady release schedule. Version 5.9 of WordPress was scheduled for release in 2021. There was great expectation surrounding the release, as 5.9 promised to allow users full site block editing capabilities. This would essentially allow complete customization of every aspect of a website, something WordPress’s template-based system had previously been criticized for. 

However, the team ran into problems and had to postpone the release. With such high demand, they were pushed hard to meet the deadline. They continued to barrel forward, even when their own developers began raising large red flags about possible security concerns.  

Essentially, they fell victim to this familiar Venn diagram:


The Takeaway

So, what’s the lesson we can learn from this whole situation?  

These circumstances show the importance of a solid foundation when constructing digital developments. There is a world of hostile parties out there looking to steal and exploit. Fortunately, in this scenario, the threat was removed before any serious damage was done. However, the potential for disaster remains in the future when corners are cut.  

We never cut corners at WJ. We deliver quality websites that are attractive, functional, and – of course – secure. We even offer ongoing security audits and patches in order to protect your data and keep your site compliant with due diligence requirements. If your company is looking to update your online presence, our digital team is always here to help you design something special.