[CLOUDFLARE] New Wordpress Vulnerability - protect your customers

Post #1 (permalink)   04-25-2013, 12:49 AM
easyhostmedia (HD Wizard)

Hi

Just got this email from Cloudflare.

Quote:
CloudFlare Partners:


There is a new serious WordPress vulnerability in certain versions of two popular WordPress caching plugins, W3TC and WP Super Cache. The vulnerability allows remote PHP code to be executed locally on a server for anyone running either of the plugins. An attacker could then execute code on the infected server.


CloudFlare has applied a rule to our network which automatically protects all CloudFlare customers, including those on free plans. Details about the vulnerability are available at:


http://blog.cloudflare.com/w3tc-and-...-discove-17794

We strongly recommend advising your customers to upgrade their WP plugins immediately. As a precaution, consider enabling CloudFlare Free for any customer using WordPress, even if temporarily. We have an automated way for you to do so. Email partners@cloudflare.com if you are considering this option and we will guide you through the process.

Let me know if you have any questions,
Maria

Maria Karaivanova
Strategic Partnerships
CloudFlare maria@cloudflare.com

Twitter @mariakar | @cloudflare
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
Post #2 (permalink)   04-25-2013, 03:24 AM
1paket.com (HD Addict)

So what's your question?
__________________
Daniel Sorcik

http://www.1paket.com
 
 
 


Post #3 (permalink)   04-25-2013, 04:14 AM
easyhostmedia (HD Wizard)

Quote:
Originally Posted by 1paket.com
So what's your question?

It's not a question.

It's another warning of yet another WP vulnerability.

If you have not noticed, WP has been attacked many times recently; see "Wordpress Brute Force Attack" and "How to SECURE your WordPress website!"
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers

Last edited by easyhostmedia : 04-25-2013 at 04:32 AM.
 
 
 


Post #4 (permalink)   04-25-2013, 07:12 AM
bunnykins (HD Master)

Wow second one in a very short time. Good thing I don't use wordpress.
__________________
I use cloudweb.com and powermonster.net for hosting my site http://otakuplayground.org.
 
 
 


Post #5 (permalink)   04-25-2013, 07:31 AM
Alex - A2 Hosting (HD Guru)

That's a good thing of CloudFlare to offer such a service; then again, it's also a good way for them to get some new websites powered by CloudFlare.
__________________
A2 Hosting - Our Speed, your success.
US Web Hosting - UK Web Hosting - UK VPS Hosting
 
 
 


Post #6 (permalink)   04-25-2013, 09:01 AM
easyhostmedia (HD Wizard)

Quote:
Originally Posted by Alex - Arvixe
then again its also a good way for them to get some new websites powered by CloudFlare.

If that was the case then they would not just target WP sites.
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
 


Post #7 (permalink)   04-25-2013, 09:06 AM
bunnykins (HD Master)

I had to turn off cloudflare because it was causing issues with the arcade I run.
__________________
I use cloudweb.com and powermonster.net for hosting my site http://otakuplayground.org.
 
 
 


Post #8 (permalink)   04-25-2013, 10:07 AM
GCSolutions (HD Amateur)

With a combined download of over 5 million. Of course not knowing how many sites are still active. That would still leave a mass amount of websites opened up for possible infection.
__________________
G.C. SOLUTIONS - Hosting Quality Sites Since 2006. Experience Your Website On A Whole New Level
Build Your Own Virtual Data Center. Low Entry Cost - Free 14 Day Trial.
 
 
 


Post #9 (permalink)   04-25-2013, 10:46 AM
easyhostmedia (HD Wizard)

I would say Cloudflare has done the correct thing: they found a further vulnerability in 2 WP plugins and created patches for these, but to use the patches the sites must have CF enabled.
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
 


Post #10 (permalink)   04-25-2013, 12:27 PM
handsonhosting (HD Wizard)

Yep, definitely good news for Cloudflare customers.

With regards to W3 Total Cache (which I use on some websites), the 0.9.2.9 version was released on April 17th (8 days ago).

So while there is a vulnerability, and Cloudflare has done a great job to patch the 0.9.2.8 version - anyone who is using it is already using OUTDATED SOFTWARE. Had they updated to the 0.9.2.9 version (as released 8 days ago), then they'd already be patched and not have a problem.

Cloudflare's patch is targeted directly at people who fail to keep their plugins and software updated to the latest releases (and there's a lot of those people too!)
__________________
Emerson Nogueira
http://www.HandsOnWebHosting.com
cPanel Web Hosting, Domain Registration, Managed VPS Servers
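
Added example (not part of the thread, and not code from CloudFlare or the plugin authors): a host-side check that walks customer document roots and lists W3 Total Cache copies older than the 0.9.2.9 release mentioned in post #10. It assumes the plugin's usual directory and main file name (`w3-total-cache/w3-total-cache.php`) and the standard `Version:` plugin header; the account tree in `demo()` is constructed, and WP Super Cache is left out because the thread gives no fixed version for it.

```python
import os
import re
import tempfile

FIXED = (0, 9, 2, 9)  # W3 Total Cache release named in the thread as already patched
PLUGIN_FILE = os.path.join("wp-content", "plugins", "w3-total-cache", "w3-total-cache.php")
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)


def plugin_version(header_text):
    """Return the plugin header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".") if p) if m else None


def find_outdated(root):
    """List (path, version) for every W3TC copy under root older than FIXED."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        candidate = os.path.join(dirpath, PLUGIN_FILE)
        if os.path.isfile(candidate):
            with open(candidate, encoding="utf-8", errors="replace") as fh:
                version = plugin_version(fh.read(8192))  # headers sit in the first 8 KB
            # An unreadable version is reported too, so it gets a manual look.
            if version is None or version < FIXED:
                hits.append((candidate, version))
    return sorted(hits, key=lambda hit: hit[0])


def demo():
    """Build a constructed hosting tree with three accounts and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for account, ver in (("alice", "0.9.2.8"), ("bob", "0.9.2.9"), ("carol", None)):
            path = os.path.join(root, account, "public_html", PLUGIN_FILE)
            os.makedirs(os.path.dirname(path))
            header = "<?php\n/*\nPlugin Name: W3 Total Cache\n"
            header += f"Version: {ver}\n*/\n" if ver else "*/\n"
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(header)
        return [(os.path.relpath(p, root).split(os.sep)[0], v) for p, v in find_outdated(root)]


if __name__ == "__main__":
    for account, version in demo():
        print(account, version)
```

Pointing `find_outdated()` at the directory that holds customer home directories gives the list of accounts to notify about the upgrade.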
 
 
 


Post #11 (permalink)   04-25-2013, 12:52 PM
easyhostmedia (HD Wizard)

Quote:
Originally Posted by handsonhosting
Cloudflare's patch is targeted directly at people who fail to keep their plugins and software updated to the latest releases (and there's a lot of those people too!)

That's true, I am sick of the monthly reminders of updated scripts. I think some people have the mentality 'if it ain't broken then no need to fix'.
__________________
Terry Robertson - CEO The Easyhost Media Group
PowerSSL - - We Secure your World
The Scamlist Forum - Fighting against scammers
 
 
 