Is My WP Site Vulnerable To WordPress Yoast SEO Hack?

Yoast SEO Version Older Than 1.7.4 Should Be Updated Immediately

According to Yoast and Wordfence, there is a vulnerability in every version of the “WordPress SEO by Yoast” plugin older than 1.7.4. For most people it is not a real problem as long as you have been maintaining your site and installing plugin updates promptly.

What is the risk to my WordPress Website?

Without getting too technical: the flaw sits in an admin-only part of the plugin and can only be triggered through cross-site request forgery (CSRF). In plain English, an attacker cannot hit your site directly; they have to trick an administrator who is logged in to the site into loading a crafted link (from an e-mail, a forum post or another web page), and the administrator's own browser then sends the malicious request to the site with the admin's login cookies attached. That makes it harder to exploit than a flaw anyone on the internet can reach anonymously, but harder is not impossible, so treat it as something to patch rather than ignore. For our managed website clients at DIR Incorporated it is a non-issue, because they are already running the test version ahead of the 1.7.4 update, the Yoast 2.0 RC beta.
Yoast SEO 2.0 RC - Beta Update
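To make the CSRF point concrete, here is an added illustration written for this article, not code from the Yoast plugin or from WordPress core. It shows the weak pattern (an admin-only handler that changes state on a plain request) next to the way WordPress plugins are supposed to protect such actions, with a nonce. The function names, option name and `dir_demo` page slug are hypothetical; `example.com` is a placeholder for your own site.

```php
<?php
// Added example for this article; generic WordPress code, NOT the Yoast plugin's.
// Function, option and page names (dir_demo_*) are hypothetical.

// --- Weak form -------------------------------------------------------------
// An admin page that acts on a request parameter with no proof that the
// logged-in admin intended the request. Any page the admin happens to visit
// can embed
//   <img src="https://example.com/wp-admin/admin.php?page=dir_demo&reset=1">
// and the admin's browser will send it, login cookies included.
function dir_demo_weak_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // a capability check alone does not stop CSRF: the victim IS the admin
    }
    if ( isset( $_GET['reset'] ) ) {
        update_option( 'dir_demo_setting', 'default' ); // state change driven by a forged request
    }
}

// --- Hardened form ---------------------------------------------------------
// Every link that changes state carries a nonce bound to the current user's
// session and to this specific action; the handler refuses anything without one.
function dir_demo_settings_link() {
    $url = admin_url( 'admin.php?page=dir_demo&reset=1' );
    // wp_nonce_url() appends _wpnonce=<token> tied to the 'dir_demo_reset' action.
    return wp_nonce_url( $url, 'dir_demo_reset' );
}

function dir_demo_hardened_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    if ( isset( $_GET['reset'] ) ) {
        // check_admin_referer() verifies _wpnonce for this action and stops the
        // request with wp_die() if it is missing or wrong. A link forged on
        // another site cannot carry a valid token, because the token is derived
        // from the victim's own session and the action name.
        check_admin_referer( 'dir_demo_reset' );
        update_option( 'dir_demo_setting', 'default' );
    }
}
add_action( 'admin_init', 'dir_demo_hardened_handler' );
```

The nonce is what closes the hole: the attacker can guess the URL but not the token. State-changing actions should also be sent with POST rather than GET where possible, and WordPress nonces expire after 24 hours, so a captured link does not stay useful for long.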

So Who Might Be At Risk?

Website owners who had a WordPress site built without a managed-support arrangement, and who have since stopped maintaining it themselves, are at greater risk. While the issue is not critical and Yoast has already shipped the fix in 1.7.4, the vulnerability is getting a lot of press on sites like Search Journal, which means increased awareness among attackers. News like this spreads quickly as attackers dig into the details and start scanning for sites that have not updated.
Here is the latest version of the Yoast SEO 1.7.4 plugin; we highly recommend you update now.
Yoast SEO 1.7.4 update vulnerability fixed

WordPress.org forced an automatic update for many

Because of the potential severity of the issue, the WordPress.org team pushed a forced automatic update. If you had not specifically disabled automatic updates, then:

  • If you were running 1.7 or higher, you will have been auto-updated to 1.7.4.
  • If you were running 1.6.*, you will have been updated to 1.6.4.
  • If you were running 1.5.*, you will have been updated to 1.5.7.

If you are on anything older than 1.5, the update could not be pushed to you automatically; you should update for many reasons beyond this one, and you should move to 1.7.4 as soon as you can in any case.
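If you want to check a site yourself rather than trust that the push arrived, the following added example (written for this article, not Yoast's or WordPress.org's code) turns the branch table above into a check: given an installed version string it returns the fixed release for that branch and whether the installed version already has the fix. The `dir_yoast_*` function names are hypothetical; `wordpress-seo/wp-seo.php` is the plugin's main file in the WordPress.org directory.

```php
<?php
// Added example for this article (not Yoast's or WordPress.org's code).
// Function names (dir_yoast_*) are hypothetical.

/**
 * Fixed release for the branch $version belongs to, per the forced-update table:
 * 1.7.x -> 1.7.4, 1.6.x -> 1.6.4, 1.5.x -> 1.5.7. Returns null for branches that
 * were too old to receive a pushed fix (anything before 1.5).
 */
function dir_yoast_fixed_release( $version ) {
    if ( version_compare( $version, '1.7', '>=' ) ) {
        return '1.7.4';
    }
    if ( version_compare( $version, '1.6', '>=' ) ) {
        return '1.6.4';
    }
    if ( version_compare( $version, '1.5', '>=' ) ) {
        return '1.5.7';
    }
    return null;
}

/** True when $version already contains the fix for its branch. */
function dir_yoast_is_patched( $version ) {
    $fixed = dir_yoast_fixed_release( $version );
    return $fixed !== null && version_compare( $version, $fixed, '>=' );
}

/**
 * Read the installed version from the plugin header. Only works inside a
 * WordPress install (uses WP_PLUGIN_DIR and get_plugin_data()).
 */
function dir_yoast_installed_version() {
    $file = WP_PLUGIN_DIR . '/wordpress-seo/wp-seo.php';
    if ( ! file_exists( $file ) ) {
        return null; // plugin not installed
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data( $file, false, false ); // no markup, no translation
    return $data['Version'];
}

// Constructed sample versions so the logic can be exercised without WordPress:
foreach ( array( '1.7.3', '1.7.4', '1.6.2', '1.6.4', '1.5.5', '1.4.23', '2.0' ) as $v ) {
    $fixed = dir_yoast_fixed_release( $v );
    printf(
        "%-7s fixed release: %-5s patched: %s\n",
        $v,
        $fixed === null ? 'n/a' : $fixed,
        dir_yoast_is_patched( $v ) ? 'yes' : 'NO'
    );
}
```

Inside wp-admin you would feed `dir_yoast_installed_version()` into `dir_yoast_is_patched()` and show an admin notice when it returns false; the `1.4.23` sample is the case the page warns about, where no pushed update exists and the only answer is a manual update to 1.7.4.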

How do I get my WordPress plugins to update automatically?

The “Updates” screen under the “Dashboard” menu of your admin area lists every plugin with a pending update and lets you apply them all with one click, so checking it regularly is the simplest habit to build. WordPress does not turn on background updates for plugins by default; the forced Yoast update was a special case pushed by the WordPress.org security team, and it only reached sites where the automatic updater had not been switched off. If you are not having plugin updates applied automatically, it is strongly recommended that you update the SEO by Yoast plugin now on every site where you have it installed.

Wordpress Dashboard Auto Updates
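For sites you want patched without waiting for someone to log in, here is an added example (not from the original page or from Yoast) of opting plugins into WordPress's background updater. Since WordPress 3.7 the updater applies a plugin update only when the `auto_update_plugin` filter returns true for it, and the two `wp-config.php` constants at the end are the settings that disable the updater entirely. The list of plugin slugs is an assumption for illustration.

```php
<?php
// Added example for this article, not code from the page or from Yoast.
// Put it in a small must-use plugin (wp-content/mu-plugins/) or your theme's
// functions.php. The slug list is an assumption for illustration.

/**
 * Opt selected plugins into WordPress's background updater.
 *
 * @param bool   $update WordPress's default decision for this plugin.
 * @param object $item   Update item from the update_plugins transient; $item->slug
 *                       is the WordPress.org slug ('wordpress-seo' is Yoast's).
 * @return bool
 */
function dir_auto_update_selected_plugins( $update, $item ) {
    $always_update = array( 'wordpress-seo' ); // assumption: the plugins you want patched unattended
    if ( isset( $item->slug ) && in_array( $item->slug, $always_update, true ) ) {
        return true;
    }
    return $update; // keep WordPress's default (which includes WordPress.org-pushed security updates)
}
add_filter( 'auto_update_plugin', 'dir_auto_update_selected_plugins', 10, 2 );

// To turn background updates on for every plugin instead of a list:
// add_filter( 'auto_update_plugin', '__return_true' );

// Whichever you choose, make sure the updater itself is not disabled. Either of
// these wp-config.php settings switches off background updates and would also
// have blocked the forced Yoast update:
//   define( 'AUTOMATIC_UPDATER_DISABLED', true ); // disables all automatic updates
//   define( 'DISALLOW_FILE_MODS', true );         // blocks all plugin and theme installs and updates
```

Background updates run from WP-Cron, so a site that nobody visits will still receive them only when something triggers cron; on low-traffic sites a real cron job hitting `wp-cron.php` makes the behaviour predictable.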

Why would someone hack a plugin?

According to Wikipedia, WordPress was used by more than 18.9% of the top 10 million websites as of August 2013, with more than 60 million websites running WordPress; Drupal, by comparison, is used by just over one million websites.

Yoast SEO Vulnerability

WordPress SEO by Yoast is by far the most popular SEO plugin in the WordPress directory, with over 16 million downloads. In August 2014, Brian Rideout of Bang Website Design wrote: “Hackers,… tend to target opportunities where an exploit or weakness will have the most opportunities for damage. For instance most viruses and malware are targeted at the Windows platform since roughly 95% of us use Windows as our desktop operating system. So when Hackers look for weaknesses in websites… which platform do they target? You guessed it, WordPress. Because if they find a way in, they can get into LOTS of sites.”

The reality is that WordPress, like Authorize.net, Chase Visa, eBay and Wells Fargo, is very popular and therefore an “Automatic Target”, as Mr. Rideout puts it. That does not mean you should stop using WordPress, any more than you should stop using your Chase Visa while shopping on eBay or paying your Wells Fargo mortgage online, all of which use Authorize.net as a payment-processing gateway.

What it does mean is that you should take precautions and keep your site well maintained.

If you are using a CMS other than WordPress, DIR Incorporated recommends Touchdown Tech in Bremen, Indiana for hosting and security updates.

Key Takeaways:

  • WordPress is popular, which makes it a target.
  • WordPress SEO by Yoast is one of the most popular WordPress plugins.
  • Yoast acknowledged the issue and fixed it quickly.
  • WordPress.org supported Yoast and pushed an auto-update to millions of users.
  • Update to the newest version, 1.7.4, as soon as possible.
  • DIR Incorporated clients are already using the 2.0 RC beta version of WordPress SEO by Yoast.

Please share this with your colleagues, and use the comments section below to tell us what you think about the WordPress Yoast SEO hack or related topics.