Another week — another serious security vulnerability

September 26, 2014 GB

Security vulnerabilities are happening more and more; again this week, two serious security issues have been revealed.

iThemes, creators of the very popular BackupBuddy and iThemes Security plugins, have had their membership systems compromised, and it appears likely that hackers have gotten away with up to 60,000 users’ email addresses and passwords. If you are an iThemes customer, you should immediately reset your password — your previous password won’t work any more, as iThemes have disabled it — you must reset your iThemes membership password before you can access your account. If you are a user of BackupBuddy, iThemes Security Pro, iThemes Sync or iThemes Stash, then this affects you. Please go to the iThemes website and reset your password now.

Furthermore, if you use the password you had with iThemes for any other websites or systems (which you should never do), then you will also need to change the password for those sites. For this reason we always tell our customers to never reuse passwords — create unique passwords for each website or system you use. We’ll say it one more time: never, ever reuse passwords.

Secondly, yesterday — September 25 — a serious vulnerability, dubbed ShellShocker, was revealed in the BASH shell application. BASH is an extremely common command-line utility used on just about every Unix-based server in the world. If you host your WordPress site on a Linux server, then your server most likely has BASH installed.

As we constantly monitor security blogs and news sites, we were informed of the issue and patched all our servers within minutes of receiving the notification — so all WP NET customers can rest easy — we’ve patched our servers and tested that none of them are susceptible to this vulnerability. Whew.

If you host sites with another hosting company, you should immediately contact them and ensure that they are aware of the problem and are working to resolve the issue. If your host uses cPanel, this is of particular importance, as cPanel is reportedly prone to this vulnerability because it actually uses CGI for some of its scripts.

You can read more about the ShellShocker vulnerability on the Sucuri Blog.