Security Update | Duplicator Plugin, Symantec Certificates

October 2, 2018

Older WordPress Duplicator Plugin Leaves Websites Open to Attack

File Name: Duplicator
Author: Snap Creek Software
Versions Affected: Before 1.2.42

Problem: The WordPress Duplicator plugin makes it easy to copy websites between servers. It’s a great tool when moving a site from one host to another as you don’t need FTP access or database skills.

Older versions of “Duplicator” left files on new websites that helped hackers later take over that website. The files, installer.php and installer-backup.php , have information that allow hackers to overwrite the configuration settings for a website. These files were left in the highest level of the website, called the root level.

The vulnerability works because the older software allowed hackers to replace the database connection information found on the file remotely. With a simple command sent through the website’s URL, a hacker could shutdown a website by simply blocking access to the website’s database.

Snap Creek never intended for the files to remain on the website. Even in the older versions of the plugin, Snap Creek alerted administrators that the files were left over and needed to be removed. Still, if administrators ignored the warnings, then the files represented a security flaw.

Solution: Upgrade the plugin to any version newer than 1.2.42 (their free version).

Even with the upgrade, administrators should still remove the two files left over from the process. WordFence’ blog noted that even though the software fixed some of the security issues, it could still be used to crash a website — should an administrator leave the files exposed for public viewing.

We suggest deleting the plugin after use. Then, log into your website through either FTP or CPanel and manually delete the files.


Chrome Now Ignores Older Security Certificates from Symantec

File Name: Symantec SSL/TLS Security Certificates
Author: Symantec
Versions Affected: Symantec-issued certificates issued prior to June 1, 2016

Problem: Starting with new browser updates for download in October, Google Chrome and Mozilla Firefox will no longer recognize Symantec certificates as trusted. Symantec also sells its certificates under the brand names: Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL.

The “green lock” alerts viewers that your site is secure. Enter “HTTPS” before your domain name to view your website securely. Having a certificate ensures that hackers cannot monitor traffic between the customer’s browser and your server. It also ensures they cannot inject different content before it reaches a browser, a hack called the “man in the middle” attack.

The reason behind the change is that Google and other companies lost confidence in Symantec’s certificates. According to Google’s blog, “Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.”

Symantec has since sold their certificate business to DigiCert. DigiCert is a trusted certificate provider.

Solution: If your certificate is from Symantec, replace it.

Check your browser console (Ctrl+Shift+J in Windows and Linux, or Cmd+Shift+J on Mac for Firefox and Cmd+Option+J for Chrome) to test your certificate. The following is an example of a good certificate, viewed from Chrome’s browser console. Problem certificates will show red.

Symantec Certificates No Longer Recognized

Haven’t changed your certificate yet? Expect new browsers to soon display a red alert in the URL bar, declaring that your website is not secure.

Contact Visual String anytime for more information about how to keep your WordPress website secure.

Categorised in: