Thread: HeartBleed Is A Serious Security Threat - Please Read

  1. #1
    Bec (Moderator)
    Join Date: Nov 2003
    Location: Ohio
    Posts: 8,419

    WTF? HeartBleed Is A Serious Security Threat - Please Read

    ALERT IS NOT JUST FOR WORDPRESS

    There is a serious vulnerability, which has been dubbed HeartBleed, in the OpenSSL library, which is what most sites on the internet use to allow their visitors to connect securely to their websites. On a scale of 1 to 10 when it comes to security vulnerabilities for WordPress site owners, HeartBleed is an 11.

    The bug allows remote attackers to read 64k of memory of systems running the newest versions of openssl which do not contain the fix. That means an attacker can read your server's memory and pluck out usernames, passwords, the secret keys of your SSL/TLS encryption to crack secure communications and other sensitive information.

    Apache and Nginx are the most popular web servers on the Internet and they are the largest users of OpenSSL, which contains this vulnerability. Together they comprise 66% of the market share of all servers on the Net according to Netcraft. These servers are by far the most commonly used for WordPress sites, which is why HeartBleed affects so many WordPress sites.

    What to do:

    If you don't run a WordPress site that uses HTTPS (which lets your users connect securely using their web browser) then you don't have to worry about this.

    If you do have HTTPS enabled on your WordPress site, even if you aren't transmitting sensitive information, you need to respond to this threat immediately. Here is what you need to do about HeartBleed as a WordPress site owner:

    If you use a hosting provider, as most WordPress site owners do:

    If you use a hosting provider then you usually don't control your site at the operating system level. So check with your WordPress hosting provider to find out TWO things:

    Were they vulnerable to HeartBleed?
    Have they fixed it?

    If your WordPress hosting provider was vulnerable to HeartBleed then you need to ask them if they have revoked and reissued their SSL/TLS site certificates. The reason they need to do this is because the SSL/TLS private keys for your site may have been read from server memory and compromised.
    (Pay attention, those of you running WordPress as a paysite CMS with payment processors.)

    If they haven't fixed it then they need to fix it urgently because it has been 2 days since the public (and some are saying irresponsible) disclosure of HeartBleed.

    If your WordPress hosting provider was vulnerable to HeartBleed, you need to change all admin passwords on your site and you need to email all your users and ask them to change their passwords. The reason for this is that your server memory was temporarily readable by any attacker, and they may have read user passwords or other sensitive info from your memory. For example, the popular site ArsTechnica has been hit by this issue and is asking its users to change their credentials.

    The larger impact of this vulnerability

    While your WordPress site may be affected and may have been targeted, it's more likely that high profile sites would have been targeted to steal user information and decrypt secure channels. With that in mind it's important that you change your usernames and passwords on the Net, particularly sites that you have signed into since April 7th when the vulnerability was released.

    If you run your own WordPress site at the operating system level:

    The official HeartBleed vulnerability announcement is on http://openssl.org. NOTE: It is so slammed with people trying to access it that it isn't loading at the moment.

    OpenSSL versions 1.0.1 and 1.0.2-beta releases are affected including 1.0.1f and 1.0.2-beta1. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
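A small script, added here as an example (it is not part of the thread or of the advisory the post quotes), that turns the advice above into checks a site owner can run: it classifies the release named by `openssl version` using the version list in the post, notes when the `-DOPENSSL_NO_HEARTBEATS` workaround is visible in the build flags, flags the case where a distribution kept an affected version string but rebuilt the library on or after the disclosure date (a backported fix looks like that), and confirms that a site certificate's notBefore date falls after April 7th, which is what "revoked and reissued" should look like. The sample outputs inside are constructed and the function and constant names are my own.

```python
"""Checks derived from the Heartbleed advisory above (added example, not the
thread's or OpenSSL's code). Inputs are the text of `openssl version -a` and of
`openssl x509 -noout -startdate -in site.pem`; the samples below are constructed."""
import re
import subprocess
from datetime import date, datetime

DISCLOSURE_DATE = date(2014, 4, 7)  # public disclosure date given in the post

_MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_openssl_version(text):
    """'OpenSSL 1.0.1f 6 Jan 2014' -> (1, 0, 1, 'f', None); beta number is last."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def version_status(version_line):
    """'affected' or 'not affected' for the release named on the line.
    Per the post: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g is
    fixed. 0.9.8 and 1.0.0 never shipped the heartbeat extension, and every
    1.0.2 release after beta1 post-dates the fix."""
    major, minor, patch, letter, beta = parse_openssl_version(version_line)
    if (major, minor, patch) == (1, 0, 1):
        return "affected" if letter < "g" else "not affected"
    if (major, minor, patch) == (1, 0, 2):
        return "affected" if beta == 1 else "not affected"
    return "not affected"


def build_date(version_a_output):
    """Date from the 'built on:' line of `openssl version -a`, or None."""
    for line in version_a_output.splitlines():
        if line.lower().startswith("built on:"):
            m = re.search(r"\b([A-Z][a-z]{2})\s+(\d{1,2})\b.*?\b(\d{4})\b", line)
            if m and m.group(1) in _MONTHS:
                return date(int(m.group(3)), _MONTHS[m.group(1)], int(m.group(2)))
    return None


def assess_build(version_a_output):
    """(status, reason) for the full output of `openssl version -a`."""
    if "OPENSSL_NO_HEARTBEATS" in version_a_output:  # shows up in the compiler: line
        return "not affected", "heartbeat extension compiled out with -DOPENSSL_NO_HEARTBEATS"
    first = version_a_output.strip().splitlines()[0]
    status = version_status(first)
    built = build_date(version_a_output)
    if status == "affected" and built is not None and built >= DISCLOSURE_DATE:
        # Distributions backport the fix without bumping the version letter, so an
        # affected version string rebuilt after disclosure needs the distro advisory.
        return "unknown", "affected version string but rebuilt on %s; check the distro patch" % built
    return status, "based on version string %r" % first


def cert_reissued_after_disclosure(startdate_output):
    """True if the notBefore from `openssl x509 -noout -startdate` is on or after
    the disclosure date. Input looks like 'notBefore=Apr  8 00:00:00 2014 GMT'."""
    value = startdate_output.strip().split("=", 1)[1]
    stamp = value.rsplit(" ", 1)[0]  # drop the trailing zone name ("GMT")
    not_before = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").date()
    return not_before >= DISCLOSURE_DATE


# Constructed sample outputs (not captured from any real host).
SAMPLE_VULNERABLE = (
    "OpenSSL 1.0.1f 6 Jan 2014\n"
    "built on: Tue Jan  7 10:00:00 UTC 2014\n"
    "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT\n")
SAMPLE_BACKPORTED = (  # distro kept the 1.0.1e string but rebuilt after disclosure
    "OpenSSL 1.0.1e 11 Feb 2013\n"
    "built on: Mon Apr  7 20:33:29 UTC 2014\n"
    "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT\n")
SAMPLE_NO_HEARTBEATS = (  # recompiled with the workaround the post mentions
    "OpenSSL 1.0.1f 6 Jan 2014\n"
    "built on: Wed Apr  9 08:15:00 UTC 2014\n"
    "compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS\n")

if __name__ == "__main__":
    for name, sample in [("vulnerable build", SAMPLE_VULNERABLE),
                         ("backported build", SAMPLE_BACKPORTED),
                         ("no-heartbeats build", SAMPLE_NO_HEARTBEATS)]:
        print("%-20s %s" % (name, assess_build(sample)))
    print("cert reissued:", cert_reissued_after_disclosure("notBefore=Apr  8 00:00:00 2014 GMT"))
    try:  # finally, the library actually installed on this machine, if openssl is on PATH
        local = subprocess.check_output(["openssl", "version", "-a"]).decode()
        print("this host:", assess_build(local))
    except (OSError, subprocess.CalledProcessError, ValueError):
        print("this host: openssl not found or version string not recognised")
```

The "unknown" result is deliberate: a version string alone cannot tell a patched distribution package from an unpatched one, so the script refuses to call such a build safe and points at the distro advisory instead. For a hosted site, the same certificate check works on the served certificate via `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -startdate`.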


  2. #2
    jIgG
    Join Date: Oct 2003
    Posts: 2,081
    meh

    I have two-factor authentication on any sites I care about; nobody can log in if they don't have my phone, which is a problem when I don't have my phone.


  3. #3
    rawTOP
    Join Date: Aug 2008
    Location: New York, NY
    Posts: 199
    FYI - I know a lot of us are on NatNet. Apparently, only 15 of the 3,000+ servers they manage had a problem with Heartbleed. It might just have been a matter of luck on their part, but it was still nice to hear.

    My issue with two-factor authentication is that it's often impossible when you have separate accounts for personal and porn (e.g. Facebook only lets a cell phone be associated with one account at a time). How do you guys get around issues like that?

