Yet another serious server vulnerability was discovered and announced on Wednesday (24th September 2014) that allows attackers to execute any code on affected servers.
Please note that this is not directly a WordPress security vulnerability, but rather a vulnerability on those servers that host your WordPress sites.
This is significantly more serious than the Heartbleed problem reported a few months back and you should take all the necessary action to verify your web servers.
How to test your web servers
If you have administrator shell access to your web servers, this is the simplest way to test.
If you don’t have this level of access, but would like to use your web hosting to test this, you can do so quite easily through the iControlWP code snippets feature.
If the server hosting your site is secured already and isn’t vulnerable, you’ll simply receive a response from this code snippet saying:
“Test For ShellShock Finished”
Otherwise, you will also receive a message indicating your server is vulnerable.
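For the shell-access case mentioned above, here is one way to run the check locally. This is an added example, not code from the original post or from iControlWP. It tests every bash binary it can find on the host. The function names and the marker string are assumptions made for illustration.

```shell
#!/bin/sh
# Local ShellShock self-test (added example). Run on a server you administer.
MARKER="SHELLSHOCK_PROBE_RAN"   # constructed marker; printing it is harmless

# check_bash PATH: prints "vulnerable", "patched" or "missing".
# Exit status: 1 = vulnerable, 0 = patched, 2 = no executable at PATH.
check_bash() {
    if [ ! -x "$1" ]; then
        echo "missing"
        return 2
    fi
    # An unpatched bash imports "probe" as a function at start-up and also
    # runs the text after the closing brace; a patched bash ignores it.
    probe_out=$(env "probe=() { :;}; echo $MARKER" "$1" -c 'echo done' 2>/dev/null) || true
    case "$probe_out" in
        *"$MARKER"*) echo "vulnerable"; return 1 ;;
        *)           echo "patched";    return 0 ;;
    esac
}

# list_bash_binaries: every bash in /etc/shells or on PATH. The package
# manager only upgrades its own copy, so a hand-built one can stay unpatched.
list_bash_binaries() {
    {
        grep -s '/bash$' /etc/shells || true
        IFS=:
        for dir in $PATH; do
            if [ -x "$dir/bash" ]; then echo "$dir/bash"; fi
        done
    } | sort -u
}

# check_all_bash: report each binary; non-zero status if any is vulnerable.
check_all_bash() {
    any_vulnerable=0
    for bin in $(list_bash_binaries); do
        result=$(check_bash "$bin") || true
        if [ "$result" = "vulnerable" ]; then any_vulnerable=1; fi
        echo "$bin: $result"
    done
    return "$any_vulnerable"
}

check_all_bash
```

Run it again after patching: a "patched" result means only that this particular probe was not executed by that binary.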
How to patch against this vulnerability
Use the links above to learn about how to patch against this ShellShock security vulnerability.
It’s normally a simple matter of running one of the following commands, depending on your server flavour.
- yum update bash
- sudo apt-get update && sudo apt-get install --only-upgrade bash
If you don’t manage your server directly, contact your hosting provider and get them to patch immediately.
We will update this post as new developments are released.