Yet another serious server vulnerability was discovered and announced on Wednesday (24th September 2014) that allows attackers to execute any code on affected servers.
Please note that this is not directly a WordPress security vulnerability, but rather a vulnerability on those servers that host your WordPress sites.
This is significantly more serious than the Heartbleed problem reported a few months back and you should take all the necessary action to verify your web servers.
How to test your web servers
If you have administrator shell access to your web servers, this is the simplest way to test.
I can lay it out here but I’d just be repeating what is already very well explained here and here and here.
If you don’t have this level of access, but would like to use your web hosting to test this, you can do so quite easily though the iControlWP code snippets feature.
Here’s how:
If the server hosting your site is secured already and isn’t vulnerable, you’ll simply receive a response from this code snippet saying:
“Test For ShellShock Finished”
Otherwise, you will also receive a message indicating your server is vulnerable.
How to patch against this vulnerability
Use the links above to learn about how to patch against this ShellShock security vulnerability.
It’s normally a simple matter of running either, depending on your server flavour.
- yum update bash
- apt-get update && sudo apt-get install –only-upgrade bash
If you don’t manage your server directly, contact your hosting provider and get them to patch immediately.
We will update as any new developments are released.
Thanks again, Paul & team, for being aware & proactive in taking care of your clients’ websites! I sure appreciate you guys!
View CommentHi Lynn,
Thanks for comment and really glad you like what we’re doing! Hope you get your sites and servers all secured without a hitch!
Cheers!
View CommentPaul.