WordPress Core and Plugin Update Needed (Updated)

Sucuri has recently announced the discovery of a XSS vulnerability that affects multiple plugins. At least 15 popular plugins are affected including Jetpack, WordPress SEO, Gravity Forms and more. At the time of the vulnerability disclosure the majority of the plugin authors have launched new versions of their plugins fixing the issues. The next day a security release (4.1.2) of the WordPress core itself was released.  It is reported to fix several security issues too.

Are SiteGround customers protected?

Due to the nature of the reported vulnerabilities, we can’t use our WAF (web application firewall) system to block potential exploit requests on server level. The problem resides within very commonly used functions of the app and such filter would interrupt greatly the normal functionality of your sites. That is why the solution in this case is a quick update of WordPress AND all its plugins.

All SiteGround customers, who use the defaults setup of our autoupdater will have both their core and plugins automatically updated in the next few hours. If you have installed your WordPress via our 1-click installers and have not changed the autoupdate configuration you will have nothing to worry about. We will soon notify you via email and then update your WordPress core application alongside with all plugins that have new versions.

All SiteGround customers, who do not use our auto-updater, but had a WordPress version higher than 3.7 should have already received a core WordPress update pushed by WordPress itself. However, this update has not changed the versions of your plugins, so it is highly recommended that you update all used plugins manually as soon as possible.

Once our auto upgrade procedure is over, all WordPress accounts will be scanned and if we discover outdated and vulnerable plugins additional actions will be taken to secure them.