WordPress SEO by Yoast Vulnerability

Recent security issues with the SEO WordPress plugin by Yoast

You may have heard about the recent security issues with one of the most popular WordPress plugins in the world. A problem was found in the widely-used SEO WordPress plugin by Yoast, which caused a great deal of concern amongst the IT community and WordPress users because it could have resulted in sites being hacked.

Yoast is arguably one of the most reputable WordPress developers in the industry, so it’s a sobering thought that even he can make mistakes. Once the security issue was found, an update to the plugin was promptly released, and the moral of the story is update, update, update. In other words, if you do not ensure that your WordPress version and all your WordPress plugins are updated on a regular basis then you only have yourself to blame if your site is hacked as a result.

The good news

There are some gratifying elements to this story:

The chap who identified the vulnerability (Ryan Dewhurst at WPScan) discreetly contacted the Yoast team and (crucially) waited for them to release an update before publishing details of the problem to the public. A great example of ethics in IT – thank you Ryan.
The team at Yoast worked hard to issue a new release as quickly as possible whilst making sure that the problem was addressed.
Where possible, wordpress.org agreed to automatically update plugins for people – an unusual occurrence.

The bad news

Based on my experience of WordPress websites, I am willing to bet that there are thousands of people running WordPress sites with an out-of-date version of the Yoast WordPress SEO plugin, who are either oblivious to the problem or think that it won’t affect them. Thousands more probably have no idea that their site even has the Yoast SEO plugin installed on it, having “left that sort of thing” to their developer, or their website host.

Now the problem has been identified, hackers will be aware of it and they will know exactly how to exploit it…

What can I do to secure my site?

Go to your WordPress dashboard
Click on plugins in the left hand menu
If you see “WordPress SEO” in the list of plugins and if the details say it’s by “Team Yoast”, then you have this plugin.
If it doesn’t say “Version 1.7.4” before “by Team Yoast”, then you need to update the plugin as a matter of urgency.
Remember to back up your site FIRST.
If you don’t know how to take a backup of your site or how to update a plugin, then speak to your web developer. Like changing the oil in your car’s engine, you either need to learn how to do it yourself or pay someone else to do it, but you do have to make sure it is done.
Whilst you’re at it, check that you are running the latest version of WordPress. You can find out which version of WordPress you are running on your website by going to the main dashboard area and looking in the “at a glance” box at the top of the page. It should be 4.1.1. Anything else, and you are vulnerable to security issues, and you won’t be benefitting from all the latest WordPress functionality.
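If you look after more than one site, the dashboard check above can be scripted. The following is an added example (not from the original post) that assumes WP-CLI is installed and reads the JSON that `wp plugin list --format=json` prints; the plugin versions in the sample are constructed, and the version thresholds are the ones named in this post (plugin 1.7.4, WordPress 4.1.1).

```python
import json

# Constructed sample of `wp plugin list --format=json` output. WP-CLI is an
# assumption here; the post itself uses the dashboard. Versions are made up.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "3.0.4"},
    {"name": "wordpress-seo", "status": "active", "update": "available", "version": "1.7.3.3"},
])

# Minimum safe versions named in the post.
SAFE_YOAST = "1.7.4"
SAFE_CORE = "4.1.1"
YOAST_SLUG = "wordpress-seo"  # wordpress.org slug of "WordPress SEO by Yoast"


def parse_version(v):
    """Turn '1.7.3.3' into (1, 7, 3, 3); stop at the first non-numeric part."""
    parts = []
    for p in v.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def is_below(installed, minimum):
    """True if installed < minimum, compared numerically so that 1.7.10 > 1.7.4."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so '4.1' compares as '4.1.0'
    b += (0,) * (width - len(b))
    return a < b


def audit(plugin_list_json, core_version):
    """Return findings for a site: the Yoast plugin below 1.7.4, any plugin with
    an update waiting, and a WordPress core version below 4.1.1."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        if plugin["name"] == YOAST_SLUG and is_below(plugin["version"], SAFE_YOAST):
            findings.append(f"{YOAST_SLUG} {plugin['version']} is below {SAFE_YOAST}: update urgently")
        elif plugin.get("update") == "available":
            findings.append(f"{plugin['name']} {plugin['version']} has an update available")
    if is_below(core_version, SAFE_CORE):
        findings.append(f"WordPress core {core_version} is below {SAFE_CORE}: update")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGIN_LIST, "4.1"):
        print(finding)
```

On a live site, feed it the real output of `wp plugin list --format=json` and `wp core version` in place of the constructed sample.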

Is there anything else I need to know about updating plugins?

Be aware that if you are running very old versions of plugins and/or WordPress, then your site may break if you try to update everything.

What else can I do to protect my WordPress site?

Check your WordPress plugins on a very regular basis. The WordPress dashboard will tell you if updates are available.
Back up your site (both the files and the database), and then update those plugins! Having out-of-date plugins on your website is like buying a car and never putting any new tyres on it.
Alternatively, consider purchasing my WordPress Maintenance Plan to make sure you never have to worry about your site’s security.

Originally posted 2015-03-24 12:06:20.