All In One SEO, the popular WordPress optimization plugin was recently found to have security vulnerabilities that left any websites using it open to attack. Read on to find out what the problem was, how it was fixed, and what can to do to avoid it in the future.

The Plugin
A spot on the first page of Google is a huge deal for any website.  Ranking highly for targeted keywords helps websites bring in the kind of users they try so hard to reach.  The desire to please the Google gods has lead over 20 million WordPress users to download All In One SEO.

This popular plugin developed by Semper Fi lets users optimize title tags, generates meta data, helps avoid the SEO sin of duplicate content, and much more.  Easy enough for a beginner while still offering advanced settings for experts, All In One SEO has become a near automatic choice for many users.

The Problem
On May 31, 2014 Sucuri, an internet security firm, announced they had found two flaws in the code of All In One SEO.  The first opened sites up to a privilege escalation attack.  This would allow users without administrator rights to make changes to the plugin’s settings.  These changes could negatively affect a site’s Google rankings.

The second, and much more serious vulnerability, left sites open to cross site scripting attacks.  Hackers exploiting this opening could inject malicious JavaScript code into the WordPress Admin panel.  Once the code is installed it could be used to change admin passwords, create backdoors to the site’s code, or involve the site in a DDoS attack.

The Solution
WordPress users have dealt with security issues like this before.  One of the most common ways hackers gain access to WordPress pages is by finding holes in the security of plugins and themes.

The good news?  There is an easy way to protect your site against this kind of attack.  When developers learn of vulnerabilities in their code, they quickly release updates to patch the problem.  As a site owner, you must make it a priority to keep all plugins and themes you install up to date.  Also be sure to uninstall any plugins you are no longer using.

Understanding the need to update your site and actually doing it are two entirely different things.  Some plugins and themes seem to require weekly updates leaving even the most well intentioned webmaster at risk of missing an update, leaving his site open to attack.

If you’re looking to ensure you site is 100% up to date and secure, without the constant maintenance required to keep it that way, consider a WordPress maintenance package from Wurdey.  By completing daily updates along with backups and regular maintenance, Wurdey takes care of the mundane, leaving you to focus on the important work of making your site great.