Unless you have been hiding under the bed for the past week, you cannot have watched a news program without seeing a major online problem called Heartbleed. This thingy is actually pretty major in the ‘big picture’ of internet stuff. It is a really serious vulnerability named Heartbleed (great marketing by the techies there, scary name huh?) in the OpenSSL library, which is the program/code that most websites on the internet use to let their visitors connect securely. When it comes to security vulnerabilities for WordPress site owners, Heartbleed is a DefCon 5!
Millions of websites have been marked as vulnerable to the attack, and as security expert Bruce Schneier said in his blog:
“On the scale of 1 to 10, this is an 11”.
Heartbleed is a catastrophic bug in OpenSSL versions 1.0.1 and 1.0.2 Beta, and one of the most serious security vulnerabilities in Internet history.
So what does it ACTUALLY DO?
The Heartbleed bug allows remote attackers to read up to 64k of memory from systems running recent versions of OpenSSL that do not contain the fix. That means an attacker can read your server’s memory and pluck out usernames, passwords, the secret keys of your SSL/TLS encryption (with which they can crack your secure communications) and other sensitive information.
In normal speak, it means that your web host’s server has been leaking ‘bits’ of information (yes, think GoDaddy, Bluehost, HostGator etc.).
Now let’s be clear here: this is not some dodgy little man in a room looking at data and finding usernames and passwords! It’s a big-bad-machine-computer pinging servers worldwide to see what it can find and storing it all for later. (Side note: the NSA in the USA was one of these big-bad-machine-computer thingies, and apparently has known about this for 2 years and just exploited it rather than protecting the public from it.)
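As an added illustration (not code from this post, and not OpenSSL’s own C code) of what ‘reading 64k of memory’ actually means, here is a simplified Python model of the TLS heartbeat handling: the unpatched version trusts the payload length the other side claims, while the patched version checks that length against the record it really received. The ‘memory’, the heartbeat record and the secret sitting next to it are all constructed.

```python
"""Toy model of the Heartbleed bug and its fix (added example, not OpenSSL code).
Process memory is modelled as one bytes object: the heartbeat record sits at the
start and unrelated data (a constructed 'secret') happens to follow it."""

HB_REQUEST = 1
HB_RESPONSE = 2


def build_heartbeat(payload, claimed_len):
    """Encode a heartbeat record: type (1 byte), payload length (2 bytes), payload.
    An honest peer sets claimed_len == len(payload). The 2-byte length field is
    why the post talks about 64k: 65535 bytes is the most one request can claim."""
    return bytes([HB_REQUEST]) + claimed_len.to_bytes(2, "big") + payload


def heartbeat_vulnerable(memory, record_len):
    """Unpatched behaviour: trusts the length field and copies that many bytes
    from where the payload starts, running past the end of the real record."""
    claimed = int.from_bytes(memory[1:3], "big")
    payload = memory[3:3 + claimed]  # may extend well beyond record_len
    return bytes([HB_RESPONSE]) + claimed.to_bytes(2, "big") + payload


def heartbeat_fixed(memory, record_len):
    """Patched behaviour: discard any request whose claimed payload does not fit
    inside the record actually received (the bounds check the fix added)."""
    claimed = int.from_bytes(memory[1:3], "big")
    if 1 + 2 + claimed > record_len:
        return None  # silently dropped, as the patched code does
    return bytes([HB_RESPONSE]) + claimed.to_bytes(2, "big") + memory[3:3 + claimed]


SECRET = b"admin:hunter2;session=abc123"  # constructed data adjacent in memory


def demo():
    """Run a lying request (2-byte payload, claims 30) through both versions."""
    record = build_heartbeat(b"hi", claimed_len=2 + len(SECRET))
    memory = record + SECRET
    leaked = heartbeat_vulnerable(memory, len(record))
    safe = heartbeat_fixed(memory, len(record))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable server answers with:", leaked[3:])  # includes SECRET
    print("patched server answers with:", safe)          # None: request dropped
```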
Test if your site is vulnerable at all to HeartBleed
To satisfy your curiosity, go here to test whether your site is vulnerable at all to Heartbleed. It has been pointed out that it is probably not legal to test websites that don’t belong to you, so don’t do that (basically this is checking whether someone’s site is open to being hacked…).
So onto the real question of “is your WordPress website vulnerable?”
Luckily, most of us run ‘unsecured’, publicly-open websites, i.e. the web address starts with http and not https. Unless you have https on your website, you are pretty safe so far in terms of what you have to do with WordPress.
Now, having said that, your server/web host almost certainly DOES use https secure logins, doesn’t it?
Just follow through this checklist to ease your mind:
- Use this link to check if your site is affected: Heartbleed Checker by LastPass. (This checker is different from other checkers: it checks whether you were at risk in the past, whether steps have been taken to ensure you’re currently safe, and whether you should change your password. Other checkers focus on whether a site is currently exploitable, which is also useful but less likely to be the case for anything but the smallest sites.)
- If your site takes orders or credit cards through ecommerce, and is therefore probably using OpenSSL, it is probably vulnerable and you should immediately update your server’s SSL certificate (ask your host, or the company you pay annually for your SSL/TLS certificate).
- Once your host has patched the server side, it’s HIGH time to tell your users to change their passwords immediately, just in case.
So what has the Army of Flying Monkeys done?
What about us at Army of Flying Monkeys? Well, the first thing we all did was sit on our hands. Sounds silly, doesn’t it? Well, after a few glasses of wine we talked it all through. We didn’t know which sites were fixed and which weren’t, so there was no use changing all our passwords only to have to do it again!
Turns out we are completely safe from Heartbleed and you can rest assured.
And personally, what did the Mejor Tribe do?
You think YOU have a lot of passwords and logins? Think about net-geeks like us!
So we waited until Monday, then grabbed a big cup of coffee and went through all our sites. (The member of the Tribe with the most logins and passwords was Tina: she changed 413 passwords!)
However, we have to admit that thanks to our secure password manager it was a bore, but actually pretty simple. See our recommendation below for how we have managed our passwords since last year…
Our Final Recommendation: LastPass
What we suggest on this issue is simple: keep calm, and now is the time to update all your passwords. Yes, we recommend you change ALL passwords for major accounts…
Simply put, the Heartbleed bug is pretty techie-geeky complex. Instead of spending the next few hours checking ALL your websites to see if they’ve plugged the vulnerability, there is an easier solution: start using LastPass.
LastPass, if you’ve never used it before, is the best cross-platform password manager in the world, and it’s free to boot. LastPass uses a different password for each of your various web apps and services, so that even if hackers get their hands on one password, they can’t go any further.
More importantly, though, LastPass now includes a tool that checks all of your websites to see if they are vulnerable to Heartbleed and whether they’ve updated their security certificates.
If you use a large number of web services, and let’s be honest we ALL do, it will take some time to move all of those passwords over to the LastPass Vault, but it’s really worth it. Really, given the dodgy security practices of many online companies, and the ridiculous regularity with which their databases get hacked, you should be using a password manager like LastPass if you care about your online security and privacy.
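The checklist above and the LastPass tool both turn on one question: has a site’s security certificate been reissued since the bug became public? Here is an added Python script (not LastPass’s checker, and no claim about how that tool works inside) that performs that one check: it reads a certificate’s ‘valid from’ date and flags anything issued before the 7 April 2014 disclosure. The sample dates are constructed so it runs offline; `fetch_not_before` is a helper for checking a live site.

```python
"""Check whether a site's TLS certificate was (re)issued after the Heartbleed
disclosure on 7 April 2014. A certificate issued before that date may have had
its private key exposed, so even a patched server should get a new one.
Added example for this post; not LastPass's checker."""
import socket
import ssl
from datetime import datetime, timezone

# Date the fixed OpenSSL (1.0.1g) was published and the bug became public.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_date(cert_time):
    """Convert the 'Apr  8 12:00:00 2014 GMT' format that ssl.getpeercert()
    returns into a timezone-aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def assess_certificate(not_before):
    """Return (ok, message) for a certificate whose validity starts at not_before."""
    issued = cert_date(not_before)
    if issued < HEARTBLEED_DISCLOSED:
        return False, ("SUSPECT: certificate issued %s, before the Heartbleed "
                       "disclosure; its private key may have leaked, ask for a reissue"
                       % issued.date())
    return True, "OK: certificate issued %s, after the disclosure" % issued.date()


def fetch_not_before(host, port=443, timeout=5):
    """Fetch the live certificate's notBefore field from host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    # Constructed sample values so the script runs offline; for a live check use
    # assess_certificate(fetch_not_before("example.com")).
    for sample in ("Mar 10 00:00:00 2014 GMT", "Apr 12 09:30:00 2014 GMT"):
        ok, msg = assess_certificate(sample)
        print(sample, "->", msg)
```

One caveat the date alone cannot catch: a certificate reissued with the same private key passes this check but is still compromised, so confirm with your host that a fresh key was generated.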