WordPress HTTPS (SSL)
Heart Bleed Bug (13 posts)

  1. DoctorMicro
    Member
    Posted 1 year ago

    Is the Heartbleed bug an issue with this plugin?

    https://wordpress.org/plugins/wordpress-https/

  2. biberkopf
    Member
    Posted 1 year ago

    I second this question!
    Is the actual OpenSSL code included in this plugin?

  3. Dave333
    Member
    Posted 1 year ago

    I was also curious about Heartbleed and Infinite WordPress.

  4. stephanmonecke
    Member
    Posted 1 year ago

    It concerns every OpenSSL implementation. Therefore also WordPress and nearly every other SSL-secured page.

    That's why Bruce Schneier said: "Catastrophic is the right word. On the scale of 1 to 10, this is an 11."

  5. AITpro
    Member
    Posted 1 year ago

    Actually OpenSSL is installed on your Host Server so your Host should have patched this already, but it does not hurt to ask them.

  6. andrebron
    Member
    Posted 1 year ago

    This article explains what to do about the Heartbleed bug concerning WordPress sites as well as other hosted accounts:

    https://thewpvalet.com/heart-bleed-security-best-practices/

    Cheers!

  7. AITpro
    Member
    Posted 1 year ago

    The article ONLY applies to anyone who has purchased an SSL Certificate. If you have never purchased an SSL Certificate then this does NOT apply to you.

  8. AITpro
    Member
    Posted 1 year ago

    If you have purchased an SSL Certificate in the past then the article is very well put together and explains very clearly what you need to do next.

  9. andrebron
    Member
    Posted 1 year ago

    AITpro, that is simply not true. All TLS and SSL certificates, whether purchased from a CA or not, were affected by the Heartbleed bug if they were installed on a server with the unpatched OpenSSL 1.0.1. Any shared SSL on a shared server would have been affected as well. The version of OpenSSL 1.0.1 needs to be patched, then the SSL recreated, because the SSL crt and key may have been exposed. The likelihood that they would be exposed is low, but an attacker with knowledge of how to exploit the Heartbleed bug can read data in the server's memory, which can include crt, key and login usernames and passwords. It depends on the data exposed at the time that the attacker is exploiting the bug.

  10. AITpro
    Member
    Posted 1 year ago

    Yes, the Host will do that then and nothing needs to be done by the end user. Combine both of my thread responses and you have the complete answer. Host patches OpenSSL on their Servers and any shared SSL Certs. Users who have purchased SSL Certificates need to get a new one and do the steps in the link to the article you posted.

  11. AITpro
    Member
    Posted 1 year ago

    Also as far as I know a valid SSL Certificate MUST have a Trusted Root Authority and MUST contain the domain name of the site in the Cert. I don't believe that any other type of SSL Certificate is actually considered a valid/real SSL Certificate. I assume a self-signed or other invalid type of SSL Certificate would not apply.

  12. andrebron
    Member
    Posted 1 year ago

    That's correct AITpro. A valid SSL certificate needs a trusted root CA for it to clear warnings and have that security level. However, the Heartbleed bug affected all unpatched OpenSSL 1.0.1 and any certificates created and served by that software.

    Also, most trusted root CAs that you buy SSLs from will reissue your SSL free of charge. Just contact them and ask how to process an SSL reissue.

    As regards whether the host will do everything expected, well, that is really a question of trusting your host and service provider. I can safely say that any serious host or online service that was affected would patch the OpenSSL software, revoke all certificates, reissue the certificates and reset all critical login credential passwords, or at least inform the account holders that they should update their passwords to mitigate the possibility that a hacker gained those credentials via the Heartbleed exploit. However, verifying that directly with your host or service provider is best practice.
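Two checks an administrator can run on the host, as an added example that is not part of this thread or of the WordPress HTTPS plugin: the first classifies the `openssl version` string against the affected range that posts 9 and 12 describe (unpatched OpenSSL 1.0.1; upstream 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g and later are fixed, and 0.9.8/1.0.0 never had TLS heartbeats), and the second follows the same posts' advice to recreate certificates whose keys may have been exposed, by comparing a certificate's notBefore date with a cutoff. Assumptions: the functions take the raw output of `openssl version` and `openssl x509 -noout -startdate`, the default cutoff 2014-04-07 is the public disclosure and 1.0.1g release date, and all sample strings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): host-side Heartbleed triage helpers.
#  heartbleed_status  - classify the output of `openssl version`
#  issued_before_fix  - flag a certificate whose notBefore predates the fix
# Inputs are assumed to be the raw strings printed by the openssl CLI.

# Upstream OpenSSL 1.0.1 .. 1.0.1f and 1.0.2-beta1 carry the vulnerable
# heartbeat code; 1.0.1g fixed it. 0.9.8 and 1.0.0 never implemented
# TLS heartbeats and are not affected.
heartbleed_status() {
    # $1 is e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"; keep only the version token
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo "vulnerable-upstream" ;;   # see the backport caveat below
        1.0.1*|1.0.2*|1.1.*|3.*)
            echo "fixed-upstream" ;;
        0.9.*|1.0.0*)
            echo "not-affected" ;;
        *)
            echo "unknown" ;;               # not OpenSSL, or unparseable
    esac
}
# Caveat: distributions backport fixes without bumping the version letter
# (RHEL/CentOS and Debian patched 1.0.1e in place), so "vulnerable-upstream"
# is a prompt to confirm with `openssl version -b` (build date) or the
# package changelog, not a verdict on its own.

# Convert the "Mon DD ... YYYY" pieces of a notBefore line to YYYYMMDD so
# two dates can be compared numerically in plain sh.
to_yyyymmdd() {
    # $1 = month name as printed by openssl, $2 = day, $3 = year
    case "$1" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    printf '%s%s%02d\n' "$3" "$m" "$2"
}

# A certificate whose key sat on a vulnerable server before the fix should
# be reissued (posts 9 and 12). $1 is the "notBefore=..." line; $2 is an
# optional cutoff as YYYYMMDD. If the host patched later than 2014-04-07,
# pass that patch date instead, since exposure lasted until then.
issued_before_fix() {
    cutoff=${2:-20140407}
    # strip the prefix and split "Mar  3 00:00:00 2014 GMT" into words
    set -- $(printf '%s\n' "$1" | sed 's/^notBefore=//')
    # now $1=month $2=day $3=time $4=year $5=timezone
    d=$(to_yyyymmdd "$1" "$2" "$4") || { echo "unknown"; return 1; }
    if [ "$d" -lt "$cutoff" ]; then
        echo "reissue"
    else
        echo "ok"
    fi
}

# Stand-alone usage on a host (the verifier only exercises the functions):
#   heartbleed_status "$(openssl version)"
#   issued_before_fix "$(openssl x509 -in /path/to/cert.pem -noout -startdate)"
```

Both checks are conservative by design: a "vulnerable-upstream" version string on a distribution that backports fixes needs the build date or changelog to settle it, and "reissue" only says the key existed during the exposure window, which is exactly the case the thread says warrants a new certificate.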

  13. AITpro
    Member
    Posted 1 year ago

    Yep, I agree.

Topic Closed

This topic has been closed to new replies.
