
Heart Bleed Bug

Viewing 12 replies - 1 through 12 (of 12 total)
    I second this question!
    Is the actual OpenSSL code included in this plugin?

    I was also curious about Heart Bleed and Infinite WordPress.

    It concerns every OpenSSL implementation, and therefore also WordPress and nearly every other SSL-secured page.

    That's why Bruce Schneier said: “Catastrophic is the right word. On the scale of 1 to 10, this is an 11.”

    Actually OpenSSL is installed on your Host Server so your Host should have patched this already, but it does not hurt to ask them.

    This article explains what to do about the Heart Bleed bug concerning WordPress sites as well as other hosted accounts:

    https://thewpvalet.com/heart-bleed-security-best-practices/

    Cheers!

    The article ONLY applies to anyone who has purchased an SSL Certificate. If you have never purchased an SSL Certificate then this does NOT apply to you.

    If you have purchased an SSL Certificate in the past then the article is very well put together and explains very clearly what you need to do next.

    AITpro, that is simply not true. All TLS and SSL certificates, whether purchased from a CA or not, were affected by the Heart Bleed bug if they were installed on a server with the unpatched OpenSSL 1.0.1. Any shared SSL on a shared server would have been affected as well. The version of OpenSSL 1.0.1 needs to be patched, then the SSL recreated, because the SSL crt and key may have been exposed. The likelihood that they would be exposed is low, but an attacker with knowledge of how to exploit the Heart Bleed bug can read data in the server's memory, which can include crt, key and login usernames and passwords. It depends on the data exposed at the time that the attacker is exploiting the bug.

    Yes, the Host will do that then and nothing needs to be done by the end user. Combine both of my thread responses and you have the complete answer. Host patches OpenSSL on their Servers and any shared SSL Certs. Users who have purchased SSL Certificates need to get a new one and do the steps in the link to the article you posted.

    Also as far as I know a valid SSL Certificate MUST have a Trusted Root Authority and MUST contain the domain name of the site in the Cert. I don’t believe that any other type of SSL Certificate is actually considered a valid/real SSL Certificate. I assume a self-signed or other invalid type of SSL Certificate would not apply.

    That’s correct AITpro. A valid SSL certificate needs a trusted root CA for it to clear warnings and have that security level. However, the heart bleed bug affected all unpatched OpenSSL 1.0.1 and any certificates created and served by that software.

    Also, most trusted root CAs that you buy SSLs from will reissue your SSL free of charge. Just contact them and ask how to process an SSL reissue.

    In regard to whether the host will do everything expected, well, that is really a question of trusting your host and service provider. I can safely say that any serious host or online service that was affected would patch the OpenSSL software, revoke all certificates, reissue the certificates and reset all critical login credential passwords, or at least inform the account holders that they should update their passwords to mitigate the possibility that a hacker gained those credentials via the heart bleed exploit. However, verifying that directly with your host or service provider is best practice.

    Yep, I agree.
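The replies above advise site owners to verify that their host actually reissued the certificate after patching, and that the certificate names the site's domain. As an added example (not code from the thread or from any plugin mentioned in it), the Python script below pulls a server's certificate over a verified TLS connection and flags a certificate issued before the public Heartbleed disclosure on 7 April 2014, an expired certificate, or one whose SAN/CN does not cover the hostname. The `audit_cert`, `fetch_and_audit` and `_name_matches` names are the example's own; the cert dict layout is the one `ssl.getpeercert()` returns.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014. A certificate whose private key
# lived on an unpatched OpenSSL 1.0.1 host before that date may have leaked, so a
# notBefore earlier than this means the host kept the old key instead of reissuing.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def _names_in_cert(cert):
    """Collect DNS names from subjectAltName plus the subject commonName."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def _name_matches(pattern, hostname):
    """Match a cert name against a hostname, allowing one leftmost wildcard label."""
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def audit_cert(cert, hostname, now=None):
    """Return a list of findings for a cert dict in ssl.getpeercert() format."""
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    findings = []
    if not_before < HEARTBLEED_DISCLOSURE:
        findings.append("issued before Heartbleed disclosure: reissue with a new key")
    if not (not_before <= now <= not_after):
        findings.append("outside validity period")
    if not any(_name_matches(n, hostname.lower()) for n in _names_in_cert(cert)):
        findings.append("hostname not covered by SAN/CN")
    return findings


def fetch_and_audit(hostname, port=443):
    """Fetch the live certificate with full chain/hostname verification, then audit it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return audit_cert(tls.getpeercert(), hostname)


if __name__ == "__main__":
    import sys
    print(fetch_and_audit(sys.argv[1]) or ["no findings"])
```

An empty list means the certificate post-dates the disclosure, is currently valid, and covers the requested name; a reissue on a new key is the expected outcome after a host patches OpenSSL.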
