(XSS)
Again
WordPress users with the Advanced Custom Fields plugin on their website should upgrade after the discovery of a vulnerability in the code that could open up sites and their visitors to cross-site scripting (XSS) attacks. A warning from Patchstack about the flaw claimed there are more than two million active installs of the …
"Casey Ellis, founder and CTO at security crowdsourcer Bugcrowd, told The Register that anyone whose WordPress site is hacked should migrate it to a SaaS host, where the security maintenance is outsourced to a third party and a web application firewall can be put up in front of the site."
Or...
Turn on auto updates.
Install a backup solution.
Install a WAF.
Stick it behind Cloudflare or Akamai.
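To make the "turn on auto updates" step concrete, here is an added example of a WordPress must-use plugin that forces core, plugin and theme auto-updates on and logs what got applied. It is not code from this thread, from WordPress or from the ACF project; the file path, the pinned-plugin slug and the log destination are assumptions.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not project code)
 *
 * Assumed location: wp-content/mu-plugins/auto-update-policy.php
 * Must-use plugins load on every request and cannot be deactivated from the
 * dashboard, so a compromised admin account cannot simply switch updates off.
 */

// Core: by default WordPress only auto-applies minor (security) releases.
// Setting the constant to true also takes major releases. It is normally
// defined in wp-config.php, so guard against a double definition.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}

// Plugins you deliberately pin (e.g. a site-breaking major bump you want to
// test on staging first). Assumed slug for illustration only.
const AUP_PINNED_PLUGINS = array( 'some-plugin-you-pinned' );

/**
 * Opt every plugin in to background updates except the pinned ones.
 *
 * @param bool|null $update Current decision (null = WordPress default).
 * @param object    $item   Update item; has ->slug, ->plugin, ->new_version.
 * @return bool
 */
function aup_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, AUP_PINNED_PLUGINS, true ) ) {
        return false; // keep pinned plugins on their current version
    }
    return true;
}
add_filter( 'auto_update_plugin', 'aup_auto_update_plugin', 10, 2 );

// Themes rarely need pinning; take everything.
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Record what the background updater did. This pairs with the "install a
 * backup solution" step: when restoring you want to know what changed.
 *
 * @param array $results Keyed by 'core', 'plugin', 'theme', 'translation';
 *                       each entry has ->item, ->result (true|false|WP_Error),
 *                       ->name and ->messages.
 */
function aup_log_update_results( $results ) {
    foreach ( $results as $type => $entries ) {
        foreach ( $entries as $entry ) {
            $name    = isset( $entry->name ) ? $entry->name : $type;
            $version = isset( $entry->item->new_version ) ? $entry->item->new_version : '?';
            if ( is_wp_error( $entry->result ) ) {
                $status = 'FAILED: ' . $entry->result->get_error_message();
            } else {
                $status = $entry->result ? 'ok' : 'skipped';
            }
            // Assumed destination: the PHP error log (WP_DEBUG_LOG routes it to
            // wp-content/debug.log). Swap for your own logging pipeline.
            error_log( sprintf( '[auto-update] %s %s -> %s: %s', $type, $name, $version, $status ) );
        }
    }
}
add_action( 'automatic_updates_complete', 'aup_log_update_results' );
```

Auto-updates only run when WP-Cron fires, so on a low-traffic site either hit wp-cron.php from a real cron job or accept that the update lands on the next visit; a WAF in front of the site buys time for the window in between but does not replace the patch.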
Not everyone's site is worth spending hundreds of pounds a month on.
True, but all of these measures could easily turn into hundreds of pounds anyway, depending on the size and traffic of your website.
Also, weird that he only recommends the migration to owners of hacked sites, surely you'd want to do that *before* you get hacked if you're serious about security? (yeah, I know...)
I like to apply some critical thinking when numbers are thrown around. I advise everyone to do the same. That way you work out that if politicians or newspapers are to be believed there are 10 paedophiles per bush for them to jump out of in the UK and other such nonsense.
2 million affected sites sounds like a lot. I might just believe 2 million installs of WordPress. But then we have about 8 installs over various dev, staging and test environments.
They have picked this up from the WordPress plugin site.
The developers our marketing team use love using it (no idea why), so I would assume for a plugin this old that would be about right.
Exactly what people have said about every other WordPress plugin vulnerability.
No one has to use them. But people do. This is not the fault of the WordPress developers, except that they opened the door.
There's no cheap, simple fix for this problem. "Don't use plugins" is not a fix, because the problem is other people deciding to use plugins. It's all just part of the tremendous mess the industry has made of the Web, starting with Netscape's decision to stick LiveScript into the browser, and Microsoft's to invent DHTML (compounded by Microsoft's invention of XHR, and Google's popularization of it).
"https://idlewords.com/2009/09/how_to_not_get_your_blog_hacked.htm"
Good find, and agrees entirely with my thoughts on the subject. I don't have any sites up at the moment (though I might have in a few months, depending on time etc) but last time I faffed with websites I used WordPress and seemed to spend a LOT of time updating WordPress, plugins, themes and the like. And still they got hacked.
For what I needed, static sites would have been perfectly adequate - small, fast, virtually unhackable. Of course, that's harder to do if you want dynamic content, but I don't and static is the way to go.
"Any chance of convincing Cloudbase Commander to try a static blog system running on a staging server inside the firewall?"
I've seen a few mentioned, but I've no idea if they're any good. Any suggestions?