Serious WordPress Plugin Security Flaw Discovered Affects Millions Of Websites
The affected plugin is Really Simple Security, formerly known as Really Simple SSL. Website administrators use the plugin for the security features it provides, such as two-factor authentication, login protection, and vulnerability detection. Its latest update introduced an error in the way two-factor authentication was implemented, leading to a vulnerability that allows attackers to take over an arbitrary account on any WordPress install that had enabled this security feature.
To make matters worse, threat actors can maximize the damage they cause because this “vulnerability is scriptable, meaning that it can be turned into a large scale automated attack, targeting WordPress websites.” Now that the vulnerability is public, it is incredibly important for any website that uses this plugin to update as soon as possible, before malicious actors begin to take advantage of the flaw.
This particular security lapse is a double whammy. First, many users don’t keep up with updating their plugins, so many websites will fall victim to attacks exploiting the vulnerability. Second, the users who went out of their way to enable a good security feature, two-factor authentication, are the ones who will potentially pay the price for having done the right thing.
Hopefully, users who have installed this plugin are informed of the vulnerability and apply the necessary update before anything bad happens. In addition, hopefully this experience doesn’t slow down the adoption of two-factor authentication, which, generally speaking, is a security best practice.