WordPress plugin Really Simple Security leak
If you have installed the WordPress plugin Really Simple Security, you should urgently update it to version 9.1.2 or higher to protect your website. In this blog post, we report on the leak and how it occurred.
Very simple security leak
Malicious people can exploit a leak in this plugin that allows them to take over the entire website. The flaw is an authentication bypass: a vulnerability that lets an attacker reach parts of a website that normally require a username and password without providing any credentials. In the case of Really Simple Security, it lets an attacker access the account of any registered user of the website, including the administrator, simply by knowing the username.
This kind of vulnerability is known as an "Unauthenticated Access Vulnerability", one of the most serious types, because it is generally easier to exploit than an "authenticated" vulnerability, where an attacker must first obtain the username and password of a registered user.
Wordfence has issued an advisory about this, which can be read below: "The Really Simple Security (Free, Pro and Pro Multisite) plugins for WordPress are vulnerable to authentication bypasses in versions 9.0.0 through 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function.
This allows unauthenticated attackers to log in to the site as an arbitrary user, e.g. as an administrator, if "two-factor authentication" is enabled (disabled by default). Wordfence blocked 310 attacks targeting this vulnerability in the last 24 hours." So this is a serious leak: the plugin is installed on 4 million WordPress websites worldwide, so a great many users need to act on it immediately. Update the plugin right away, and also consider enabling automatic updates for the plugin, so that all further updates are installed as soon as they are released.
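To make the "improper user check error handling" named in the advisory concrete, here is a constructed PHP sketch added to this post; it is not the plugin's code. It assumes a WordPress-style convention where a check returns a WP_Error object on failure, and shows why a falsy test on that result lets the failure through while an explicit error check does not. The function bodies, the user store and the WP_Error stub are assumptions.

```php
<?php
// Added illustration, not the plugin's code. WordPress functions commonly
// signal failure by returning a WP_Error object. Minimal stubs so this runs
// outside WordPress (real WordPress already defines both).
if ( ! class_exists( 'WP_Error' ) ) {
    class WP_Error { public function __construct( public string $code, public string $message ) {} }
}
if ( ! function_exists( 'is_wp_error' ) ) {
    function is_wp_error( $thing ): bool { return $thing instanceof WP_Error; }
}

// Constructed user store standing in for get_user_by().
$users = [ 1 => (object) [ 'ID' => 1, 'user_login' => 'admin' ] ];

// A user check named after the function the advisory mentions; its body is
// an assumption: verify the login nonce, return the user on success and a
// WP_Error on failure.
function check_login_and_get_user( array $users, int $user_id, string $nonce, string $expected ) {
    if ( ! hash_equals( $expected, $nonce ) ) {
        return new WP_Error( 'invalid_nonce', 'Login nonce is invalid.' );
    }
    return $users[ $user_id ] ?? new WP_Error( 'no_user', 'Unknown user.' );
}

// Weak pattern: a WP_Error is an object, hence truthy, so "! $user" never
// fires and the request proceeds as if the check had succeeded.
function weak_caller( array $users, int $user_id, string $nonce, string $expected ): string {
    $user = check_login_and_get_user( $users, $user_id, $nonce, $expected );
    if ( ! $user ) {
        return 'rejected';
    }
    return 'authenticated as user ' . $user_id; // reached even when the check failed
}

// Hardened pattern: test explicitly for the error object before using the result.
function fixed_caller( array $users, int $user_id, string $nonce, string $expected ): string {
    $user = check_login_and_get_user( $users, $user_id, $nonce, $expected );
    if ( is_wp_error( $user ) ) {
        return 'rejected: ' . $user->code;
    }
    return 'authenticated as user ' . $user->ID;
}

// Same failed check, two different outcomes.
echo weak_caller( $users, 1, 'wrong-nonce', 'good-nonce' ), "\n";
echo fixed_caller( $users, 1, 'wrong-nonce', 'good-nonce' ), "\n";
```

The lesson for reviewing any WordPress plugin code is the same: whenever a function may return WP_Error, the caller must check with is_wp_error() rather than a truthiness test.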
Security for your WordPress website
To keep a WordPress website secure, it is important that you keep up with updates and critically check which plugins and themes you have installed. The list of plugins and themes that you have installed on your website should always be kept to a minimum and any inactive components that you have left on the website should be removed.
This way you keep the website free of clutter and ensure that it runs optimally. Installing many plug-ins is also always a risk, as every plug-in must be kept up to date and must keep working with the others. As a rule, we recommend not using more than 8 plug-ins within a WordPress website. And always check critically how often these plug-ins are updated and whether their ratings are good.
If a plug-in isn't updated for months, that's often a sign that it's wiser not to install it on your website. You can install additional plugins to extend the security of your WordPress website, for example Really Simple Security, but as this post shows, such plugins can themselves be the culprit. A strong random password for your WordPress user and regular backups of your WordPress website remain the two measures you can rely on the most. Also make sure that your backups are stored in multiple locations, for example once on the hosting account, once locally and once on a third-party cloud storage.
This way, you can also rely on a backup of your WordPress website in almost any scenario. So keep your website up to date and find out about the latest developments in the themes and plug-ins you use - that way your WordPress website is safe!
Source: https://www.searchenginejournal.com/wordpress-security-plugin-vulnerability-endangers-4-million-sites/532701/