WordPress Contact Form 7 leak
There is a serious leak in a widely used contact form plugin that gives malicious people the chance to take over your WordPress website. Here are the steps you need to follow.
Contact Form 7 is a popular solution for easily creating contact forms on your website. The plugin is installed and active on over 5 million websites, which also makes it an attractive target for malicious actors. This leak made it possible to upload malicious files to the website, which in turn allows an attacker to install malware or do a great deal of other damage.
Contact Form 7 should therefore be updated as soon as possible via the plugin page within WordPress to the latest version, in which this leak has been plugged. The latest safe version of Contact Form 7 is now 7.5.3.2.
All versions below 7.5.3.1, and 7.5.3.1 itself, should be updated as soon as possible for the safety of your website.
Discovered and solved quickly
The security hole was found by Astra, a WordPress security company, and then reported to the makers of Contact Form 7. The hole was fixed within 1 day and the update was released for installation: the leak was discovered on December 16 and the update was released on December 17. A very fast response, and a fast result too. The full release of the plugin can be read in more detail here:
The vulnerability was not exploitable on every website that merely had Contact Form 7 installed, as the file upload option had to be enabled in a contact form. Nevertheless, it is recommended to update to the latest version as soon as possible.
Keep up to date with WordPress Security
With a WordPress website, it is essential that you maintain and update the website. Almost no website can be created, designed and then left as it is for years. A website that is not updated is asking for trouble. Because WordPress is one of the most popular ways to create a website, it is also an interesting target. That is why it is essential to keep up with the plugins, the themes and the WordPress version itself, as well as the hosting environment itself.
You do this by using a clear update process that you also stick to. Every update process starts with the right backup strategy for your website, whether that is weekly, daily or once a month. What we always recommend is to take 5 minutes for this every month, so that you have your backups in three locations: inside your hosting, outside your hosting and on your local PC. This can also be achieved with the backup service and packages we offer on MijnBackupPartner.nl.
Furthermore, we would also like to take the opportunity to put the spotlight on our Managed WordPress hosting packages. Here we take care of all the technical stuff for you. And you can focus on making your website successful.
Besides backups, keeping up with updates is also necessary for any webmaster using WordPress. Follow WordPress and the plugins and themes you use on social media and make sure you stay up to date with important changes. Keeping up with the latest news is not only fun but also essential to ensure that your websites, and those of your clients, stay online. A good example is the /r/wordpress subreddit, where questions are handled alongside updates and the latest news.
A secure WordPress website
Furthermore, it is important to keep a WordPress website secure by minimizing the number of plugins. Fewer plugins means less dependence on third parties for the security of your website, and it is also better for loading speed: more plugins means more things that need to be loaded for your website, which results in longer loading times.
So limit the number of plugins to the minimum you need. And remove plugins you hardly use from your website.
Not every plugin maintainer is as fast in processing security updates as Contact Form 7 was in this case. It is therefore also important to only install plugins that have a strong team behind them, are well reviewed and are not several versions behind.
These often small steps make a WordPress website not only more secure but also faster to use, and they save you a lot of work should something unexpectedly go wrong.