All In One SEO Pack Vulnerabilities Found, Upgrade Recommended

In news that popped up all over the web in recent days, the WordPress plugin All In One SEO Pack contains several security vulnerabilities that could put users’ sites at risk. Yes, SEO is very important, but so is keeping your website safe. Let’s take a look at what the issues are and what can be done to stop them.

Researchers from Sucuri, who were conducting a code audit when the problem popped up, were quoted in a PC World article from Monday as saying, “If your site has subscribers, authors, and non-admin users logging into wp-admin, you are at risk. If you have open registration, you are at risk, so you have to update the plugin now.” Not updating the plugin could prolong the security issues that exist.

The flaws are pretty major too. PC World said, “One of the two flaws discovered by Sucuri can be exploited by a regular user, like an author or a subscriber, to modify a post’s SEO title, description, and keyword meta tags created by the plugin. If used maliciously, this could result in damage to a site’s search result ranking. However, the vulnerability can also be combined with a second flaw to inject malicious JavaScript code on the administrator control panel that would execute when the page is loaded.”
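The two flaws PC World describes are a familiar pair: a post-meta save handler that doesn’t check whether the current user is actually allowed to edit that post, and an admin screen that prints the stored value without escaping it. The snippet below is an added illustration we wrote for this post, not code from All In One SEO Pack or Sucuri’s audit; the meta key, function names and nonce action are made up, and it uses only standard WordPress API calls. The weak shape is shown first, then the same feature with the authorization, nonce, sanitization and escaping that keep a subscriber or author from writing markup that later runs in an administrator’s browser.

```php
<?php
// Added example (not the plugin's own code). Meta key '_ts_seo_title',
// the ts_* function names and the nonce action are hypothetical.

// --- Weak pattern, the class of bug described in the article ---
function ts_weak_save_seo_meta( $post_id ) {
    if ( isset( $_POST['ts_seo_title'] ) ) {
        // No capability check, no nonce, no sanitization: any request that
        // reaches this handler can overwrite the post's SEO title.
        update_post_meta( $post_id, '_ts_seo_title', $_POST['ts_seo_title'] );
    }
}

function ts_weak_render_seo_title( $post_id ) {
    // Raw output into an admin page: stored markup is rendered as HTML
    // instead of text, which is how a stored field becomes admin-side XSS.
    echo '<input type="text" name="ts_seo_title" value="'
        . get_post_meta( $post_id, '_ts_seo_title', true ) . '">';
}

// --- Hardened pattern ---
function ts_render_seo_meta_box( $post ) {
    // Nonce ties the save request to this form.
    wp_nonce_field( 'ts_save_seo_meta', 'ts_seo_nonce' );
    $title = get_post_meta( $post->ID, '_ts_seo_title', true );
    // Escape on output so whatever is stored is shown as text, never markup.
    echo '<label>SEO title <input type="text" name="ts_seo_title" value="'
        . esc_attr( $title ) . '"></label>';
}

function ts_save_seo_meta( $post_id ) {
    // 1. The request must carry a valid nonce from our own meta box.
    if ( ! isset( $_POST['ts_seo_nonce'] )
        || ! wp_verify_nonce( $_POST['ts_seo_nonce'], 'ts_save_seo_meta' ) ) {
        return;
    }
    // 2. Ignore autosaves; they never carry our fields.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // 3. Authorization: the user must be able to edit *this* post.
    //    A subscriber fails this check; an author passes only for own posts.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // 4. Sanitize on input: strip tags and stray control characters.
    if ( isset( $_POST['ts_seo_title'] ) ) {
        $clean = sanitize_text_field( wp_unslash( $_POST['ts_seo_title'] ) );
        update_post_meta( $post_id, '_ts_seo_title', $clean );
    }
}

add_action( 'save_post', 'ts_save_seo_meta' );
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'ts_seo_box', 'SEO (example)', 'ts_render_seo_meta_box',
        'post', 'normal', 'default' );
} );
```

Note that sanitizing on save and escaping on output are both needed: the first keeps bad data out of the database, the second protects the admin screen even when a value arrived through some other path (an import, an older plugin version, a direct database edit).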

When we checked the All In One SEO Pack’s download page on WordPress’ website, it was Version 2.1.6, which is the corrected version. The plugin as a whole has had an amazing 18.5 million downloads throughout its lifetime, including almost 4,000 on Monday alone and 26,000 the day the issue was exposed. You can see why security flaws in it could be so damning: the plugin is used by a bundle of sites across the internet.

If you’re not running Version 2.1.6, you should upgrade post-haste. According to PC World, the latest version was released on Sunday, so if you’ve downloaded it since then, you should be fine. The plugin’s overall features include XML sitemap support, Google Analytics support, SEO on WordPress e-commerce sites, and automatic optimization of titles for Google and other search engines. It’s a massively popular plugin.

In several news stories we checked out covering the All In One SEO Pack’s issues, users recommended the Yoast WordPress SEO plugin, which according to its website has been downloaded 10 million times. One user, for example, wrote, “This is just another in the long list of reasons why we advise our customers against using All In One SEO. While the plugin was great at one point, it has been lagging behind Yoast’s WordPress SEO plugin for quite some time now. If you’re still using AIO, this is a great excuse to switch over to Yoast.” ThemeSquirrel has reviewed another option called Smart SEO.

WordPress’ widespread use makes it a major target for hacker attacks. One of the most prominent security issues popped up in 2011 via TimThumb. CNN explained, “In this attack, hackers exploit a security flaw in a popular file used by WordPress and other website-building platforms to crop and resize images (Timthumb.php, thus the name).”

CNN added, “Hackers use the security hole to install malicious code or files into a website or server. From there, they can launch spear phishing campaigns and denial-of-service attacks, where hackers overwhelm a website’s server by flooding it with requests, making the site unresponsive.” Google blacklisted some sites that suffered from the hack.

According to another article, TimThumb attacks continued for as long as a year after the problem was exposed, which shows why it’s important to update your WordPress plugins and programs as often as humanly possible.

We’ll continue to bring you the latest WordPress news right here on ThemeSquirrel.