BlogAid

Help for DIY Site Owners and Webmasters - WordPress, SEO, HTTPS, Security, and Performance

PHPMailer Exploit in WordPress Core

December 27, 2016 by MaAnna Stephenson


WordPress Security Alert 

A new security issue has been found in PHPMailer, the code WordPress uses to send emails from your site.

UPDATE 1/10/17 – The developer of the PHPMailer code has patched it for this vulnerability.

As reported in Tips Tuesday for Jan 10 2016, WordPress will not be creating a patch for it.

So hosts are now applying the patch directly from the developer.

You may get an email from your host reporting that they are taking this action.

UPDATE 1/11/17 – The very next day, WordPress rolled out 4.7.1, stating that there was still no issue in the code but that they updated it anyway, just to be sure.

Following is a brief on the situation and what you need to do.

You may get an email from your host about this if they have active security scanners.

It will take a WordPress update to fix it and they are already working on that.

If you have auto updates turned on (they are on unless you changed code to turn them off), the WP security update will be installed automatically for you.

If you use a plugin to send email from your site (like one with SMTP and an outside service), it will not be affected by this exploit.

Also, a hacker would have to get control of the sending address (yours) to be able to actually run the exploit. So, that’s probably never going to happen.

What You Should Do

If you haven’t updated to WP 4.7, you may want to do that now.

I don’t know if a security patch will be available for WP 4.6 or not, but usually when something like this happens so close to a major release date, they do patch for both.

If you’ve already updated to WP 4.7, just sit tight and let the WordPress auto update take care of this for you.

More Info

Here’s a link with more info from WordFence.

There is also a post on Hacker News, but I’m not sure they are keeping it as up to date as WordFence.


Filed Under: Security, WordPress

About MaAnna Stephenson

MaAnna is a geek who can still speak in plain English and helps non-geeks create sites that get noticed by search engines and readers, are secure, plus convert, and perform well.
© Copyright 2018 Blog Aid · WordPress for Non-Geeks · All Rights Reserved
