JetPack XSS Security Issue - What We Did to Protect You

jetpack

On October 1st, a security issue in JetPack, one of the most commonly used WordPress plugins, was disclosed by our partners from Sucuri. The vulnerability was severe because an attacker could exploit the contact form feature of the plugin to insert and execute JavaScript code as an admin of your site. Needless to say, that could lead to all sort of problems – injecting black SEO links, adding backdoors for full access to your account, accessing private information, etc. In this recap post, we would like to summarise what we did to protect SiteGround users with this plugin installed.

Added a Rule in Our WAF to Prevent Exploiting the Vulnerability

Our security team acted immediately on the day the vulnerability was announced and added a special rule to block hacking attempts trying to utilise this exploit in our web application firewall. Basically, we started blocking all requests that match a pattern crafted by our security team. Of course, before applying this firewall rule, we did enough testing to make sure that no real requests to our customers’ sites will be blocked, just the malicious ones. However, doing this does not fix the core of the problem, but simply prevents attacks that try to gain unauthorised access to our customers’ sites through this security hole.

Updated the JetPack plugins of our clients

After the disclosure of the vulnerability, the Automattic team that developed JetPack has released an update for the plugin. Since we do not like leaving security holes unresolved, we notified all our clients using Jetpack that their plugins would be updated. And just a few days after the disclosure, we had updated 95% of all outdated JetPack plugins on our shared servers. About 5% of the attempted upgrades were unsuccessful, in which case we offered additional assistance to the affected owners.

Access email sent!

Sign Up For
More Awesome Content!

Subscribe to receive our monthly newsletters with the latest helpful content and offers from SiteGround.

Thanks!

Please check your email to confirm your subscription.

Hristo Pandjarov

Product Innovation Director

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

Comments ( 5 )

author avatar

Erik Joling

Oct 13, 2015

I wasn't affected because i don't use Jetpack, but I like the way Siteground is proactively trying to protect our websites. Thanks!

Reply
author avatar

Darko

Nov 10, 2015

SiteGround. On top of it all - as always :)

Reply
author avatar

tom

Nov 10, 2015

Keep up the great work. As always. Thank you!!

Reply
author avatar

Freyja W.

Nov 10, 2015

Wonderful - thank you! When anyone asks me I say use Siteground of course. The best!

Reply
author avatar

Hristo Pandjarov Siteground Team

Nov 30, 2015

Always doing our best to protect our customers without interfering with their data!

Reply

Start discussion