Critical Security Update – Duplicator Plugin
The plugin has over 15 million downloads, including in Ireland.
Another day, another critical security issue. Without trying to be alarmist, I have to say that no one can 100% guarantee web security. The WordPress ecosystem is made up of small single developers and large enterprises. With this software, hackers (although mostly bots) do not discriminate, and no one is ultimately immune. I will go into security in more depth in a later post.
There is currently an active attack on sites with the plugin running versions less than 18.104.22.168
For now, let's talk about Duplicator. It is a very popular site migration tool, available for free. Basically, if you are moving your site or want to back it up, the tool creates a copy (or clone). It is very useful for developers and, overall, a respected plugin. However, there is currently an active attack on sites running plugin versions lower than 22.214.171.124. The attack enables malicious individuals to download your website in full, including core WordPress files. The danger is that this can give hackers a head start in gaining access to your database. If you have customer data on your website, this is a huge liability!
The plugin developer has responded and patched the issue, so you should update immediately. A word of caution: a client of ours recently had to give a 3rd party access for development purposes. The 3rd party installed Duplicator on the website but did not deactivate it. So if you have given 3rd parties access to your site, make sure they haven’t left any unwanted plugins behind.
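One way to run the check described above, as an added example that is not part of the original post: it reads the standard WordPress plugin header from each folder under `wp-content/plugins` and reports plugins that are not on your expected list or are older than a fixed version you supply. The function names, the `example-*` plugins and every version number are assumptions, and the sample tree is constructed; take the real first-fixed version from the plugin developer's advisory.

```python
import re
import tempfile
from pathlib import Path

# Matches "Plugin Name: X" / "Version: 1.2.3" lines inside the header comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def read_header(php_file):
    # WordPress itself only reads the first 8 KB of a file when looking for headers.
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    return {key.lower(): value for key, value in HEADER.findall(head)}

def as_tuple(version):
    # Pad with zeros so that "1.5" and "1.5.0" compare as equal.
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (6 - len(nums)))

def audit_plugins(plugins_dir, expected, first_fixed):
    """Report plugin folders nobody expects, or that predate a fixed release."""
    findings = []
    for folder in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        for php_file in sorted(folder.glob("*.php")):
            meta = read_header(php_file)
            if "plugin name" not in meta:
                continue  # helper file, not the plugin's main file
            version = meta.get("version", "0")
            if folder.name not in expected:
                findings.append((folder.name, version, "unexpected"))
            elif as_tuple(version) < as_tuple(first_fixed.get(folder.name, "0")):
                findings.append((folder.name, version, "outdated"))
            break
    return findings

def demo():
    # Constructed sample tree: the example-* plugins and all versions are made up.
    with tempfile.TemporaryDirectory() as tmp:
        for slug, name, version in [("duplicator", "Duplicator", "0.0.1"),
                                    ("example-forms", "Example Forms", "2.0.0"),
                                    ("example-seo", "Example SEO", "1.4.9")]:
            (Path(tmp) / slug).mkdir()
            (Path(tmp) / slug / f"{slug}.php").write_text(
                f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return audit_plugins(tmp, expected={"example-forms", "example-seo"},
                             first_fixed={"example-seo": "1.5.0"})

if __name__ == "__main__":
    for slug, version, reason in demo():
        print(f"{slug} {version}: {reason}")
```

The scan works on the files on disk, so it lists a leftover plugin whether or not it is currently activated.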
Not sure where to start? Why not download our guide “Five Essentials for Keeping Your Website Safe” on our Care Plan page.