Popular WordPress SEO Plugin Vulnerable to Injection Attacks

SEO by Yoast, a popular WordPress plugin used by many podcasters, was found to have a bug that left the software vulnerable to SQL injection attacks. If the exploit were executed, an attacker would be able to take over an entire WordPress installation. From the Threatpost article linked above:

Vulnerable versions of the service are susceptible to arbitrarily executed SQL queries, in part because it lacks proper cross-site request forgery protections. If the attacker were able to trick an authenticated administrator, editor or author into following a link to a malicious page, the attacker could then create an admin role for himself and totally compromise affected sites.

While it’s impossible to know how many WordPress sites are running the vulnerable plugin, the SEO by Yoast page on the WordPress plugin directory shows that the software is currently actively installed on over one million sites. To fix the vulnerability on your own WordPress site, ensure that you’re running version 1.74, which is the latest version of the Yoast plugin. (If you’re running an older version of the plugin, the WordPress dashboard should notify you of an available update the next time you log in.)

And regardless of which plugins you use, it’s always important to keep all of them (as well as your core WordPress files) up to date. It’s the best way to safeguard your site against these kinds of issues.

Create Easy 301 Redirects Using the Yoast SEO Plugin

Sometimes, you may need an easy way to create a URL on your podcast site that automatically forwards to another location. For example, instead of asking your listeners to find your iTunes listing by searching for your show inside of iTunes, you could simply tell them to go to example.com/itunes (example.com being replaced by your own URL, of course). You can achieve this by setting up a 301 redirect on your website. The redirect automatically tells a web browser to go from your specially crafted URL to wherever you’ve pointed the redirect.

301 redirects are usually added to your website’s .htaccess file, although the exact method depends on what type of software your site is running. I use WordPress for all of my podcast sites, and all WordPress installations include their own .htaccess file.

.htaccess files may be difficult to find with typical FTP clients, because they are hidden files. You may need to alter the client’s view settings, or you may need to go through your server’s control panel to get to the file. This may be annoying, but it’s actually a good thing: you can do serious damage to your site if you accidentally delete or corrupt the .htaccess file. You can, however, easily get at your site’s .htaccess file by using the free Yoast WordPress SEO plugin.
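Here is what such a redirect looks like inside a WordPress site’s .htaccess file. This is an added example, not taken from the original post or from the Yoast plugin; the path /itunes and the destination URL are placeholders you would replace with your own. It also shows the one caveat worth knowing before you paste: the plain Redirect directive matches by prefix, so an anchored RedirectMatch is the safer choice when you want only the exact vanity URL to forward.

```apache
# Added example (not from the original post or from Yoast). Assumes Apache
# with mod_alias and mod_rewrite, and a standard WordPress .htaccess.
# The destination URL below is a placeholder; substitute your own listing.

# Option A: prefix match. Note that this also forwards /itunes-anything and
# appends the remainder of the path to the destination, which is rarely wanted.
# Redirect 301 /itunes https://podcasts.apple.com/podcast/idPLACEHOLDER

# Option B (preferred): anchored match, so only /itunes and /itunes/ forward.
RedirectMatch 301 ^/itunes/?$ https://podcasts.apple.com/podcast/idPLACEHOLDER

# WordPress's own rewrite block stays below, exactly as WordPress wrote it.
# Leave it intact; the redirect above is processed before these rules
# because mod_alias runs ahead of mod_rewrite for this request.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

Before editing, download a copy of the existing .htaccess so you can restore it if a typo takes the site down, and after saving, load example.com/itunes in a private browser window to confirm you get a single 301 hop to the destination rather than a 500 error or a redirect loop.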
