UpdraftPlus is a premium WordPress plugin that automates WordPress file and database backup as well as restoration to the cloud. The free version prior to 1.9.51, and versions without the “automatic backups” or “no adverts” add-ons, are vulnerable to security token, or nonce, disclosure which allows malicious actors outside your company to perform administrative-level actions like downloading sensitive configuration files and uploading remote control shells.
What should you do as a WordPress and UpdraftPlus user?
SiteLock protects WordPress site owners from the UpdraftPlus vulnerability with the SiteLock TrueShield web application firewall with Virtual Patching, regardless of UpdraftPlus version. TrueShield analyzes site traffic and stops attempted unauthorized security token use, again, even before the patch is applied.
If you don’t have SiteLock, you’ll need to update UpdraftPlus to version 1.9.51 as soon as possible. With disclosure, automated attacks follow, and without a firewall like TrueShield, or SiteLock’s SMART scanner which finds malicious code as soon as it hits your site, updates are your best defense.
For more information on SiteLock security solutions call 877.563.2791.