Heartbleed Vulnerability and WordPress

Unless you’ve been under a rock for the last day and a half you would have heard something about the latest OpenSSL vulnerability called Heartbleed. This article is going to help anyone that cares about the heartbleed vulnerability and WordPress SSL. What this vulnerability allows is for an attacker to steal information that is usually nice and tightly guarded behind your SSL certificates. They are able to get passwords, the private key that secures your SSL certificate that is in your servers memory and other information leaving no trace. This is very bad. Now I run a lot of WordPress websites and use SSL certificates for access to the admin area and for all user logins, you do too right, right?

You can check if you’re vulnerable by using the following tool developed by Filipp Valsorda at  http://filippo.io/Heartbleed/

Almost all major operating systems that are vulnerable have already released patches for this and unless you’re with a dodgy web host they would have applied the patch by now. This is great however due to the fact that there is no way of knowing if there has been an attack you should generate a new SSL certificate and have that installed. You will then need to force all your users to log out and change their passwords.

You will need to force everyone to logout and then force them all to change their passwords.

Force Logout

In WordPress it is actually very easy to force all your users to log out by changing the security keys stored in your wp-config file. You can read how to do this here.

What you’ll need to do is open the wp-config.php file on your wordpress install and locate the lines that look like this.

define( 'AUTH_KEY',         't`DK%X:>xy|e-Z(BXb/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' );
define( 'SECURE_AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' );
define( 'LOGGED_IN_KEY', 'MGKi8Br(&{H*~&0s;{k0
define( 'NONCE_KEY', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' );
define( 'AUTH_SALT', '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' );
define( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' );
define( 'LOGGED_IN_SALT', 'w<$4c$Hmd%/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' );
define( 'NONCE_SALT', 'a|#h{c5|P &xWs4IZ20c2&%4!c(/uG}W:mAvy<i44`jabup]t=]v<`}.py(<span class="hiddenSpellError">wTP%%' );

Use the online salt generator found here. This will output a set of new salts you can paste over the existing ones. Save the file and this will force everyone to log in again.

Force Password Change

This is also relatively easy if you are comfortable with PhpMyAdmin and SQL. WordPress won’t let someone log in if their password is blank so you can force everyone to change their password by updating ALL passwords to nothing. When a user tries to login it will deny them and they will have to use the lost/forgot password feature of WordPress to reset it.

You will need to check what your database prefix is (this is in your wp-config.php) and then run the following command in PhpMyAdmin on your wordpress database.

UPDATE wp_users SET user_pass='';

PLEASE NOTE: This assumes that your WordPress database prefix is wp, it might not be this if you are using any security plugins such as Better WP Security.