{"id":267,"date":"2014-04-09T23:50:06","date_gmt":"2014-04-09T23:50:06","guid":{"rendered":"https:\/\/digitalchild.info\/?p=267"},"modified":"2014-04-09T23:50:06","modified_gmt":"2014-04-09T23:50:06","slug":"heartbleed-vulnerability-and-wordpress","status":"publish","type":"post","link":"https:\/\/randomadult.local\/heartbleed-vulnerability-and-wordpress\/","title":{"rendered":"Heartbleed Vulnerability and WordPress"},"content":{"rendered":"
Unless you’ve been under a rock for the last day and a half, you will have heard something about the latest OpenSSL vulnerability,\u00a0called Heartbleed<\/a>. This article is for anyone who cares about the Heartbleed vulnerability and WordPress SSL. The vulnerability\u00a0allows an attacker to steal information that is usually tightly guarded behind your SSL certificates. They can get passwords, the private key that secures your SSL certificate and sits\u00a0in your server’s memory, and other information, all without leaving a trace. This is very bad. Now, I run a lot of WordPress websites and use SSL certificates for access to the admin area and for all user logins. You do too, right?<\/p>\n You can check if you’re vulnerable by using the following tool developed by Filippo Valsorda at \u00a0http:\/\/filippo.io\/Heartbleed\/<\/a><\/p>\n Almost all major operating systems that are vulnerable have already released patches for this, and unless you’re with a dodgy web host, they will have applied the patch by now. This is great; however, because there is no way of knowing whether there has\u00a0been an attack,\u00a0you should generate a new SSL certificate and have that installed. You will then need to force all your users to log out and change their passwords.<\/p>\n Force Logout<\/strong><\/p>\n In WordPress it is actually very easy to force all your users to log out by changing the security keys stored<\/a> in your wp-config file. 
You can read how to do this here.<\/p>\n What you’ll need to do is open the wp-config.php file in your WordPress install and locate the lines that look like this:<\/p>\n\ndefine( 'AUTH_KEY', 't`DK%X:>xy|e-Z(BXb\/f(Ur`8#~UzUQG-^_Cs_GHs5U-&Wb?pgn^p8(2@}IcnCa|' );\ndefine( 'SECURE_AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj' );\ndefine( 'LOGGED_IN_KEY', 'MGKi8Br(&{H*~&0s;{k0\ndefine( 'NONCE_KEY', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe' );\ndefine( 'AUTH_SALT', '7T-!^i!0,w)L#JK@pc2{8XE[DenYI^BVf{L:jvF,hf}zBf883td6D;Vcy8,S)-&G' );\ndefine( 'SECURE_AUTH_SALT', 'I6`V|mDZq21-J|ihb u^q0F }F_NUcy`l,=obGtq*p#Ybe4a31R,r=|n#=]@]c #' );\ndefine( 'LOGGED_IN_SALT', 'w<$4c$Hmd%\/*]`Oom>(hdXW|0M=X={we6;Mpvtg+V.o<$|#_}qG(GaVDEsn,~*4i' );\ndefine( 'NONCE_SALT', 'a|#h{c5|P &xWs4IZ20c2&%4!c(\/uG}W:mAvy<i44`jabup]t=]v<`}.py(wTP%%' );\n\n<\/pre>\n