In the modern world of the Internet, software bugs are incredibly hard, if not impossible, to completely avoid. Generally these bugs are pretty benign: a page may not load, might be displayed incorrectly, or maybe the site is just completely down. Sure, those are major inconveniences, but the sites still exist and are safe from malicious hands.
What happens, though, when one of these bugs isn’t so benign and turns out to be a full-on vulnerability? Or worse, a vulnerability that allows unapproved access to execute code on your server? These situations shouldn’t be taken lightly, especially if the vulnerability exists on a server running your clients’ WordPress sites. On the rare occurrence this does happen, a hacker could wreak havoc on your clients’ sites and servers. The best way to protect them is with a hosting environment that automatically applies patches for critical server vulnerabilities, like our Managed WordPress Hosting. Let’s take a look at one example of a recent vulnerability that could have affected our customers, if we hadn’t been standing by ready to act.
The Great Glibc Debacle of 2015: Buffer-Overflow
In 2015, an OpenSSL vulnerability was discovered that affected Linux and Unix-based servers. It was a result of a bug in the glibc package necessary for many Linux and Unix-based programs to function. The vulnerability could potentially allow a clever 3rd party to remotely execute code on the server. The bug which exposed this vulnerability in glibc was introduced into the code sometime in 2008 and had been present since version 2.9. However it wasn’t reported in the glibc bug tracker until July 2015 and met with little traction or attention. It’s important to point out here that the full scope of the bug was not understood at the time.
It wasn’t until February 2016 that an engineer at Google discovered this bug. During his investigation, he discovered it was caused by glibc and could allow remote code execution. This was a huge security risk! Since the main bug that created this issue was actually in Glibc, and Glibc is used by a wide variety of Linux programs and utilities, there were multiple Linux programs affected by the vulnerability – meaning a wide range of customers would be affected. Luckily, with some collaboration between the Engineers at Google and RedHat they were able to complete a patch to protect glibc users.
The Fallout and Our Response
For this particular vulnerability, the potential exposure for customers if left unpatched is huge – tens of thousands of server instances could be controlled by hackers. Having a patch available is only part of the battle, though; if it wasn’t installed and applied properly, servers would still be vulnerable to exploitation and remote code execution.
Normally applying a patch means you have to log in to every server with affected Glibc versions (which is almost all of them), run software updates, confirm the package was updated, and finally reboot each server to ensure the patch is fully effective. Thankfully for any Liquid Web customer with Managed WordPress Hosting (and all of our fully managed products), that’s not the case. We were able to proactively patch and reboot servers in an automated manner, meaning we kept your servers and services secure quickly and without any action on your part.
OpenSSL Vulnerabilities No Match for Managed WordPress Hosting
Security issues and vulnerabilities can occur on any of the various levels of your web infrastructure. While it’s most common that these issues will occur at the level of your WordPress site, themes, or plugins, they do happen at lower levels from time to time. This is something easy to overlook, but very important to keep in mind. A product like our Managed WordPress Hosting provides not only automatic WordPress core updates, but also the full power of our 24/7/365 Heroic Support® standing at the ready to patch your server. Our Managed WordPress Hosting can make these updates effortless, so that you can enjoy peace of mind and ensure happy, secure customers.
Want WordPress without the hassle? Check out WordPress Without Limits, a managed WordPress solution, with one-click staging, one-click backup restoration, automatic updates, automatic backups, and free SSL.