There are two parts to Heartbleed, the internet security vulnerability that’s dominating the headlines, as far as owners of WordPress websites are concerned.
The first relates to the safety or otherwise of your website itself.
The second relates to third party services that interplay with your website, like email accounts, social networking sites and payment gateways.
Let’s take a deep breath, get a brief understanding of Heartbleed and then decide what we need to do to avoid it closing down our businesses.
Heartbleed in a heart beat
On the internet, web browsers, websites and other services can connect with each other in an open way or in a secured way.
While reading this article on our website you are connecting with our site in an open way. No passwords needed, just click around the site and read what you want to read.
However, when you log in to Facebook or your bank or your email online, a secure connection is used so that no prying eyes (or computers) can intercept what you are looking at.
It is like the Cone of Silence in Get Smart.
However, the software used to create many of the world’s ‘cones of silence’ (a library called OpenSSL) has been faulty for a couple of years now, and the fault has only just been revealed publicly.
In short, the fault lets strangers eavesdrop on, extract and record data being shared between services that was MEANT to be private.
In the world of the internet, this means usernames and passwords being captured, stored in databases, and used by crooks later on.
It’s nothing to do with WordPress, it’s the way that you host it
From the perspective of my WordPress Wednesday blog, I’ll start with WordPress itself.
For our clients and for most users of self-hosted WordPress websites, Heartbleed does not pose an immediate threat, because the fault sits in the OpenSSL software on the web server rather than within your website itself.
So you should be thinking about whether or not your web hosting provider is safe.
A large portion of our clients have been using HostGeek web hosting, and I have confirmed with them that they have applied the patch to keep their servers secure. They say:
‘A patch was applied in relation to the Heartbleed issue. I can confirm that no further changes need to be made by yourself as the issue has already been addressed across all of our shared servers. As we had applied the patch before the server was compromised a password reset was not required. However from a security point of view we always recommend changing hosting related passwords every so often if possible.’
You might see references in the media to WordPress.com websites being exposed to the threat.
That is because the WordPress.com web servers were using OpenSSL and were vulnerable until they applied the patch.
If you have a WordPress.com blog, it is highly recommended that you now change your password to keep things safe.
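If you administer your own server (or can get a shell on it), here is a way to verify a hosting provider’s statement like the one above rather than taking it on trust. This is an added example, not code from the original post: it classifies the text printed by `openssl version -a`. The version range in the comments (OpenSSL 1.0.1 to 1.0.1f affected, fixed in 1.0.1g) is from the OpenSSL advisory; treating a post-disclosure build date as a sign of a vendor backport is a heuristic assumed here, not a guarantee.

```python
import re
import subprocess
from datetime import date, datetime

# Heartbleed (CVE-2014-0160) is a bug in OpenSSL 1.0.1 through 1.0.1f.
# It was fixed in 1.0.1g, released on 7 April 2014; the 0.9.8 and 1.0.0
# branches never had the bug.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"
DISCLOSURE_DATE = date(2014, 4, 7)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")
# Matches the "built on:" line of `openssl version -a`,
# e.g. "built on: Mon Apr  7 20:33:29 UTC 2014".
BUILT_RE = re.compile(
    r"built on:.*?([A-Z][a-z]{2})\s+(\d{1,2})\s+\d\d:\d\d:\d\d.*?(\d{4})")


def heartbleed_status(version_output: str) -> str:
    """Classify the output of `openssl version -a` as unknown, not affected,
    fixed, probably fixed (backport) or vulnerable."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if branch < AFFECTED_BRANCH:
        return "not affected"
    if branch > AFFECTED_BRANCH or letter >= FIRST_FIXED_LETTER:
        return "fixed"
    # Version string says 1.0.1 to 1.0.1f. Distributions such as Debian and
    # Ubuntu kept the old version number and backported the fix, so a build
    # date on or after the disclosure is a hint (only a hint) that the
    # fix is present; the package changelog is the authoritative source.
    b = BUILT_RE.search(version_output)
    if b:
        built = datetime.strptime(" ".join(b.groups()), "%b %d %Y").date()
        if built >= DISCLOSURE_DATE:
            return "probably fixed (vendor backport, check package changelog)"
    return "vulnerable"


def local_openssl_status() -> str:
    """Run the real `openssl version -a` on this machine and classify it."""
    try:
        out = subprocess.run(["openssl", "version", "-a"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "unknown"
    return heartbleed_status(out)


if __name__ == "__main__":
    print(local_openssl_status())
```

On shared hosting without shell access you cannot run this yourself, which is exactly why the provider’s written confirmation matters.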
Other web services connected to my online marketing
The last part of the article today relates to all those other services that might interact with your website.
I’m talking about your Facebook business page, Twitter account, Pinterest account, etc.
These services have been exposed but have since applied the follow-up security patches, which means now is the time to change your passwords in these places.
You can look through a live list of all affected and unaffected ‘major’ services compiled by Mashable, to see if you need to take action.
Some big ones include Gmail, Flickr and Instagram but the list is well worth a read.
Here is the link: The Heartbleed Hit List: The Passwords You Need to Change Right Now
If you are wondering if this is worth all the fuss, just consider what impact it would have on your business if hackers got access to your Facebook page, or email account, or Dropbox account.
Remember, too, with Facebook, you share administration rights to your company page with co-workers so make sure they update THEIR Facebook passwords as well.
My advice is to look through the list of services on the Mashable site for ones you use and take the action prescribed.
For services not in the list, email them directly with Heartbleed Advice Needed in the subject line. Ask specifically:
- Were you affected?
- Have you applied a patch?
- Should I update my password(s)?
This checking process and updating of passwords needs to happen today, please, but only once the service in question has applied the patch (a new password set on a still-vulnerable server can be leaked just like the old one).
A final bit of good news
Many of our clients use PayPal as a payment gateway for handling transactions on their websites.
According to the Mashable list, PayPal was never using the OpenSSL system and is therefore unaffected directly.
It kind of makes the 3.4% plus 30 cents commission worth it!