Major WordPress Plugin Flaw Puts Over 4 Million Sites at Risk

So I just came across this WordPress vulnerability and it looks pretty serious. The ‘Really Simple Security’ plugin (formerly Really Simple SSL) has a flaw that lets attackers bypass authentication and get admin access. Apparently, it affects over 4 million websites.

The issue (CVE-2024-10924) was patched in version 9.1.2, but if you’re using anything between 9.0.0 and 9.1.1.1, your site might be at risk. WordPress is even pushing automatic updates because of how bad it is.

If you have this plugin, have you updated yet? Anyone seen any attacks happening?

Wow, I use that plugin on several sites. Glad they’re forcing an update, but how do I check my version?

Nate said:
Wow, I use that plugin on several sites. Glad they’re forcing an update, but how do I check my version?

You can check it by going to your WordPress dashboard, then Plugins > Installed Plugins. Look for ‘Really Simple Security’ and check the version number.
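A scripted version of that check, added here as an example and not from anyone in the thread: it classifies a plugin version string against the 9.0.0 to 9.1.1.1 range from the first post, and can optionally read the installed version with WP-CLI (assumed to be installed and run from the WordPress root; the plugin slug really-simple-ssl is also an assumption).

```shell
#!/bin/sh
# Added example (not from any post in this thread): classify an installed
# Really Simple Security version against the range quoted above.
# Vulnerable: 9.0.0 through 9.1.1.1 (CVE-2024-10924). Fixed in 9.1.2.
VULN_MIN="9.0.0"
VULN_MAX="9.1.1.1"

# vercmp A B: prints lt, eq or gt. Compares dot-separated numeric
# components; a missing component counts as 0, so 9.1.1 < 9.1.1.1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ -z "$ah" ]; then ah=0; fi
        if [ -z "$bh" ]; then bh=0; fi
        if [ "$ah" -lt "$bh" ]; then echo lt; return 0; fi
        if [ "$ah" -gt "$bh" ]; then echo gt; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo eq
}

# rss_status VERSION: prints "vulnerable", "patched" or "below-range".
# A pre-release suffix (e.g. 9.1.2-beta) is dropped before comparing.
rss_status() {
    v="${1%%-*}"
    if [ "$(vercmp "$v" "$VULN_MIN")" = lt ]; then
        echo below-range   # older than 9.0.0: not in the quoted advisory range
    elif [ "$(vercmp "$v" "$VULN_MAX")" = gt ]; then
        echo patched       # 9.1.2 or later
    else
        echo vulnerable
    fi
}

# check_installed: read the live version with WP-CLI (assumed installed and
# run from the WordPress root; the slug really-simple-ssl is an assumption).
check_installed() {
    ver="$(wp plugin get really-simple-ssl --field=version)" || return 2
    printf 'installed %s: %s\n' "$ver" "$(rss_status "$ver")"
}

# Constructed sample versions to show how each one is classified.
for v in 8.3.0 9.0.0 9.1.1 9.1.1.1 9.1.2 9.1.2-beta 10.0.0; do
    printf '%-10s %s\n' "$v" "$(rss_status "$v")"
done
```

Run `check_installed` on a site to classify the version WP-CLI reports; a result other than "patched" means the update from the first post has not landed yet.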

@Toby
If my site is set to auto-update, do I need to do anything?

Luca said:
@Toby
If my site is set to auto-update, do I need to do anything?

Probably not, but I’d still check just to be sure. Sometimes updates don’t go through immediately.

This is the second big WordPress vulnerability this week. First WPLMS LMS, now this?

Vesper said:
This is the second big WordPress vulnerability this week. First WPLMS LMS, now this?

Yeah, the WPLMS issue was also bad. It let attackers delete the wp-config.php file, which could give them full control of a site.

@Toby
Wait, what happens if wp-config.php is deleted?

Clarke said:
@Toby
Wait, what happens if wp-config.php is deleted?

Basically, WordPress thinks it’s a new install and lets someone set up the site from scratch. If an attacker does it, they can link it to their own database and take over.

@Toby
That sounds terrifying. Is there a way to prevent it?

Fern said:
@Toby
That sounds terrifying. Is there a way to prevent it?

Lock down file permissions so wp-config.php can’t be deleted. A security plugin like Wordfence can also help detect weird activity.

Are there any signs to watch for if a site has been hacked because of this?

Yan said:
Are there any signs to watch for if a site has been hacked because of this?

Check your user list for unknown admin accounts, look for any unexpected site changes, and monitor traffic for unusual spikes.

@Toby
I also recommend setting up alerts for logins from unusual locations. It can help catch weird activity early.

If WordPress forced an update, why are people still worried?

Sage said:
If WordPress forced an update, why are people still worried?

Not every site gets auto-updates immediately. Some might be delayed or have updates turned off.

Toby said:

Sage said:
If WordPress forced an update, why are people still worried?

Not every site gets auto-updates immediately. Some might be delayed or have updates turned off.

Good point. I just checked and my version was still outdated. Updating now.

Does this mean I should stop using ‘Really Simple Security’ altogether?

Kieran said:
Does this mean I should stop using ‘Really Simple Security’ altogether?

Not necessarily, but if a plugin has had a security issue like this and the devs don’t respond fast, it’s a bad sign.

@Toby
Might be worth looking for alternatives if you don’t want to take chances.