Your WordPress Website could be hacked with just 1 comment

According to an article by Swati Khandelwal entitled “Hacking WordPress Website with Just a Single Comment”, it is possible to hack a WordPress website with just a single comment!  Apparently, if an unscrupulous individual places JavaScript within a comment, it is possible to have the malicious code executed by just hovering over the comment – whether you approve it or trash it.  “[T]he malicious code will be executed without giving any indication to the admin.”  Malicious code could allow the change of an administrator’s password or the creation of a new user with administrator privileges.

The vulnerability affects the WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest WordPress version 4.2. WordPress has addressed the vulnerability with the recent release of version 4.2.1 on Monday, April 27, 2015.  A second update to the WordPress engine was released last night.

“This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately,” the WordPress team said of the latest version.

Upon reflection and after consultation with colleagues, 3Planets – Internet Solutions STRONGLY recommends that you install the plugin “Peter’s Literal Comments” to prevent any such attack on your website – even if you do not allow comments on your website.  Peter’s Literal Comments converts single quotes, double quotes, the less than symbol (<), the greater than symbol (>), and ampersands (&) to HTML entities whenever a comment is posted, so that the browser shows those characters literally instead of interpreting them as HTML when someone views the comment.
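As an added illustration of what the paragraph above describes (this is not the code of Peter’s Literal Comments, nor code from the article), here is a small must-use plugin that hooks WordPress’s `pre_comment_content` filter and converts the listed characters to HTML entities before the comment reaches the database. The function name, the file name and the sample comment are assumptions made for this example.

```php
<?php
/**
 * Added example, not the plugin's own code: convert the characters
 * listed in the post (' " < > &) to HTML entities before a comment is
 * stored, so its content renders literally instead of as markup.
 *
 * Hypothetical install location: wp-content/mu-plugins/literal-comments.php
 */

/**
 * Escape HTML-significant characters in comment text.
 * ENT_QUOTES covers both single and double quotes; an explicit UTF-8
 * charset avoids depending on the server's default encoding.
 */
function example_literal_comment_text( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// Register the filter only when WordPress is loaded, so this file can also
// be run from the PHP command line to see the escaping by itself.
if ( function_exists( 'add_filter' ) ) {
    // 'pre_comment_content' is applied to the comment body before it is
    // inserted into the database; priority 1 runs it ahead of WordPress's
    // own content filters.
    add_filter( 'pre_comment_content', 'example_literal_comment_text', 1 );
} else {
    // Constructed sample comment for a quick check: php literal-comments.php
    $sample = '<b onmouseover="x()">nice post</b> & "thanks"';
    echo example_literal_comment_text( $sample ), PHP_EOL;
}
```

Because `pre_comment_content` runs before the comment is inserted, the escaped form is what the moderation screen later renders, which is the point of the post: the markup is neutralised before an administrator ever hovers over it. Comments already stored before such a filter was installed are not changed by it and should be reviewed separately.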

This plugin is small, has a low overhead and is elegant.  To read more about this security flaw check out the article “Hacking WordPress Website with Just a Single Comment“.  To get the full description for Peter’s Literal Comments, visit his plugin page How to disable HTML in WordPress comments.