WordPress backup plugin maker Updraft says “You should update”…

WordPress plugins need to be kept up-to-date just as keenly as WordPress itself…

…especially if those plugins are designed to help you look after the entirety of your WordPress site data.

That’s why we thought we’d write about a recent warning from the creators of Updraft and Updraft Plus, which are free and premium plugins respectively that are dedicated to backing up, restoring and cloning WordPress sites.

As you can imagine, a security bug in a backup plugin that could allow an attacker to download a site backup without authorisation means, in theory, that your entire site, and all its accompanying data, could end up getting stolen in one go.

That, apparently, is the nature of CVE-2022-23303, a bug found and reported in the Updraft plugin by a security researcher at Automattic, the company behind the WordPress brand.

You can verify the connection between WordPress and Automattic from this site: we’re hosted by WordPress VIP [2022-02-22], as you can see by looking at the headers of our web replies (X-Powered-By: WordPress VIP <https://wpvip.com>); and then by looking up the administrative and technical contacts for the wpvip.com domain in the Whois database (Admin and Tech Org: Automattic, Inc.).

High-quality response

Actually, as well as acting as a gentle reminder to Updraft users to make sure they’re up-to-date (at the time of writing: 1.22.4 for the free version; 2.22.4 for Premium users), we thought we’d cover this patch as a positive example of how to deal with a cybersecurity flaw.

In our opinion, Updraft got several important things right in the update bulletin that it published on its blog:

  • The report was timely. The patch was available and written up within two days of the bug being responsibly disclosed by Automattic.
  • The report didn’t mince its words. The opening paragraph states, “The short version is: you should update. To get the details, read on.”
  • The report described the bug in plain English, and was clear about the risk posed. Simply put, any authorised user of your site, even one who usually only uploads articles for editing and approval by others, might be able to clone your whole site, including making off with all your non-public data.
  • The company offered a credible apology. Rather than leading with weasel words about how the bug wasn’t in the wild, or talking it down by emphasising that it didn’t allow totally unauthenticated access, the report explained the situation first, reiterated the importance of updating anyway, and presented its apparently genuine regret at the end.
  • The report was written by someone in the know. Rather than leaving the published verbiage to PR or marketing, the report was written by one of Updraft’s lead developers.

Try reading our satirical take on data breach notifications, written as a humorous article a few years ago, and then comparing it with Updraft’s security report.

We think you’ll agree that following up a cybersecurity blunder by telling the simple truth in plain English is not only genuinely helpful, but also more likely to persuade your customers to trust you in the future.

If nothing else, an open and explanatory security report shows that you’ve actually learned something positive from the incident, and thus reinforces any claims you may make about doing better next time.

What to do?

  • If you’re an Updraft or Updraft Premium user, make sure you have at least version 1.22.4 or 2.22.4 respectively. Even if you consider yourself low-risk through having no or few unprivileged users to worry about, update anyway. As Updraft correctly points out, although an active attack would depend on “a hacker reverse-engineering the changes in the latest [..] release to work it out, […] you should certainly not rely upon this taking long, but should update immediately.”
  • If you run a website of your own, whether it’s based on WordPress or not, practise how you would respond if you came across a data-threatening bug like this one. Preparing how you would respond if you were to fail is not the same as simply preparing to fail. In fact, being aware of the work you’d need to do in the event of a critical bug or a data breach is a good incentive for learning how to defend against such problems in the first place.