WordPress MailPoet Plugin Security Issue and Password Best Practices

As you may have read, the popular WordPress plugin, MailPoet, has a vulnerability that allows a potential hacker to upload PHP files to the server and execute them. In a few cases, this vulnerability has been used against Magento software that resides on the same server.

We recommend that all Magento merchants using WordPress immediately update the MailPoet plugin to remove this vulnerability. More information about this update is available on MailPoet’s blog. You should also review your server logs for anything that might be out of the ordinary.

While we’re on the topic of security, please take a moment to confirm that you’re following best practices with regard to your Admin passwords. We encourage all merchants to use strong Admin passwords and to change them often. Attackers can take advantage of weak or leaked passwords to gain access to your system and install extensions containing malicious code. Additionally, be sure to disable remote access to Magento Connect Manager and Downloader on production sites, or restrict access to safe IP addresses. Regularly check your list of extensions and your logs for suspicious activity.
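The two checks recommended above (restricting the Downloader to safe IP addresses and reviewing logs for anything out of the ordinary) can be turned into a small log-review script. The following is an added example, not code from Magento, MailPoet or this post; the log lines, the operator IP allowlist and the upload-directory prefixes are constructed assumptions, and the flagged patterns (a `.php` file requested from an upload directory, a request to `/downloader` from an address outside the allowlist) are the traces the attack described on this page would leave in a web server access log.

```python
import re

# Apache/nginx "combined" access-log layout; this regex is a common
# approximation of that format, not a Magento or MailPoet artifact.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical allowlist: the operator addresses that may reach the Magento
# Connect Manager / Downloader. Mirrors the IP restriction the post recommends
# configuring on the web server itself. Values are constructed.
ALLOWED_ADMIN_IPS = {"203.0.113.10"}

# Assumed directories that should only ever serve static uploads; a request
# for a .php file beneath one of them is the signature of upload-and-execute.
UPLOAD_DIRS = ("/wp-content/uploads/", "/media/")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons this request looks suspicious (empty if none)."""
    reasons = []
    path = entry["path"].split("?", 1)[0].lower()  # drop the query string
    if path.endswith(".php") and path.startswith(UPLOAD_DIRS):
        reasons.append("php-in-upload-dir")
    if path.startswith("/downloader") and entry["ip"] not in ALLOWED_ADMIN_IPS:
        reasons.append("downloader-from-unlisted-ip")
    if entry["method"] == "POST" and path.startswith(UPLOAD_DIRS):
        reasons.append("post-to-upload-dir")
    return reasons


def scan(lines):
    """Return (ip, path, reasons) for every suspicious request in the log."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in the expected format
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["path"], reasons))
    return findings


# Constructed sample log: one legitimate Downloader visit from an allowlisted
# address, one from an unknown address, one PHP request inside the uploads
# directory, and two ordinary requests that should not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jul/2014:10:01:02 +0000] "GET /downloader/ HTTP/1.1" 200 5120
198.51.100.7 - - [16/Jul/2014:10:05:44 +0000] "GET /downloader/index.php HTTP/1.1" 200 5120
198.51.100.7 - - [16/Jul/2014:10:06:01 +0000] "GET /wp-content/uploads/2014/07/upload.php?x=1 HTTP/1.1" 200 312
192.0.2.55 - - [16/Jul/2014:10:07:13 +0000] "GET /wp-content/uploads/2014/07/logo.png HTTP/1.1" 200 8192
192.0.2.55 - - [16/Jul/2014:10:08:00 +0000] "GET /index.php/catalog/product/view/id/5 HTTP/1.1" 200 24000
""".splitlines()


if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip:15} {', '.join(reasons):30} {path}")
```

Run against a real log by replacing `SAMPLE_LOG` with the lines of the access log; the allowlist should contain exactly the addresses that the web server rule guarding `/downloader` (for example an Apache `Require ip` directive inside a `<Location /downloader>` block) already permits, so that any hit the script reports from another address means the restriction is missing or being bypassed.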

The safety and security of our merchants is our top priority, and should be yours, also. We will continue to identify and communicate potential security issues, so you can take the steps necessary to reduce your vulnerability.

To stress the importance of following best security practices, we want to make sure that you are aware of a recent attack that was reported by Nexcess. Visit their blog to learn more about the exploit they discovered, and how to respond to it.