UpdraftPlus Security Vulnerability Revealed

Is your WordPress website safe? Over 3 million websites compromised due to UpdraftPlus Plugin vulnerability

A severe vulnerability which allows hackers to download usernames and hashed passwords has been identified by security researcher Automattic. The issue has the potential to impact the millions of websites using the popular WordPress backup plugin, UpdraftPlus.

The extremely popular UpdraftPlus is a backup plugin that’s actively installed in over 3 million websites. The plugin allows WordPress administrators to back up websites in case of errors. The backups include sensitive data such as user credentials and passwords – data which is now at risk.

So what happened?

Two previously unidentified vulnerabilities were discovered during a routine audit conducted by security researchers at Automattic.

The first issue relates to how the UpdraftPlus security tokens can be leaked, allowing an attacker to obtain a full website backup. It goes without saying that this is bad news.

According to WordPress, cryptographic nonces – the security tokens utilised by UpdraftPlus – should never be the main line of defence against hackers. Functions should be protected by properly validating whether any given user has the proper credentials. UpdraftPlus fails in this regard.

The second vulnerability is concerning the improper validation of a registered user’s roles. This allows a hacker with the data gained from the previous vulnerability to download all sensitive information contained on the website.

To say this is a huge security concern is an understatement.

What should I do?

If you use UpdraftPlus, you should get in touch with us immediately for a free plugin audit. We can help you to take the necessary steps to secure your website and customers’ sensitive data before a breach occurs.

Plugin audits should be a regular check for any website owner. Remember, all plugins are third party applications and come with an inherent security risk. Whether it’s a vulnerability to hackers, or simply an update which causes an incompatibility that breaks your website, you need to be ready to act. Your business might depend on it.


Read the Jetpack Announcement

Severe Vulnerability Fixed In UpdraftPlus 1.22.3

Read the UpdraftPlus Announcement

UpdraftPlus security release – 1.22.3 / 2.22.3 – please upgrade

Back to blog list

About the Author

Owen Gaudion - technical seo developer

Owen G

Technical SEO Account Manager

Owen’s day to day jobs include ensuring our SEO client websites are meeting Google’s performance criteria, assisting with website changes and creating monthly Core Web Vital reports to ensure we are always driving our clients’ websites in the right direction!

He has been in the marketing industry since 2017 but his passion for SEO and development started long before. He has been developing websites and helping businesses with their online presence since he was 16.

Owen is a keen football fan and enjoys traveling around the country to watch football. So far, he has gone 3,429 miles to watch his team, Portsmouth, play away.