Critical Drupal Vulnerabilities Announced: Update Now.
A critical vulnerability is being exploited in Drupal, a popular Content Management System (CMS), since April 2018. If you run a Drupal website, please update it immediately.
About Drupal’s Critical Vulnerabilities: CVE-2018-7602 and CVE-2018-7600
Both vulnerabilities are rated Highly Critical. Hackers can exploit these vulnerabilities to gain complete access to your website and hosting account. All modern versions of Drupal are affected including Drupal 6, 7 and 8.
Information about both vulnerabilities are available on Drupal's website:
How can I secure my Drupal website?
Please update your Drupal installation to the latest available version. The upgrade process may depend on your current Drupal version and may require a developer's or technician's intervention.
Before You Update
Always back up your current installation, including files and database, before any important update.
What else can I do to protect myself?
Drupal reports that "this vulnerability [CVE-2018-7602] is being exploited in the wild." which means that there are known cases of this vulnerability having been already exploited in production environments by hackers.
This is worrying as your website could potentially be compromised without any obvious signs. More worrisome is that hackers often wait up to a year to activate the malicious code so that patches and backups are limited in their effectiveness.
WHC's SiteSafe Protection service can be used to perform a deep scan to identify any compromised installations and clean them, as well as identify hidden vulnerabilities. To facilitate and encourage its adoption, Web Hosting Canada users can benefit from a 20% discount on SiteSafe Protection this month. Use the code DRUPALSITESAFE20 when ordering to automatically receive the discount.
The Team at WHC