heartbleed
- This topic has 2 replies, 3 voices, and was last updated 10 years, 7 months ago by .
Tagged: heartbleed
Hello, is the heartbleed issue that’s being reported in the news relevant to WordPress/BuddyPress sites? I hope others on this list understand this issue better than I do!
Hi Wolfgang. Thanks for asking this question. Yes indeed, it would be interesting for everyone to know. Friends, we would appreciate your insights.
Here is an article I found about Heartbleed and WordPress: http://digitalchild.info/
It seems the answer is not obvious.
If your WP site does not use SSL, you’re not directly affected by the bug. If you have the openssl package on your server, it’s still a good idea to update it, of course.
If you *are* using SSL – some of your WP pages are accessible over HTTPS – you should do the following immediately:
1. Upgrade to the latest openssl immediately
2. Regenerate your SSL certificate key. Contact your SSL vendor and/or webhost for more information on this process.
Changing your salts as defined in wp-config.php, as suggested in the digitalchild.info article, is an easy and responsible thing to do.
I don’t recommend deleting all your users’ existing passwords. This is likely to result in a support nightmare, as users have a tendency to run into difficulties with the Reset Password tool. If you would like your users to change passwords, consider a plugin like http://wordpress.org/plugins/force-password-change/.
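Added example, not part of the posts above or of WordPress itself: a local Python sketch of the salt change mentioned in the last reply, replacing the eight standard secret constants in the text of a wp-config.php and reporting any that are absent. The function names and the sample config are constructed for illustration; it assumes each `define()` sits on one line with a quoted string value.

```python
import re
import secrets
import string

# The eight secret constants WordPress reads from wp-config.php.
SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# Printable characters without quotes or backslash, so a value is always
# safe inside a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~ "

# Matches one define() of a salt constant, single- or double-quoted value.
PATTERN = re.compile(
    r"^([ \t]*)define\(\s*['\"](" + "|".join(SALT_KEYS) + r")['\"]\s*,\s*"
    r"(?:'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\")\s*\)\s*;", re.MULTILINE)

def new_secret(length=64):
    """Random value drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text):
    """Return (new_text, rotated_keys, missing_keys); other lines are untouched."""
    rotated = []

    def swap(match):
        rotated.append(match.group(2))
        return f"{match.group(1)}define( '{match.group(2)}', '{new_secret()}' );"

    new_text = PATTERN.sub(swap, config_text)
    missing = [k for k in SALT_KEYS if k not in rotated]
    return new_text, rotated, missing

# Constructed sample config: a database password that must not change and
# seven of the eight salts (NONCE_SALT deliberately left out).
SAMPLE = ("<?php\ndefine( 'DB_PASSWORD', 'constructed-db-pass' );\n"
          + "".join(f"define( '{k}', 'old constructed value' );\n"
                    for k in SALT_KEYS[:-1]))

if __name__ == "__main__":
    text, rotated, missing = rotate_salts(SAMPLE)
    print(text)
    print("rotated:", rotated)
    print("missing (add these by hand):", missing)
```

Changing these values invalidates existing login cookies, so every user has to log in again, while their passwords stay as they are.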