Slashdot Mirror


WordPress Plugs Bug that Led to Google Indexing Some User Passwords (zdnet.com)

A week after releasing the v5.0 major update, WordPress has pushed the first security patch for its popular CMS service. ZDNet: Released hours ago, WordPress version 5.0.1 fixes seven security vulnerabilities (some of which allow site takeover) but also plugs a pretty serious privacy leak. The latter was found by the authors of the popular Yoast SEO plugin, who discovered that in some cases the activation screen for new users could end up being indexed by Google. With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords. This leak could have catastrophic consequences if the user has an admin role or if the user didn't change his default password, as is regularly advised.
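The leak above comes down to a page that carries secrets (an activation screen showing an address and a generated password) being reachable by a crawler without any indexing exclusion. The page does not say what WordPress 5.0.1 changed, so the snippet below is an added defender-side check, not WordPress's or Yoast's code: given an HTTP response for a sensitive page, it collects the robots directives from both the `X-Robots-Tag` header and `<meta name="robots">` tags and reports whether the page is excluded from indexing. The two sample responses (`SAFE_RESPONSE`, `LEAKY_RESPONSE`) are constructed for the example; the email address and password in them are placeholders.

```python
from html.parser import HTMLParser

# Constructed sample responses standing in for a user-activation page.
# The first one opts out of indexing via header and meta tag; the second
# carries the same sensitive content with no exclusion at all.
SAFE_RESPONSE = (
    {"Content-Type": "text/html; charset=UTF-8", "X-Robots-Tag": "noindex, nofollow"},
    '<html><head><meta name="robots" content="noindex,nofollow"></head>'
    "<body>Activation complete for user@example.invalid</body></html>",
)
LEAKY_RESPONSE = (
    {"Content-Type": "text/html; charset=UTF-8"},
    "<html><head><title>Activate</title></head>"
    "<body>Your password is PLACEHOLDER-PASSWORD</body></html>",
)


class RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots"> and <meta name="googlebot">."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives.extend(
                d.strip().lower() for d in a.get("content", "").split(",") if d.strip()
            )


def indexing_directives(headers, body):
    """Return the set of robots directives found in headers and markup."""
    found = set()
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        # Header form is "noindex, nofollow" or "googlebot: noindex"; drop
        # an optional user-agent prefix before splitting the directives.
        if ":" in value:
            value = value.split(":", 1)[1]
        found.update(d.strip().lower() for d in value.split(",") if d.strip())
    parser = RobotsMetaParser()
    parser.feed(body)
    found.update(parser.directives)
    return found


def is_excluded_from_indexing(headers, body):
    """True when the response tells crawlers not to index the page."""
    directives = indexing_directives(headers, body)
    return "noindex" in directives or "none" in directives


def audit(responses):
    """Map a label to whether that response is safe to expose to crawlers."""
    return {label: is_excluded_from_indexing(h, b) for label, (h, b) in responses.items()}


if __name__ == "__main__":
    for label, excluded in audit({"safe": SAFE_RESPONSE, "leaky": LEAKY_RESPONSE}).items():
        print(f"{label}: {'excluded from indexing' if excluded else 'INDEXABLE - review'}")
```

In practice you would feed the function the headers and body fetched from your own site's activation and password-reset URLs (a `robots.txt` disallow alone is not enough, since a disallowed URL can still be listed from links pointing at it). A page that shows a credential should also be served with cache-control headers that prevent intermediaries from storing it, which this check does not cover.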

1 of 32 comments

  1. Use protection, kids! by JustAnotherOldGuy · Score: 3, Interesting

    "With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords."

    Another fabulous win for WordPress. (sigh)

    Seriously, if you run WordPress, at least install the WordFence plugin. It's free and prevents a lot of malicious behavior from occurring. I don't know about this specific exploit, but it has stopped a ton of bot-style attacks on the few WP sites I have some responsibility for.

    Install WordFence and look at the logs after a day or two; you'll be astounded (and horrified) at the level of malicious activity it catches and stops.

    (And in case you're wondering, no, I have no connection or financial interest whatsoever in WordFence, I'm just a fan).

    --
    Just cruising through this digital world at 33 1/3 rpm...