The web has been alight with the Heartbleed vulnerability. If you’ve only heard of it in passing, listen up. This one is a biggie.
The bad news – it affects a lot of web servers. If you have a website, there’s a good chance the server could be vulnerable. If you’d like to check your own servers, you can go to Flippo.io/Heartbleed. Before going any deeper, let’s understand what it is.
What is Heartbleed?
I’m no systems security expert and I may not do a great job explaining this. I’ll let someone a whole lot more qualified than me – Elastica’s CTO Dr. Zulfikar Ramzan – explain in the video below. Please do take time to view it. It isn’t all that long, and it is that important.
What You Can Do
First, don’t panic. Depending on how swift your web host is on these issues – it may already have been taken care of for you.
For the most part, if you’re on shared hosting, there’s nothing you can do to patch this yourself. The patch has to be applied at the server level, and as a shared-host account holder you simply don’t have the permission or access to do that. Still, I would check with the web host to see what they are reporting about this. Most reputable web hosts will have made an announcement and updated you about it already.
Typically, this also applies to VPS and dedicated account holders, although you do have the ability to patch it yourself if you want to. Most of the time the host will be the one to do this, because they want to run clean systems too. Again, I’d double-check with the host.
What About Your Site Users & Customers?
This issue is highly publicized for good reason. It’ll probably continue to be talked about for many days or weeks to come. There’s a good chance your customers will have heard of it. Even so, I think it’s not a bad idea to keep your people in the loop. Tell them if and when your server will be patched. By the way, I spent the day verifying the update and refreshing our secure certificates.
Also, as a safety precaution, it would be a good idea to get people to change their passwords, ideally once the server has been patched and its certificate re-issued (a new password sent to a still-vulnerable server can leak just as the old one could).
If you use WordPress and have multiple users, you can “kick out” users by simply changing the salts. If you don’t know what this is, please ask a qualified WordPress consultant to help you with it. Changing the salts will force people to log in again. It won’t force people to change their passwords, though. To do that, try a plugin like Force Password Update. You can force people to update when they log in and at a set interval afterwards.
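As an added example (not code from the original post, and not part of WordPress itself), the script below rotates the eight keys and salts that WordPress defines in wp-config.php. Logged-in session cookies are signed with these values, so replacing them invalidates every existing cookie and forces everyone to log in again, which is the “kick out” the post describes. The sample wp-config.php contents at the bottom are constructed for the demonstration; the constant names are the real WordPress ones, and the character set is assumed to match what WordPress’s own password generator uses (no quotes or backslashes, so the values are always valid inside a single-quoted PHP string).

```python
"""Rotate the eight WordPress keys/salts in wp-config.php (added example)."""
import re
import secrets
import shutil
from pathlib import Path

# The eight constants WordPress reads from wp-config.php to sign cookies/nonces.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Characters safe inside a single-quoted PHP string (no ' and no \).
# Assumed to match the set WordPress's own generator draws from.
ALPHABET = (
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"
)
SALT_LENGTH = 64

# Matches  define('NAME', 'value');  with optional whitespace, either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<key>[A-Z_]+)['"]\s*,\s*['"](?P<val>[^'"]*)['"]\s*\);"""
)


def new_salt(length=SALT_LENGTH):
    """Return a fresh random salt drawn from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config_text):
    """Replace the value of every salt define; leave all other defines untouched.

    Returns (new_text, replaced_keys) so the caller can verify all eight were found.
    """
    replaced = []

    def substitute(match):
        key = match.group("key")
        if key not in SALT_KEYS:
            return match.group(0)  # e.g. DB_NAME: keep as-is
        replaced.append(key)
        return "define('%s', '%s');" % (key, new_salt())

    return DEFINE_RE.sub(substitute, config_text), replaced


def rotate_file(path):
    """Back up wp-config.php, rewrite it with new salts, report what was rotated."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))  # keep a copy first
    new_text, replaced = rotate_salts(path.read_text())
    missing = [k for k in SALT_KEYS if k not in replaced]  # defines not present
    path.write_text(new_text)
    return replaced, missing


# Constructed sample of the relevant part of a wp-config.php (not a real site's file).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    text, rotated = rotate_salts(SAMPLE_CONFIG)
    print(text)
    print("rotated:", ", ".join(rotated))
```

Run it against a real file with `rotate_file("/path/to/wp-config.php")` and check that the returned `missing` list is empty; a salt that is not defined in wp-config.php falls back to a database-stored value that this script does not touch. Doing this only invalidates sessions, so it complements, rather than replaces, getting people to change their passwords after the server is patched. If you would rather not generate the values locally, WordPress publishes fresh ones at https://api.wordpress.org/secret-key/1.1/salt/ and you can paste that block in by hand.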
On A Personal Level
If you haven’t changed your passwords for sensitive sites in a while, this is a good time to do so. Make sure you don’t reuse a password you use anywhere else. Try this technique for something secure and still human-readable.
Good luck and stay safe!