Hoping Bluehost Doesn't Corrupt UpdraftPlus Premium Installs


Viewing 8 posts - 1 through 8 (of 8 total)
  • #89562
    Bob
    Participant

    I have multiple clients on Bluehost running UpdraftPlus Premium. They’re all currently on version 1.9.52.19. They’ve all just received emails similar to the following:
    ========================================
    Dear XX,

    A new version (1.9.51) of the WordPress plugin Updraftplus Backup and Restoration has been released. A recent hack was found in older versions of this plugin that allows an attacker to upload files on the target server, download the site’s backups and retrieve WordPress Secret Keys (no authentication required).

    Over the next 48 hours we will be making every attempt to upgrade your Updraftplus Backup and Restoration plugin to the most recent version 1.9.51.
    ========================================

    Based on some past experiences, I’m a bit concerned they’re going to run a script that bulldozes through all the sites they’re hosting which doesn’t take into account the existence of UpdraftPlus Premium–resulting in downgrades and/or corrupted installs. Would you mind checking with them just to make sure they don’t do anything stupid?

    Thanks.

    #89564
    udadmin
    Keymaster

    Hi Bob,

    Sounds rather like they could have done… I don’t have any special line to Bluehost… since they say “Over the next 48 hours”, I’d recommend contacting them asap…

    David

    #89565
    udadmin
    Keymaster

    BTW… “the most recent version 1.9.51” – hasn’t been the most recent version since last Friday. Also worth noting that the Premium version wasn’t vulnerable, and doesn’t require an update to be secure.

    Best wishes,
    David

    #89572
    Bob
    Participant

    >> Also worth noting that the Premium version wasn’t vulnerable, and doesn’t require an update to be secure. <<

    I know that, but I’m not sure they do.

    I’ll try and contact them later today when I have time to wait for tech support. But my past experience is it takes time for that kind of feedback to bubble up from first level support to the decision makers, and by then it will likely be too late. Fingers crossed…

    Thanks.

    Bob

    #89582
    udadmin
    Keymaster

    BTW, this is also wrong: “(no authentication required).” Exploiting the problem, as both ours and Sucuri’s advisories stated, required the hacker to have a valid login.

    I’ll try to send a contact using whatever I can find on their website, in case that helps… it’ll be no fun for anyone if they remove anyone’s paid version (which, as mentioned, isn’t vulnerable anyway).

    Best wishes,
    David

    #89588
    udadmin
    Keymaster

    Hi Bob,

    I can’t find a way to contact Bluehost online without having a Bluehost account… so you’ll have to do your best, I’m afraid…

    David

    #89650
    Bob
    Participant

    OK, Bluehost tech support said they won’t “update” the plugin if it’s version 1.9.52, which the rep now understood (incorrectly) to be the Premium version. I tried to explain that the Premium version is a separate product and they shouldn’t include it in their auto-updates regardless of version number, but I don’t think he ever got it. But at least–assuming what he told me really represented what the higher-ups are going to do–if the version is 1.9.52, they’re not going to attempt to “update” it to 1.9.51 free.

    #89735
    udadmin
    Keymaster

    Hi Bob,

    Paid versions have four parts in the version number – e.g. 1.9.50.19. What they should be doing is not touching any version that has four parts in the version number.

    Best wishes,
    David
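
The four-part rule from the last reply, written as a guard a bulk updater could run before touching an install. This is an added example, not part of the thread and not UpdraftPlus or Bluehost code; the function names, the action labels and the sample header are assumptions, and the fixed version is the 1.9.51 named in the host's email above.

```python
import re

# Version the host's email on this page says it will upgrade free installs to.
FIXED_FREE_VERSION = "1.9.51"

# Simplified match for the "Version:" line of a WordPress plugin file header.
_VERSION_LINE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)
_DOTTED = re.compile(r"[0-9]+(?:\.[0-9]+)*")


def read_plugin_version(header_text):
    """Return the Version: value from a plugin header, or None if absent."""
    m = _VERSION_LINE.search(header_text)
    return m.group(1) if m else None


def parse_parts(version):
    """'1.9.50.19' -> (1, 9, 50, 19); None when not purely dotted digits."""
    if not version or not _DOTTED.fullmatch(version):
        return None
    return tuple(int(p) for p in version.split("."))


def decide(version, fixed=FIXED_FREE_VERSION):
    """Action for one install: never touch four-part (paid) versions."""
    parts = parse_parts(version)
    if parts is None or len(parts) not in (3, 4):
        return "manual-review"      # unknown layout: do not overwrite blindly
    if len(parts) == 4:
        return "skip-paid"          # paid build, regardless of its numbers
    return "update" if parts < parse_parts(fixed) else "skip-current"


def naive_decide(version, fixed=FIXED_FREE_VERSION):
    """Numeric comparison only, with no part-count check (for contrast)."""
    return "update" if parse_parts(version) < parse_parts(fixed) else "skip-current"


# Constructed sample header, not copied from the real plugin file.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Example Backup Plugin
Version: 1.9.50.19
*/
"""

if __name__ == "__main__":
    found = read_plugin_version(SAMPLE_HEADER)
    for v in (found, "1.9.52.19", "1.9.50", "1.9.51", None):
        print(v, "->", decide(v))
    print("naive on", found, "->", naive_decide(found))
```

The contrast case is 1.9.50.19: a purely numeric comparison against 1.9.51 would mark it for "update" and replace a paid install with the free build, while the part-count check skips it.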
