All Systems Operational
- KrakenGeek.com Speed Audit, 1/18/23
Security Issue Identified
Status: Workaround Already Implemented
Updated: 12/30/2022 at 5:15 PM PST
We received an alert indicating that WordPress 6.1.1 has an Unauthorized Blind SSRF vulnerability for which no patch is available. All of our WordPress clients are running WordPress 6.1.1, so they are affected by this. However, no action was needed on our part, because we already actively disable access to XML-RPC for all of our clients, which is an effective workaround that prevents compromise via this vulnerability. As a result, the risk to our clients is minimal. When an update is available we will deploy it to all clients.
Updated: 12/17/2022 at 6:00 PM PST
A scan via SSLLabs.org showed that the KrakenGeek SSL grade had dropped from A+ to A. A good grade, but it doesn’t meet KrakenGeek’s standards. After some investigation, we discovered that the HSTS max-age was set to one minute (a testing value left over from the move from the old server to the new one). The HSTS max-age was increased to six months. A rescan showed the grade back up to A+.
A penetration test was also completed for KrakenGeek.com and all clients; no issues were identified.
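A self-check covering both findings above (the one-minute HSTS max-age leftover and the XML-RPC endpoint that the workaround disables), added here as an example and not KrakenGeek's own tooling. The function names, the six-month threshold in seconds and the sample responses are assumptions constructed for illustration; nothing is fetched from a live server.

```python
"""Check a site's HSTS policy and XML-RPC exposure from captured responses.
Added example (hypothetical helper names); all inputs below are constructed."""
import re

SIX_MONTHS = 6 * 30 * 24 * 3600  # 15552000 s: the "six months" value set on 12/17
ONE_MINUTE = 60                  # the leftover testing value that cost the A+ grade


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', value.strip())
            if match:
                result["max_age"] = int(match.group(1))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(headers: dict, min_age: int = SIX_MONTHS) -> tuple:
    """Return (ok, reason) for the HSTS policy in a response header map."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header"
    max_age = parse_hsts(value)["max_age"]
    if max_age is None:
        return False, "max-age directive missing or malformed"
    if max_age < min_age:
        return False, f"max-age={max_age} is below {min_age}s (test value left over?)"
    return True, f"max-age={max_age} meets the {min_age}s minimum"


def check_xmlrpc_blocked(status: int, body: str) -> bool:
    """True if a GET to /xmlrpc.php is refused rather than answered by WordPress.
    A live endpoint returns 200 with its 'accepts POST requests only' banner."""
    return status in (403, 404, 405) and "XML-RPC server accepts POST" not in body


# Constructed sample responses: the leftover testing policy and the corrected one.
LEFTOVER_HEADERS = {"Strict-Transport-Security": f"max-age={ONE_MINUTE}"}
FIXED_HEADERS = {"Strict-Transport-Security": f"max-age={SIX_MONTHS}; includeSubDomains"}
```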
Move to New Server, Terminate Old Server
Updated: 11/6/2022 at 4:57 PM PST
The old server ran an OS that was no longer being maintained, which necessitated upgrading to the most recent LTS version of the OS. We were able to create a new server meeting the requirements and successfully moved all clients to it. We monitored all clients after the move and confirmed no further issues after 30 days. The old server has been permanently terminated.