Sucuri disclosed the minor bug to us on Aug. 19. It was promptly and properly fixed and tested the same day, and the fix ships today.
Updating to iThemes Security version 4.3.9 (free) or iThemes Security Pro version 1.6.12 will implement the fix.
Background on the Issue
If you use iThemes Security or iThemes Security Pro with a user named “admin” present and the hide-backend feature turned off, a remote user could, with a specially crafted request, rename that “admin” user. This was possible by triggering the same process the plugin's rename “admin” user feature performs.
What This Means for You
The only thing this bug could have done was rename the “admin” user, if in fact you still had a user named “admin”. Essentially, all this means is that your next login attempt would be annoying: you would have to recover your username with your WordPress account email to log in.
- Rest assured, no data could be compromised
- Your site could not be taken offline
- No unwanted users could get into your site
- No data of any kind could leave your site
What You Should Do
Please update to version 4.3.9 (free) or 1.6.12 (Pro) and you’re all set. That’s it.
iThemes Security Going Forward
This means we got better. Your WordPress sites are still secure, and iThemes Security is now even more user-friendly.
We work day after day ensuring you have the best plugins, themes and training from iThemes.
Sucuri’s audit of iThemes Security and subsequent disclosure are very much appreciated.