It’s been about 24 hours since our last announcement and about 48 hours since the first report of any issues (check here for the original post).
Where things currently stand:
So far we have only seen Child sites running version 2.0.26 or lower affected.
The first report came in about 4 days after the release of the security fix and still only affects un-updated sites.
Update: September 9th
We have found that the malicious file makes it look like you are running MainWP Child 2.0.27 even if you are on a lower version, so be sure you are running 2.0.28 or higher.
What we are currently doing:
Releasing the WordFence Extension for free so you can watch and clean up any child sites that may get affected. This help doc will go over how to get and run the WordFence Extension including restoring original files.
We have reached out to the WordPress Security email asking for feedback and a possible force upgrade for users who still have not updated.
Requesting that MainWP users set MainWP as a trusted auto-update plugin in their Dashboard so the plugin auto-updates within 24 hours of a release. Check this help doc on how to set up MainWP as a trusted plugin. Update: In version 2.0.28 we give users a warning and a quick add button to auto update the MainWP Child plugin.
Join the MainWP mailing list. We mailed all our list members at the release of 2.0.27 that it was an important security update and to update right away. We would love as many people to be on that list as possible.
Offering our assistance: if you need any help, just submit a ticket at http://support.mainwp.com/
What we are doing for the future:
Both the MainWP Dashboard and Child code are publicly viewable and auditable on GitHub (Dashboard / Child) and are consistently being reviewed by White Hats looking for flaws in exchange for cash rewards (this is how the 2.0.27 fix was put in place before any exploits were reported). We are also having a third party fully review the code base.
We’ll add the recommendation to set MainWP as a Trusted plugin to the initial MainWP setup steps to make that a more prominent suggestion for new users.