The message today to the millions of users of WordPress and Drupal content management systems: Fire up those security updates.

The web content management system (CMS) providers released security updates this week after an industry expert tipped them off to a potential attack that shuts down websites and servers running on the WordPress or Drupal engine.

Nir Goldshlager, a security researcher from's product security team, first caught the potential bug.

In a blog post, he wrote that he detected an XML denial-of-service vulnerability in both WordPress and Drupal. The flaw, he wrote, is based on a well-known attack, the XML Quadratic Blowup Attack.

Complete Web Shutdown

What does this bug do? Turns off the web lights. Completely.

WordPress is the most popular CMS in the world, powering an astonishing 47.4 percent of all sites on the Internet, according to BuiltWith, a website profiler, lead generation, competitive analysis and business intelligence tool. More than 60 million websites use WordPress, and more than one million websites are powered by Drupal.

What should WordPress and Drupal users do immediately? Update their WordPress or Drupal, Goldshlager told CMSWire this morning.  

"If they don't want to update their WordPress or Drupal," Goldshlager added, "they can delete xmlrpc.php file from the root directory, but if they use xmlrpc.php -- most of the users don't use this xml parser -- they should update their WordPress and Drupal. So two choices here." 

WordPress, Drupal Response

WordPress announced that version 3.9.2 is now available as a security release for all previous versions.

"We strongly encourage you to update your sites immediately," WordPress officials said in their Wednesday blog post.

Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team fixed the problem, marking the first time the two projects have coordinated joint security releases, officials reported.

Drupal officials on the same day issued a blog post that said Drupal 7.31 and Drupal 6.33 were released. It called them "maintenance releases which contain fixes for security vulnerabilities."

"Upgrading your existing Drupal 7 and 6 sites is strongly recommended," according to officials. "There are no new features or non-security-related bug fixes in these releases."

Problem Solved?

Asked by CMSWire if the potential for a website shutdown has been averted by the WordPress and Drupal security updates, Goldshlager said yes.

"I still recommend to delete xmlrpc.php if no one is using it," he said. "Not updating your WordPress or not deleting the xmlrpc.php file could lead to a DoS attack on your site and your server will be unavailable during the attack." 

WordPress and Drupal, he added, use the same XML parser called XML RPC. Each of them was vulnerable to a Remote Denial Of Service attack that could bring a site and server down.

This isn't the first security issue spotted with WordPress. Web security firm Sucuri announced a few weeks ago that it had spotted an automated attack that injected a PHP backdoor file into many WordPress sites.

Title image by Pedro Rufo (Shutterstock).