WordPress Plugin Vulnerabilities

There are more than 1.2 billion websites on the internet, and more than 25% of them are powered by WordPress. As a framework and Content Management System, WordPress is powerful, flexible, and easy to use. Millions of users can attest to its simplicity and stability. For many small businesses, WordPress has enabled higher-end design and features that would otherwise be cost-prohibitive. The WordPress core is open-source (free) and surprisingly well supported by active users throughout the world.

WordPress is certainly wonderful to build with, provided that users are aware that it requires some ongoing support, maintenance, and attention. As WordPress is updated, those updates must be applied (especially if the update is significantly concerned with security patches). Each iteration/version of WordPress can have implications for themes and plugins, which would also require them to be updated.

While WordPress itself remains free, plugins are often fee-based and licensed.  These fees give users the impression that these plugins are also supported and maintained.  In truth, that may not always be the case.   There have been a few interesting public blogs lately that bring attention to some concerns regarding plugins:

1.) WordPress.org currently lists over 50,000 active plugins on their website.  Some of these have millions of active installs and are clearly very popular.   Some of the more popular plugins have thousands of customer reviews and evaluations.

2.) According to research performed by Isabel Castillo, there are more than 3,000 plugins that have been completely abandoned by their developers. In fact, those on this particular list haven’t been updated since December 31, 2010! (source)

3.) Probably among the worst offenders is a plugin that has 100,000 active installations, yet hasn’t been updated since June 2009, and another with 90,000 active installations which hasn’t been improved since May 2009.

4.) While WordPress 4.0 was released in September 2014, over 13,600 plugins have a compatibility tag that only covers the WordPress 3.x releases.

Plugins with Vulnerabilities

Research performed by WordFence discovered 18 different plugins that were still available for download through the WordPress.org repository, each of which suffered from a known vulnerability that had not been fixed. None of these plugins had been updated in over 2 years, in spite of their popularity and frequent use on many sites.

WordFence did a great job creating a list of these known plugins with vulnerabilities, and we’ve included it here for reference:

What if your site uses one of these plugins?

If you recognize one of these plugins from your website, you should immediately deactivate it and cease using it. Again, these are plugins with known and active vulnerabilities. If they are on your website, then you are absolutely at risk. Some of these plugins (those marked with an asterisk) actually have an update available and can be removed and then reinstalled at the updated version.

You can probably locate a suitable replacement or update for these plugins. But continue reading before you do!

But, how did this happen?

Most likely, the plugins on your site were chosen for a reason. Over time, they simply became outdated, lost support from their original developers, or were abandoned in favor of other plugins. Regardless, the only real reason for this is lack of attention – by developers, by website managers, and by website owners. There’s a lot to focus on and pay attention to (so we understand how things slip through the cracks), but that’s the bottom line.

How can I avoid this in the future?

Evaluate plugins for use before installation. Practically every WordPress site needs plugins for one reason or another. You probably need those plugins for specific functions that you want to have on your site. The trick is to know how to choose good plugins in the first place and how to be selective. Some tips to consider:

1.) Go with who you know. Once you have a plugin developer that you trust, stick with them. It’s hard to vet unknown developers and those who don’t have a lot of experience. It’s better if you can get plugins from known developers who work hard, focus on support, and have a proven track record.

2.) Check that the plugin is compatible with the latest version of WordPress (currently 4.7.4), and check when it was last updated. This information helps you decide whether the plugin is worthy of your confidence and trust.

3.) If the plugin is popular, there might be a reason. How many active installs are there? 10, 20, or 20,000? Not many plugins have millions of installations, so don’t be afraid of choosing one with fewer. Being cautious is wise here, though. A new plugin clearly has few installations, so you may want to wait and see whether other people start installing it before you jump in.
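The checks in tips 2 and 3, together with the "deactivate it" advice from the previous section, as an added Python example (not code from the original post or from WordFence). It scores plugin metadata in the shape of a few fields from the WordPress.org plugin information API (https://api.wordpress.org/plugins/info/1.0/<slug>.json) against the post's own thresholds: last update more than two years old, a "tested up to" tag behind the current 4.7.4 release, and a low install count. The plugin records, their slugs, the 1,000-install review threshold and the audit date are constructed assumptions; the `wp plugin deactivate` command it suggests assumes WP-CLI is installed on the host.

```python
"""Flag WordPress plugins that look abandoned, incompatible or little-used.

Added example, not from the original post. Each record mirrors a few fields
of the WordPress.org plugin information API response; the records here are
constructed sample data, with last_updated simplified to YYYY-MM-DD.
"""
from datetime import date

CURRENT_WP = "4.7.4"          # the release the post calls current
STALE_AFTER_DAYS = 2 * 365    # the post's "not updated in over 2 years"
MIN_INSTALLS = 1000           # assumption: below this, look more closely

# Constructed sample data (slugs are hypothetical).
SAMPLE_PLUGINS = [
    {"slug": "example-forms",   "last_updated": "2017-04-20", "tested": "4.7.4", "active_installs": 200000},
    {"slug": "example-gallery", "last_updated": "2009-06-15", "tested": "2.8",   "active_installs": 100000},
    {"slug": "example-seo",     "last_updated": "2014-09-01", "tested": "3.9",   "active_installs": 50000},
    {"slug": "example-widget",  "last_updated": "2017-01-10", "tested": "4.7",   "active_installs": 40},
]


def major_minor(version):
    """'4.7.4' -> (4, 7); '4.7' -> (4, 7); '3.x' -> (3, 0). Compatibility tags are major.minor."""
    parts = [int(p) for p in version.split(".") if p.isdigit()]
    parts += [0] * (2 - len(parts))
    return tuple(parts[:2])


def assess(plugin, today=None, current_wp=CURRENT_WP):
    """Return {'slug', 'verdict', 'issues'} for one plugin record.

    today is an ISO date string so audits are reproducible; None means now.
    """
    today = date.fromisoformat(today) if today else date.today()
    issues = []

    # Tip 2, second half: how long since the developer last touched it?
    age_days = (today - date.fromisoformat(plugin["last_updated"])).days
    if age_days > STALE_AFTER_DAYS:
        issues.append("abandoned: last updated %s (%d days ago)" % (plugin["last_updated"], age_days))

    # Tip 2, first half: does its "tested up to" tag reach the current release?
    if major_minor(plugin["tested"]) < major_minor(current_wp):
        issues.append("compatibility: tested only up to WordPress %s, current is %s"
                      % (plugin["tested"], current_wp))

    # Tip 3: is anyone else running it?
    if plugin["active_installs"] < MIN_INSTALLS:
        issues.append("adoption: only %d active installs" % plugin["active_installs"])

    # An abandoned plugin gets the post's advice (deactivate); anything else
    # with findings goes on a review list.
    if any(i.startswith("abandoned") for i in issues):
        verdict = "deactivate"
    elif issues:
        verdict = "review"
    else:
        verdict = "ok"
    return {"slug": plugin["slug"], "verdict": verdict, "issues": issues}


def audit(plugins, today=None, current_wp=CURRENT_WP):
    """Assess every plugin; results keyed by slug for easy lookup."""
    return {p["slug"]: assess(p, today, current_wp) for p in plugins}


if __name__ == "__main__":
    for slug, result in audit(SAMPLE_PLUGINS, "2017-05-01").items():
        print("%-16s %s" % (slug, result["verdict"]))
        for issue in result["issues"]:
            print("    - " + issue)
        if result["verdict"] == "deactivate":
            # WP-CLI command to switch the plugin off (assumes WP-CLI is installed).
            print("    action: wp plugin deactivate " + slug)
```

Feeding real records from the API into `audit` in place of `SAMPLE_PLUGINS` turns this into a quick pre-install check; the verdict deliberately treats "abandoned" as the hard stop, since that is the property the WordFence list has in common, while compatibility and adoption findings only ask for a closer look.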

We can monitor your WordPress website

Many of our clients are concerned that this kind of attention to their site is too complex and cumbersome for their internal teams to manage. We offer a WordPress Maintenance package that helps protect against these kinds of problems (plus others!) to help keep your website in top condition.

We actively monitor and support your website so that:

  • Plugins remain updated
  • Theme updates are deployed accurately
  • Backups of both data files and HTML code are retained in case of problems during deployment
  • Security and monitoring of the site is tracked

Probably MOST importantly, we ensure that these kinds of plugins are maintained and replaced with sound alternatives when problems arise. And we can offer this at a price which is surprisingly affordable and of significant value.

Interested in learning more? Contact us today and let us share more about this helpful service!


About us and this blog

We are an IT Consulting company and we help our clients achieve business success by leveraging the best IT resources for their projects, budgets, and users. 
