Jun 13, 2016
Security researchers have issued a warning that around 10,000 websites running the WordPress CMS are vulnerable because of a plugin with a zero-day flaw. The plugin at the source of the issue is WP Mobile Detector, and the zero-day vulnerability it contains was discovered by the Plugin Vulnerabilities team.
Looking at the current state of WordPress, plugin development has made the platform highly extensible and is arguably the main reason behind its perpetual success. This raises the moot question of whether plugins are good for a website or not. Since we already know that WordPress plugins offer a great deal of extensibility, here we will discuss whether the benefits they offer are worth the trade-off against the vulnerabilities they introduce.
How Do Plugins Make Your Website Vulnerable?
One of the questions most often asked of skilled WordPress developers is: how do plugins contribute to the vulnerability of your website? The answer is that plugins often contain obsolete code, because it is difficult for developers to keep updating them in step with every official WordPress release. They may also contain slow code and shortcuts that open gaps in security. Missing security controls in plugins can expose your website to everything from SQL injection to cross-site scripting attacks.
Malicious users exploit the vulnerabilities in the way these plugin scripts are run; they inject their own code to gain access to the backend of your website, as well as to databases that hold sensitive data. Such plugins can also take down an entire WordPress site.
Caveat! Top Plugins Can Also Be Hacked
There is no guarantee that the most popular plugins are the most reliable ones. A plugin is not immune to hacking just because it has been installed by a large number of users. For instance, the excellent Yoast SEO and Google Analytics by Yoast plugins are widely used, yet last year an XSS vulnerability was discovered in them by Joost de Valk, who also happens to be the creator of the plugins.
He found that the WordPress functions add_query_arg and remove_query_arg were not used properly in the plugins, which made them exploitable via cross-site scripting (XSS).
Dynamic web pages are susceptible to XSS. When content is not escaped properly, a string can end up being interpreted as code. This gives an attacker room to add malicious code and inflict a range of problems on the website, including capturing users' login details, tampering with the website's content, and adding phishing code capable of transmitting confidential data to malicious users.
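As an added illustration (not code from the Yoast plugins or from this article), here is the unsafe output pattern behind this class of bug next to its fix; the function names are hypothetical, and the snippet assumes it runs inside WordPress so that add_query_arg() and esc_url() exist.

```php
<?php
// Added example, not from the article or any plugin. Assumes WordPress
// core is loaded (add_query_arg() and esc_url() are core functions).

// add_query_arg() builds on the current request URI when no base URL is
// passed, so its result partly comes from the visitor. Echoing it raw into
// an HTML attribute means a crafted request URI is reflected unescaped:
// a reflected XSS sink.
function hypothetical_vulnerable_settings_link() {
    $url = add_query_arg( 'tab', 'general' );
    // Unescaped dynamic content in an attribute: the bug this section describes.
    return '<a href="' . $url . '">General</a>';
}

// Fix: escape at the point of output. esc_url() neutralises quotes and
// angle brackets in a URL context (use esc_attr() for non-URL attributes).
function hypothetical_fixed_settings_link() {
    $url = add_query_arg( 'tab', 'general' );
    return '<a href="' . esc_url( $url ) . '">General</a>';
}
```

The same rule applies to remove_query_arg(): never trust its return value as safe HTML; escape it where it is printed.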
It was further noticed that popular plugins such as Gravity Forms, Jetpack, and even All In One SEO Pack contained code that could cause problems.
Of late, some serious issues were discovered in Jetpack, a popular plugin with which you can optimize your website for free, get proper security features, and more. The plugin was developed by Automattic, the company behind WordPress.com and the WordPress open-source project, and it has over a million active installations.
The well-known web security firm Sucuri released a report stating that every Jetpack release since 2012, starting with version 2.0, is affected by a stored cross-site scripting (XSS) vulnerability.
How To Protect Your WordPress Website?
We are well aware that even quite reliable plugins can be prone to vulnerabilities and security issues. Malicious hackers keep their prying eyes on these loopholes and, as soon as they learn of them, attack them to breach the boundary of your website.
There are even backdoors that go unnoticed for years. It is important to choose plugins carefully and then update them regularly. Protecting your WordPress website from falling prey to plugin vulnerabilities requires vigilance and periodic maintenance.
Here is a checklist to go through in order to protect your website from these vulnerabilities:
– Install WordPress updates and plugin updates as soon as they are released, so that your code has all the security patches.
– Use a modern theme and update it regularly. Plugins can get stuck in old themes, which may create a vulnerability for you.
– Before adopting any plugin, check when it was last updated and which WordPress versions it is compatible with.
– Do not use older versions of plugins, as they might not be compatible with the latest WordPress version.
– When choosing among plugins with similar functionality, pick the ones with a significant number of active installs and better ratings. Popular plugins tend to be updated regularly and carry a lower risk.
– Note that even inactive plugins present on your WordPress site increase your exposure. Delete the ones you rarely use and the ones that are unnecessary. Limiting the number of plugins limits the opportunities a hacker will have.
– Using plugins is never completely safe. However, the WordPress Plugin repository vets each plugin before offering it to users, so download plugins only from the repository or from third-party theme and plugin developers with an established reputation.
– Use WPScan's Vulnerability Database to monitor plugins with known vulnerabilities and to learn when they are patched. Following these practices will help ensure that the WordPress plugins you use are not serving as a gateway for hackers.
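The update and inactive-plugin items of this checklist can be automated. The following is an added example (not from the article or any plugin): a must-use plugin that audits the installed plugins using only core WordPress APIs. It assumes it is placed in wp-content/mu-plugins/, and the function name audit_plugins is hypothetical.

```php
<?php
// Added example, not from the article. Assumes WordPress core is loaded
// (get_plugins(), get_option(), get_site_transient(), add_action()).

// Pure helper so the logic can be checked without a live site.
// $plugins: [ 'dir/file.php' => [ 'Name' => ..., 'Version' => ... ] ]
// $active:  plugin files from the active_plugins option
// $updates: [ 'dir/file.php' => new-version-string ]
// Returns findings keyed by plugin file.
function audit_plugins( array $plugins, array $active, array $updates ) {
    $findings = array();
    foreach ( $plugins as $file => $data ) {
        $issues = array();
        if ( ! in_array( $file, $active, true ) ) {
            $issues[] = 'inactive: delete it if unused';
        }
        if ( isset( $updates[ $file ] ) ) {
            $issues[] = 'update available: ' . $data['Version'] . ' -> ' . $updates[ $file ];
        }
        if ( $issues ) {
            $findings[ $file ] = $issues;
        }
    }
    return $findings;
}

// Feed the helper with live data and write findings to the PHP error log.
add_action( 'admin_init', function () {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // The update_plugins site transient holds pending updates keyed by plugin file.
    $transient = get_site_transient( 'update_plugins' );
    $updates   = array();
    if ( ! empty( $transient->response ) ) {
        foreach ( $transient->response as $file => $info ) {
            $updates[ $file ] = $info->new_version;
        }
    }
    $findings = audit_plugins(
        get_plugins(),
        (array) get_option( 'active_plugins', array() ),
        $updates
    );
    foreach ( $findings as $file => $issues ) {
        error_log( 'plugin audit: ' . $file . ' - ' . implode( '; ', $issues ) );
    }
} );
```

As written it runs on every admin request; in practice, gate it behind a transient or run it as a scheduled task so the log is not flooded.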