I was prompted to write this post after reading the stats presented in this article at Threatpost.
“Almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog. The top 10 vulnerable plugins include…”
We are in a catch-22 situation. In order to provide decent functionality on our websites, we need the plugins, yet plugins account for 98% of WordPress vulnerabilities. The plugins mentioned in the article are installed on tens of millions of websites. So, think of the impact that a hack could have.
Plugins are the plug-n-play modules that add functionality to your WordPress website. They are the branches on your tree (and WordPress core is the trunk). Plugins can perform simple tasks, such as letting a blogger use a particular font or display an image in the sidebar, and complex tasks, such as letting a user create a catalog of products, sell products, track inventory, and email customers.
Each WordPress website uses several to many plugins. Which plugins are used depends on the purpose of the website. Using the tree analogy from above, no two trees are the same.
The functionality requirements of a standard brochure-type website differ greatly from those of a membership website which has the public-facing portion of the website, the members-only portion of the website, and, the on-line membership renewal payments portion. The latter requires more plugins in quantity and those plugins are generally more complex because they accomplish more complex tasks.
According to WordPress.org, there are 54,565 plugins.
A WordPress website relies on plugins, yet plugins are often the cause of increased vulnerability. That’s because plugins are written by different people with different levels of knowledge and experience. Plugins are created by independent developers as well as formal businesses that specialize in plugin development. (One plugin development firm, Yoast, has ~49 employees). Some specialize in WordPress and others are in a WordPress phase. The spectrum of programming experience is wide and the familiarity with WordPress coding requirements is diverse.
There are no rules about who can create and distribute plugins for WordPress. There are official guidelines for writing a plugin, and plugin authors may or may not follow them.
In order to be listed on WordPress.org as an ‘approved’ plugin, the plugin must meet the guidelines. If it does, it gets listed in the official WordPress plugins repository (the wordpress.org/plugins/ folder). If testing results are outside of the guidelines, it does not get listed.
The author(s) of any plugin can, however, offer the plugin anywhere on the Internet. There is no mechanism in place that can stop anyone from downloading any plugin to their website and using it. WordPress is ‘open source’ and, as such, will work with any software that has the special ‘hooks’ that the WordPress core programs recognize.
Also, even if a plugin is accepted into the official repository at one time, that does not mean it is sanctioned for life. As WordPress advances technologically, so, too, must the plugin’s technology. Upon submitting a plugin for approval, the author(s) agrees to maintain it for the life of the plugin. If the author(s) stops maintaining the plugin, it is removed from the repository, but there is no global notification process (that I know of on this day) to inform users that the plugin is no longer sanctioned.
To protect my websites, I use a tool (another plugin) that shows me the date on which each of the other plugins on the website was last updated by its author(s) (not the date it was updated on the website). It warns me when that last update date exceeds my tolerance date. It also lets me know when a plugin has been removed from the official repository.
Plugin Vulnerability Causes
- Sloppy or unsafe code: Not all plugins are created equally. Some authors follow the guidelines and some do not. Sloppy code, or code that has not been brought up to current standards, puts your website at risk. It is almost always not done intentionally. Lots of plugins start out as quick-and-dirty tools to help a developer as he/she is creating a website. Since it was a great help to them, they offer it on GitHub, for example, in order to help other developers. Someone else takes that plugin, uses it as a base, and creates another plugin, and so on, and so on. That’s how open source works. The code is open to all so that others can take it and modify it.
- Aging: Some plugins get abandoned, and, eventually, fall outside of safety tolerance levels. A good example of this happened in the past year. In December 2018, WordPress launched a brand new version of the core. The core had not been updated to this extent in 12 years. Many existing plugins were not rewritten to meet the new standards. Why? Maybe the plugin developers deliberately chose not to rewrite and to focus on something else. Maybe the developers had moved on to other products or other employment situations that did not allow time for updating plugins. Nevertheless, the plugins are labeled ‘abandoned’, and, should not be used as they are not guaranteed to meet 2020 standards.
- Stagnant Files: Some plugins that are installed are not used. This creates a situation where “unsupervised” files hang out in your website’s hosting account. Unsupervised means that nobody is watching these files. Nobody is in a hurry to update these files. These files are being ignored and just hangin’ out. Unsupervised files are great breeding grounds for hackers. Since no one is paying attention, a hacker has time to build a more impactful hack and/or launch several attacks to external websites from the nest it built in your unsupervised files.
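The two checks described above (the tolerance-date tool that flags plugins whose author has not updated them recently or that have vanished from the repository, and the stagnant, installed-but-inactive files) can be scripted. The following is an added example for this post, not the author’s tool or any WordPress.org code. It assumes an installed-plugin list in the shape that `wp plugin list --format=json` produces (`name`, `status`, `version`) and per-plugin metadata in the shape of the WordPress.org plugin information API (a `last_updated` timestamp, or an `error` key when the slug is not in the repository). Every plugin slug, date and response below is constructed sample data.

```python
"""Audit a site's plugins for staleness, repository removal and inactivity.

Added example; not the tool the post's author uses.  Input shapes are
assumptions: `wp plugin list --format=json` for the installed list, and the
WordPress.org plugin information API for repository metadata.  All sample
values are constructed.
"""
from datetime import date, datetime, timedelta

# Constructed: what `wp plugin list --format=json` might return for one site.
INSTALLED = [
    {"name": "example-seo", "status": "active", "version": "3.2.1"},
    {"name": "example-gallery", "status": "inactive", "version": "1.0.4"},
    {"name": "example-forms", "status": "active", "version": "2.8.0"},
    {"name": "example-legacy-widget", "status": "active", "version": "0.9"},
]

# Constructed: repository metadata keyed by slug, in the API's shape.  The API
# reports last_updated as e.g. "2020-01-15 3:14pm GMT"; an unknown slug yields
# an error entry instead of metadata.
REPO_INFO = {
    "example-seo": {"last_updated": "2020-01-15 3:14pm GMT"},
    "example-gallery": {"last_updated": "2017-06-02 9:05am GMT"},
    "example-forms": {"last_updated": "2019-11-30 11:40pm GMT"},
    "example-legacy-widget": {"error": "Plugin not found."},
}


def parse_last_updated(value):
    """Parse the API's 'YYYY-MM-DD H:MMam/pm GMT' timestamp into a date."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").date()


def audit_plugins(installed, repo_info, today, tolerance_days):
    """Return (slug, finding) pairs a site maintainer should act on.

    A plugin can produce more than one finding, e.g. inactive AND stale.
    """
    findings = []
    cutoff = today - timedelta(days=tolerance_days)
    for plugin in installed:
        slug = plugin["name"]
        # Stagnant files: installed but not running, so nobody is watching them.
        if plugin["status"] == "inactive":
            findings.append((slug, "installed but inactive: remove it or activate and maintain it"))
        info = repo_info.get(slug)
        # Removed or never listed: the repository no longer vouches for it.
        if info is None or "error" in info:
            findings.append((slug, "not found in the WordPress.org repository (removed or never listed)"))
            continue
        # Aging: the author's last release is older than our tolerance window.
        last = parse_last_updated(info["last_updated"])
        if last < cutoff:
            findings.append((slug, f"last author update {last.isoformat()} is older than {tolerance_days} days"))
    return findings


def run_audit(today_iso="2020-03-01", tolerance_days=365):
    """Run the audit over the constructed sample data for a given day."""
    return audit_plugins(INSTALLED, REPO_INFO, date.fromisoformat(today_iso), tolerance_days)


if __name__ == "__main__":
    for slug, finding in run_audit():
        print(f"{slug}: {finding}")
```

With a one-year tolerance and an audit date of 2020-03-01, the sample data yields three findings: the gallery plugin is both inactive and stale, and the legacy widget is missing from the repository. Tightening the tolerance to 30 days adds the SEO and forms plugins to the stale list, which is the trade-off the tolerance date represents: a shorter window catches abandonment sooner but also flags healthy plugins between releases.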
Plugins from the WordPress Repository Only Strategy
One plugin strategy to reduce your exposure to hacks is to choose to use only plugins from the WordPress repository. This strategy creates a false sense of security.
It is entirely possible that you start out using only approved plugins, minimizing your risk as much as you can, but, then, things change, and a plugin or two fall out of good graces with WordPress.
Plugin authors move on to new jobs. Plugin authors stop providing services because updating the plugin becomes too time consuming. Plugin authors pass away, and, no one knows how to maintain it. Businesses make the decision to let a plugin die through attrition so that it can focus on another, more popular plugin.
I’ve even seen plugin authors post a note on the soon-to-be-retired/already-retired plugin stating that it is no longer maintained, could cause a security risk, and includes a recommendation for another author’s plugin as a replacement. ← I want this author on my team. This is a very responsible author.
Managed WordPress Hosting Account Strategy
Another strategy people often use to protect websites from hackers is to host their website in a “Managed WordPress” hosting account. Managed WordPress refers to managing the “core files” of WordPress, and, typically, does not include the plugins. IF the hosting package includes updating the plugins, the owner of the website should make a point of reviewing the public-facing website and the administrative dashboard on a regular basis to ensure that the website still presents and functions as it originally did.
Personally, I am not a fan of auto-upgrading all of the software, because when something does go wrong, e.g. the display is off or functionality fails, it is time consuming and difficult to decipher the cause. Was it the update to the core? Was it the update to a plugin? If so, how do you know which plugin? You won’t know in which order the plugins were updated or which were the last to be updated. When this happens you end up spending your time and money on a complicated find-and-fix project (and maybe even losing some posts), instead of spending the time and money up front on proactive activities that can help avoid these issues in the first place. Proactive tends to cost less than reactive.
Only Plugins that do not Show Up on any Hackers’ Favorites List Strategy
This strategy will keep you hopping. The list of plugins that get the most attention from hackers changes every month. You would be installing and uninstalling plugins and redoing sections of your website constantly – and unnecessarily. Plus, employing this strategy you would be missing out on some great functionality. It makes sense from a hacker’s point of view to target the “best” and “most widely installed” plugins to try to infiltrate. Imagine the impact to millions of WordPress websites – and the subsequent kudos one would receive from fellow bad actors.
I’m not a fan of avoiding functionality that suits your website and intentions just because it attracts attention from a few negative programmers.
I AM a fan of doing what is best for your website and your intentions in a thoughtful way. Toward that end, the strategy I like best is: do what you need to do at your website, then…
Hire a Professional to Keep the Website Software Up to Date
Be proactive. Hire a professional website person to keep your software up to date. That’s WordPress core files, the framework, the page builder, the plugins, and the theme files. I recommend that the software updates be done once per month.
Make sure you hire someone who will also review the website and do a little testing after the upgrades. Ideally, they will use tools that give them information that lets them be proactive with you; information like “the xyz plugin will no longer be supported.” They can communicate that to you, and you can move forward finding a replacement plugin and doing business in a calm way, instead of reacting to a crisis at your website.
Happy Blogging!