Category Archives: Wordpress Security

WordPress Plugin Security – Is it risky to install plugins?

WordPress is loved by the masses because it is free, easy to use, and has 1000s of plugins that add tremendous functionality to the usability of a site. While all this is true and I myself use and love WordPress, a site owner should also remember that installing WordPress plugins is the equivalent of installing a new application and brings with it increased risk and additional support requirements that must be met to keep a site secure and functioning properly.

Risk #1 – Availability of your site

How extensive has the testing been for the plugin or plugin update you are installing? I have already discussed a recent plugin upgrade incident I experienced while installing a WordPress plugin update that rendered my admin panel inaccessible. Fortunately for me I had backups and was able to restore the admin panel quickly, but it is an eye-opening experience for any site owner the first time this type of event occurs. A WordPress plugin is only as good as the support and testing that goes into it; otherwise it poses a big security risk to the availability of your site.

Risk #2 – Plugin compatibility issues

WordPress plugin developers are a creative bunch but are often limited financially in their ability to test plugin compatibility with different versions of WordPress and different combinations of plugins. This leaves you as the equivalent of a beta tester if you are an early adopter of a new plugin or a plugin update. This can lead to site performance issues and cause other more important parts of your site to stop functioning correctly.

Risk #3 – Security vulnerabilities that can lead to the compromise of your site

Every plugin installed is additional code installed on your site that increases the complexity of your site and opens additional potential vulnerability sources. This is not meant to scare you, since it is important to balance the risk vs. reward of any type of business activity, but only to give you additional awareness of the risks.

Risk #4 – Increased administrative burden

Installing a new WordPress plugin should be looked at as both an opportunity and a commitment to stay current with that plugin's security vulnerabilities and plugin patches. This leads to increased administrative overhead, and while it is relatively easy to apply a patch, most of the overhead comes from the support complexities caused during the 1 time out of 50 when something goes very wrong.

Tips to manage the risks of using WordPress Plugins:

#1 – Check the plugin support box to make sure your intended WordPress plugin is compatible with the version of WordPress you are running. Avoid installing any plugins that are not supported with your WordPress version unless you are very technically savvy and have a backup/recovery plan.

#2 – Run the latest version of WordPress to minimize your chances of compatibility issues when new plugin updates are released.

#3 – Wait about two weeks to install a new WordPress plugin update unless there has been a critical security exploit that is actively compromising sites. Being on the bleeding edge puts you at an increased risk of suffering an outage or causing additional technical troubleshooting that takes away from your other site activities.

#4 – Implement a strategy of regular backups and test your backups to ensure your site can be recovered as expected. Failing to test your backups could lead to undesired surprises and unneeded stress during an already stressful time.

#5 – Only install WordPress plugins that you intend to use and remove plugins that you tested but no longer want. It is better to limit your installed plugins to those you need for the operation of your site to minimize additional potential vulnerabilities and plugin updates.

Some security professionals would say you should review all of the lines of plugin code prior to installing a plugin but I believe that is impractical for the average site owner and overkill. This step may be necessary if your site is bringing in the bulk of your business revenue but otherwise follow the security tips outlined above to minimize your chances of having WordPress plugin related problems.

WordPress Security – Plugin update causes wp-admin access problem

WordPress security tips have been on my short list of topics to write about for quite a while now and I planned to cover them right after focusing on security for popular Smartphone devices. Fate had other ideas. Many people theorize that experience is the best teacher and that it is impossible to teach without learning yourself, and to a large extent I agree with that. So now that I have experienced my first WordPress plugin update problem I am better prepared to share my learnings and reflections with you.

WordPress plugins are popular and add a lot of functionality to a WordPress site but are potential sources of security vulnerabilities that could lead to your site getting hacked. For this reason I regularly check my admin panel and quickly update my plugins when a new version is released. Today, I caught myself on the bleeding edge of the upgrade curve as I experienced my first ever issue while applying a WordPress plugin update. The end result was that my wp-admin panel was inaccessible and I was no longer able to administer my own site. One of the central principles of information security is to ensure availability, and I no longer had it due to a security upgrade; how Shakespearean!

Lesson #1 – Don’t panic, you have a current WordPress backup right?

Fortunately for me I have a daily automated backup created, so I was confident that I could restore my site with minimal inconvenience (ironically a handy plugin helps me with that). This gave me the peace of mind to be calm and know that I would recover, so if you do not perform regular backups I recommend that you do.

Lesson #2 – You can solve nearly anything with Google, including when a plugin update corrupts your wp-admin section.

Since I had never experienced an issue with a WordPress plugin update before I was not quite sure how to handle the situation. Luckily for me we have Google. On the first page of my search query titled “WordPress plugin made wp-admin inaccessible” I was able to find a quick and easy solution which involved accessing my web hosting file manager, navigating to my site’s plugin directory and renaming the plugin that caused the denial of service on my admin page. After performing these actions my admin panel was again operational.
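The two manual steps above, the compatibility check from tip #1 of the earlier post (compare the plugin's “Tested up to” value against the running WordPress version) and the rename that takes a misbehaving plugin out of play, as a small added shell example that is not part of the original post. It assumes a standard install layout (wp-includes/version.php, wp-content/plugins/<slug>/readme.txt) and uses a “.disabled” suffix of my own choosing for the rename; the fixture at the bottom is constructed only so the script runs offline.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumed layout: a WordPress root DIR
# with wp-includes/version.php and wp-content/plugins/SLUG/readme.txt.

# Print the core version declared in wp-includes/version.php ($wp_version = '...';).
wp_version() {
    sed -n "s/^[$]wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Print the plugin's "Tested up to:" readme header (empty if the file or header is missing).
plugin_tested_up_to() {
    readme="$1/wp-content/plugins/$2/readme.txt"
    [ -f "$readme" ] || return 0
    sed -n 's/^[Tt]ested up to: *\([0-9.]*\).*/\1/p' "$readme" | head -n 1
}

# Return 0 when the plugin declares testing on a core release at least as new as the
# running major.minor, 1 otherwise (tip #1). Versions are compared numerically, not as strings.
plugin_compatible() {
    core=$(wp_version "$1"); tested=$(plugin_tested_up_to "$1" "$2")
    [ -n "$tested" ] || return 1                 # no declaration: treat as unsupported
    core_mm=$(echo "$core" | cut -d. -f1,2)
    newest=$(printf '%s\n%s\n' "$core_mm" "$tested" | sort -t. -k1,1n -k2,2n | tail -n 1)
    [ "$newest" = "$tested" ]
}

# The recovery rename from the post: move wp-content/plugins/SLUG aside so WordPress can no
# longer load it. Refuses to clobber an existing ".disabled" copy (assumed suffix).
disable_plugin() {
    src="$1/wp-content/plugins/$2"; dst="$src.disabled"
    [ -d "$src" ] || { echo "no such plugin: $2" >&2; return 1; }
    [ -e "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
    mv "$src" "$dst"
}

# Constructed fixture (not a real site): core 3.1.2 with plugin "alpha" tested on 3.1
# and plugin "beta" tested only on 2.9. Prints the temporary root directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/plugins/alpha" "$d/wp-content/plugins/beta"
    printf "<?php\n\$wp_version = '3.1.2';\n" > "$d/wp-includes/version.php"
    printf 'Tested up to: 3.1\n' > "$d/wp-content/plugins/alpha/readme.txt"
    printf 'Tested up to: 2.9\n' > "$d/wp-content/plugins/beta/readme.txt"
    echo "$d"
}
```

Run `plugin_compatible "$root" some-slug` before an update and `disable_plugin "$root" some-slug` after a lockout; both exit non-zero on a problem so they can gate a script.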

Lesson #3 – Security patches need time to test; most of the time you don’t want to be on the bleeding edge

In the name of all things security I was on the bleeding edge of applying new patches to avoid potential hacker issues. In general that is not a bad approach but security patches themselves may have bugs that can lead to the lack of availability of your systems. It is often a balance to apply an update right away (prevent a hacker) vs. creating a corresponding risk to the availability of your system. For a WordPress site that can be quickly restored this may not be as big an issue but if you were dealing with a mission critical ERP system it would be an altogether different equation requiring detailed development environment testing of the patch.

Information security is always a bit of a balancing act and this is a great example of assessing the risks between being bleeding edge vs. allowing for patch burn in testing time. No matter which approach you choose make sure you have balanced the risks of both scenarios.