Tag Archives: Wordpress Plugin Security

WordPress Plugin Security – Your Sites worst security nightmare?

The WordPress security team recently announced some serious wordpress plugin security vulnerabilities with three popular plugins WPtouch, AddThis, and W3 Total Cache. If you are one of the WordPress site owners using the mentioned plugins who updates plugins as soon as they are available you need to take prompt action to avoid potential information security problems with your site. If you have updated within the last few days you need to quickly update again to avoid problems from potentially malicious wordpress plugins.

Bad versions of each plugin:

Wptouch: versions 1.9.27 or 1.9.28

AddThis: version 2.1.3

W3 Total Cache: Unclear latest version is recommended

Good versions of each plugin:

WPtouch: 1.9.26 or older or the latest version 1.9.29

AddThis: 2.1.2 or older or the latest version 2.2.0

W3 Total Cache: version 0.9.2.3

WordPress security lessons learned/validated

  • WordPress plugins are of unknown security levels and must be treated as such by sites requiring a high level of security
  • WordPress updates and plugin updates should be given a 2-3 week burn in process before applying to avoid defects and issues such as this. This would have helped prevent exposure to the situation described by WordPress and the only caveat would be if failing to update exposes to your site you known exploits that are circulating in the wild.
  • Disable or preferably delete any WordPress plugins that you are no longer utilizing for your site.
  • Make sure your WordPress site administrator is staying in the loop with WordPress security updates, awareness is half the battle.
  • Keep multiple copies of your sites backups so you have your choice of restore points if the worst
  • Security issues can happen even with trusted plugins. WPTouch is probably the most widely used plugin to assist with mobile device compatibility and if it can happen to them it can happen to anyone.

Be sure to understand the risk of installing WordPress plugins prior to doing so and be sure to stay on top of WordPress plugin security news to help your site stay secure.

 

WordPress Plugin Security – Is it risky to install plugins?

WordPress is loved by the masses because it is free, easy to use, and has 1000s of plugins that add tremendous functionality to the usability of a site. While all this is true and I myself use and love WordPress,  a site owner should also remember that installing WordPress plugins is the equivalent of installing a new application and brings with it increased risk and additional support requirements that must be met to keep a site secure and functioning properly.

Risk #1 – Availability of your site

How extensive has the testing been for the plugin or plugin update you are installing? I have already discussed a recent plugin upgrade incident I experienced while installing a WordPress plugin update that rendered my admin panel inaccessible. Fortunately for me I had backups and was able to restore the admin panel quickly but it is an eye opening experience for any site owner the first time this type of event occurs. A WordPress plugin is only as good as the support and testing that goes into it otherwise it poses a big security risk to the availability of your site.

Risk #2 – Plugin compatibility issues

WordPress plugin developers are a creative bunch but are often limited financially in their ability to test plugin compatibility with different versions of WordPress and different combinations of  plugins. This leaves you as the equivalent of a beta tester if you are an early adopter of a new plugin or a plugin update. This can lead to site performance issues and cause other more important parts of your site to stop functioning correctly.

Risk #3 – Security vulnerabilities that can lead to the compromise of your site

Every plugin installed is additional code installed on your site that increases the complexity of your site and opens additional potential vulnerability sources. This is not meant to scare you as it is important to balance the risk vs. reward of any type of business activity but is only meant to give you additional awareness into the risks.

Risk #4 – Increased administrative burden

Installing a new wordpress plugin should be looked at as both an opportunity and a commitment to stay current with that plugins security vulnerabilities and plugin patches. This leads to an increased administrative overhead and while it is relatively easy to apply a patch most of the overhead comes due to support complexities caused during the 1 time out of 50 when something goes very wrong.

Tips to manage the risks of using  WordPress Plugins:

#1 – Check the plugin support box to make sure your intended WordPress plugin is compatible with the version of WordPress you are running. Avoid installing any plugins that are not supported with your WordPress version unless you are very technically savvy and have a backup/recovery plan.

#2 – Run the latest version of WordPress to minimize your chances of compatibility issues when new plugin updates are released.

#3 – Wait about two weeks to install a new WordPress plugin update unless there has been a critical security exploit that is actively compromising sites. Being on the bleeding edge put you at an increased risk of suffering an outage or causing additional technical troubleshooting that take away from your other site activities.

#4 – Implement a strategy of regular backups and test your backups to ensure your site can be recovered as expected. Failing to test your backups could lead to undesired surprises and unneeded stress during an already stressful time.

#5 – Only install WordPress plugins that you intend to use and remove plugins that you tested but no longer want. It is better to limit your installed plugins to those you need for the operation of your site to minimize additional potential vulnerabilities and plugin updates.

Some security professionals would say you should review all of the lines of plugin code prior to installing a plugin but I believe that is impractical for the average site owner and overkill. This step may be necessary if your site is bringing in the bulk of your business revenue but otherwise follow the security tips outlined above to minimize your chances of having WordPress plugin related problems.