The WordPress security team recently announced some serious wordpress plugin security vulnerabilities with three popular plugins WPtouch, AddThis, and W3 Total Cache. If you are one of the WordPress site owners using the mentioned plugins who updates plugins as soon as they are available you need to take prompt action to avoid potential information security problems with your site. If you have updated within the last few days you need to quickly update again to avoid problems from potentially malicious wordpress plugins.
Bad versions of each plugin:
Wptouch: versions 1.9.27 or 1.9.28
AddThis: version 2.1.3
W3 Total Cache: Unclear latest version is recommended
Good versions of each plugin:
WPtouch: 1.9.26 or older or the latest version 1.9.29
AddThis: 2.1.2 or older or the latest version 2.2.0
W3 Total Cache: version 0.9.2.3
WordPress security lessons learned/validated
- WordPress plugins are of unknown security levels and must be treated as such by sites requiring a high level of security
- WordPress updates and plugin updates should be given a 2-3 week burn in process before applying to avoid defects and issues such as this. This would have helped prevent exposure to the situation described by WordPress and the only caveat would be if failing to update exposes to your site you known exploits that are circulating in the wild.
- Disable or preferably delete any WordPress plugins that you are no longer utilizing for your site.
- Make sure your WordPress site administrator is staying in the loop with WordPress security updates, awareness is half the battle.
- Keep multiple copies of your sites backups so you have your choice of restore points if the worst
- Security issues can happen even with trusted plugins. WPTouch is probably the most widely used plugin to assist with mobile device compatibility and if it can happen to them it can happen to anyone.
Be sure to understand the risk of installing WordPress plugins prior to doing so and be sure to stay on top of WordPress plugin security news to help your site stay secure.