WordPress is the undisputed king of the CMS realm with a worldwide market share of over 60%. With over 450 million websites using it, any serious security flaw has the potential to affect a vast number of people and businesses at once.
Third party plugins
Plugins are an essential part of making websites what they are by adding features and functionality, such as contact forms, photo galleries, sliders and much more. These incredibly useful tools can transform a WordPress website from bog standard to a flexible and customisable powerhouse.
The downside is that they can also introduce security vulnerabilities. Because anyone can publish a third party WordPress plugin, quality varies enormously, and many contain flaws (and occasionally deliberate backdoors) that can give attackers access to the websites they are installed on.
The most recent example of a third-party WordPress plugin with a security issue is a plugin called File Manager. It is open-source software designed to help administrators manage files through a web interface, and it bundles a file-management library called elFinder. The way the plugin exposed that library created an easily exploitable vulnerability.
During a routine update four months ago, the developers renamed one of the library's files and accidentally committed the renamed copy to the project instead of keeping it as a local change. The renamed file could be requested directly by anyone, without logging in, and used to issue commands to the library. Because those commands include uploading and modifying files, the flaw allows complete takeover of the affected website. In the attacks that followed, a successful exploit was typically followed by the upload of a web shell disguised as an image file onto the site's server.
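The class of flaw described above is a PHP file inside a plugin directory that the web server will execute for any visitor, so that WordPress's own login, capability and nonce checks never run. The following is an added example, not File Manager's or elFinder's code: the vulnerable shape is sketched in the comment, and the rest shows how the same file-management command should be exposed, through WordPress's admin-ajax entry point behind an authenticated, capability-checked, nonce-protected handler. The plugin name, the `gfc_` function names and the `gfc_command` action are illustrative.

```php
<?php
/**
 * Plugin Name: Guarded File Command (example)
 * Description: Added example, not code from File Manager or elFinder. Shows a
 *              file-management command exposed only through WordPress, behind a
 *              login, a capability check and a nonce.
 */

// Refuse to do anything if this file is requested directly by URL rather than
// loaded by WordPress. Without this, the file itself becomes the attack surface.
defined( 'ABSPATH' ) || exit;

// Vulnerable shape (do not deploy): a stand-alone script such as
// wp-content/plugins/my-plugin/connector.php that any visitor can request.
// WordPress is never loaded, so no authentication or authorisation runs:
//
//     <?php
//     require __DIR__ . '/lib/file-library.php';            // hypothetical library
//     gfc_library_run( $_REQUEST['cmd'] ?? '', $_FILES );   // 'upload', 'rename', ...
//
// A copy of such a script shipped with a non-PHP extension (.php-dist, .txt)
// is inert because the web server will not execute it; rename it to .php and
// it is live for everyone on the internet.

/**
 * Hypothetical command handler standing in for the bundled library.
 * Only the commands we list are reachable; unknown commands are rejected.
 */
function gfc_handle_command( string $cmd, array $files ): array {
	switch ( $cmd ) {
		case 'upload':
			if ( empty( $files['upload'] ) ) {
				return array( 'error' => 'no file supplied' );
			}
			require_once ABSPATH . 'wp-admin/includes/file.php';
			// wp_handle_upload() applies WordPress's file-type allow-list and,
			// for images, checks that the content matches the extension, so a
			// PHP web shell renamed to shell.jpg is refused.
			$result = wp_handle_upload( $files['upload'], array( 'test_form' => false ) );
			if ( isset( $result['error'] ) ) {
				return array( 'error' => $result['error'] );
			}
			return array( 'url' => $result['url'] );
		default:
			return array( 'error' => 'unknown command' );
	}
}

// wp_ajax_{action} fires only for logged-in users (anonymous requests would
// need wp_ajax_nopriv_{action}, which we deliberately do not register).
add_action( 'wp_ajax_gfc_command', function () {
	check_ajax_referer( 'gfc_command' );            // CSRF: nonce must match
	if ( ! current_user_can( 'upload_files' ) ) {   // least privilege: a capability, not just a login
		wp_send_json_error( 'forbidden', 403 );
	}
	$cmd = isset( $_POST['cmd'] ) ? sanitize_key( wp_unslash( $_POST['cmd'] ) ) : '';
	wp_send_json( gfc_handle_command( $cmd, $_FILES ) );
} );
```

The admin-side JavaScript would POST to `ajaxurl` with `action=gfc_command`, `cmd=upload`, the file, and `_ajax_nonce` set to `wp_create_nonce( 'gfc_command' )`. The point of the layering is that each guard fails closed on its own: a direct request to the plugin file exits at the `ABSPATH` check, an anonymous request to admin-ajax never reaches the handler, a logged-in subscriber is stopped by the capability check, and a forged request from another site is stopped by the nonce.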
As File Manager is a very popular plugin for WordPress, approximately 700,000 separate WordPress sites were left open to attack. Once the weakness became known among hackers it was adopted immediately, because it was both high impact and easy to exploit. The first attacks were seen on 31st August at a rate of roughly 1,500 an hour, rising to over 10,000 an hour by 2nd September.
How the File Manager plugin developer responded
This type of security issue is known as a ‘zero-day vulnerability’: one that attackers discover, or begin exploiting, before the developer has a fix available. The ‘zero-day’ refers to the developer having had ‘zero days’ to sort out the problem before it was being exploited by malicious hackers.
In the case of the third-party developed File Manager, the developers responded quickly, removing the exposed file and releasing a fixed version within the day. Any website that upgrades to the new version of File Manager should be safe, but sites that haven’t done so remain wide open to attack – and will be until they install the update.
How can I protect against cybersecurity threats to my plugins?
In short – ensure that you always have the latest patch or update for your WordPress plugins! There are too many other threats to your cybersecurity out there to neglect your plugins.
With the horde of different third party WordPress plugins available, even the very best of web hosts can’t assume responsibility for making sure your plugins are up to date. Developers tend to be on the ball when fixing potential security risks, but it’s up to you to make sure that your plugins are protected with the latest patch or update. Keeping one eye on the latest news regarding security breaches is also prudent.
Updating and patching your WordPress plugins very regularly is the key to keeping your website as secure as possible. You have two options to ensure that this is done:
The human option
WordPress has a simple update system that automatically searches for plugin, theme and core software updates, and gives you notifications when it finds one. Updating your WordPress plugins is thankfully very straightforward as a task, as it can be carried out simply by going onto the dashboard and making a few clicks.
Easy huh? Unfortunately, this is an important task that relies on a human remembering to do it every week. As well as the obvious danger of forgetting, a person who runs a website on their own can’t delegate the task if they go on holiday, for example. For larger businesses, tracking who pressed what, where and when can cause a surprising number of problems.
The automated option
The alternative to doing this manually is automating your plugin updates.
There are a number of automatic update and patching options to explore, such as the Easy Updates Manager plugin. It automates updates of the WordPress core software as well as the vast majority of your third party plugins. It’s worth noting, however, that this type of tool may not be able to update every third party plugin: those distributed outside the WordPress.org repository often use their own custom update mechanisms, which a generic updater cannot drive.
WordPress itself also offers this option: since version 5.5 (August 2020) the Plugins screen has a per-plugin ‘Enable auto-updates’ control, so core can keep third party plugins from the WordPress.org repository current as well as its own software. Whichever path you choose to walk down, just make sure your plugins are kept up to date.
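One way to switch automation on for every plugin without installing a separate updater, as an added example that is not code from the article or from Easy Updates Manager: a must-use plugin that uses WordPress’s own `auto_update_plugin` and `auto_update_theme` filters, leaves alone any plugin on a skip list (the place for plugins with custom update mechanisms), and logs what the background updater did. The plugin name, the `example_` function name and the slugs in `$skip` are placeholders.

```php
<?php
/**
 * Plugin Name: Auto-update all plugins (example)
 * Description: Added example, not from the article or any named plugin. Drop this
 *              file into wp-content/mu-plugins/ and WordPress's own background
 *              updater (run from WP-Cron) will apply plugin and theme updates,
 *              except for the plugin slugs listed in $skip below.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Decide whether WordPress may auto-update a given plugin.
 *
 * @param bool|null $update Core's default decision (true when the site owner
 *                          enabled auto-updates for this plugin on the Plugins screen).
 * @param object    $item   The update offer: ->slug, ->plugin (main file path),
 *                          ->new_version and ->package (download URL, empty when a
 *                          plugin uses its own update server).
 * @return bool|null
 */
function example_auto_update_plugin( $update, $item ) {
	// Plugins that ship their own updater, typically paid plugins sold outside
	// the WordPress.org repository. These slugs are placeholders.
	$skip = array( 'example-premium-plugin', 'example-custom-updater' );

	$slug = isset( $item->slug ) ? $item->slug : '';
	if ( in_array( $slug, $skip, true ) ) {
		return $update; // leave core's default decision untouched
	}
	// With no package URL WordPress has nothing to download; do not force it.
	if ( empty( $item->package ) ) {
		return $update;
	}
	return true; // everything else: update as soon as an update is offered
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes use the same mechanism; here they are simply switched on.
add_filter( 'auto_update_theme', '__return_true' );

// Record the outcome of each run, so there is an audit trail of "what was
// updated when" even though no human pressed the button. $results is keyed by
// type ('core', 'plugin', 'theme', 'translation'); each entry carries the item,
// its display name and either true or a WP_Error.
add_action( 'automatic_updates_complete', function ( $results ) {
	foreach ( array( 'plugin', 'theme' ) as $type ) {
		if ( empty( $results[ $type ] ) ) {
			continue;
		}
		foreach ( $results[ $type ] as $r ) {
			$outcome = is_wp_error( $r->result ) ? $r->result->get_error_message() : 'ok';
			error_log( sprintf( '[auto-update] %s %s -> %s: %s', $type, $r->name, $r->item->new_version, $outcome ) );
		}
	}
} );
```

Because this lives in `wp-content/mu-plugins/`, it cannot be deactivated from the dashboard, which is what you want for a control that exists to remove the human from the loop. The skip list is the honest answer to the caveat above: a plugin that updates through its own server will not be driven by WordPress’s updater, so keep it on a list you review rather than assume it is covered.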
Fasthosts offers a range of cybersecurity tools such as auto-updates and malware scanning to prevent vulnerabilities being exploited on its WordPress hosting plan.