
Thousands of WordPress Sites Potentially Using a Vulnerable Plugin: Here’s How to Keep Your Site Safe


In March 2024, a critical vulnerability was disclosed in the WordPress plugin WordPress Automatic. Sold on the CodeCanyon marketplace, WordPress Automatic is an automatic content scraper: it retrieves articles, videos, products, images and other content from external sources and republishes that content on your website without manual intervention.

Security research firm Patchstack reported the vulnerability, an SQL injection flaw that made it possible for malicious actors to take full control of vulnerable websites. All types of websites, from vape shops to personal blogs, were exposed if they ran an unpatched version of the plugin.

Although the plugin was patched promptly, some website owners didn’t install the patch because they were unaware of the severity of the issue. Recent user reviews for the WordPress Automatic plugin suggest that at least a few websites were completely lost due to the vulnerability.

No website is completely immune to hacking, and WordPress – which powers something like 43 percent of all of the world’s websites – is a priority target for malicious actors.

Here’s the good news, though: When a website does get hacked, it’s not usually because a hacker has targeted that site specifically. More often, websites get hacked because they’re running vulnerable WordPress themes or plugins that have been discovered through the use of automated scanners.

In other words, if your site doesn’t have a known vulnerability that’s easily found with a scanner and exploited by automated means, hackers will usually move on.

With that in mind, you can keep your WordPress site quite safe by simply following a few common-sense security practices. In this guide, we’ll explain exactly what you need to do to minimize the risk of an insecure plugin causing your site’s untimely demise.

Update Your Theme and Plugins Promptly

When you log in to WordPress, the sidebar shows a notification whenever updates are available for your site's theme or plugins, and some plugins with a pending update also display a message at the top of the page. If your site runs a large number of plugins, you may see update notifications almost every time you log in and may be tempted to put off installing them. You do so at your peril: you never know when an update includes the fix for a critical security issue, and a publicly known flaw is exactly what automated scanners look for.

The WordPress Automatic plugin was updated as soon as its developer was notified of the security flaw. However, a non-disclosure agreement reportedly prevented the developer from discussing the flaw until Patchstack made it public, so the update looked routine and some users ignored it. The lesson is to treat every update as potentially security-relevant, even when the changelog says nothing about security.

Maintain Full Site and Database Backups

It’s becoming more common for web hosts to offer full automatic website and database backups, which is a great thing for security. If your website is hacked, having a backup available means that you can restore the site to its previous state, sometimes with a single click. If your host doesn’t offer this service, several WordPress plugins can do the job for you. It’s important, though, to maintain a library of backups from several different points in time, because if your website is hacked it may be a while before you notice, and the most recent backup may already contain the attacker's changes. Keep copies somewhere other than the web server itself, so that whoever takes over the site cannot delete or encrypt them too.
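The backup routine below is an added example written for this article; it is not code from the article, from any host or from any backup plugin. It dumps the database with WP-CLI, archives wp-content and wp-config.php, and keeps a rolling library of the newest N snapshots so that an older clean copy survives when a compromise goes unnoticed for weeks. It assumes WP-CLI is installed as `wp` and that the backup directory sits outside the web root; the snapshot files used in the offline demonstration are constructed and empty.

```shell
#!/bin/sh
# Added example, not the article's or any host's code: snapshot a WordPress
# site with WP-CLI and keep a rolling library of the newest N snapshots.
# Assumes WP-CLI ("wp") and a backup directory outside the web root.
set -eu

# Take one snapshot of the site at $1 into directory $2, named by UTC time.
backup_site() {
    site=$1; dest=$2
    stamp=$(date -u +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    wp --path="$site" db export "$dest/db-$stamp.sql"
    tar -czf "$dest/files-$stamp.tar.gz" -C "$site" wp-content wp-config.php
    chmod 600 "$dest"/db-"$stamp".sql "$dest"/files-"$stamp".tar.gz
}

# List the snapshot files in $1, oldest first (names sort chronologically).
snapshots_in() {
    ls "$1" | sort
}

# Delete all but the newest $2 snapshots of each kind (db, files) in $1.
prune_backups() {
    dir=$1; keep=$2
    for kind in db files; do
        n=$(ls "$dir"/"$kind"-* 2>/dev/null | wc -l | tr -d ' ')
        [ "$n" -gt "$keep" ] || continue
        ls "$dir"/"$kind"-* | sort | head -n $((n - keep)) |
            while IFS= read -r old; do rm -f "$old"; done
    done
}

if command -v wp >/dev/null 2>&1 && [ -n "${SITE_ROOT:-}" ]; then
    # Real run: SITE_ROOT points at the WordPress install, keep 14 snapshots.
    dest=${BACKUP_DIR:-$HOME/wp-backups}
    backup_site "$SITE_ROOT" "$dest"
    prune_backups "$dest" 14
else
    # Offline demonstration of rotation on constructed, empty snapshot files.
    tmp=$(mktemp -d)
    for s in 20240101-020000 20240108-020000 20240115-020000; do
        : > "$tmp/db-$s.sql"
        : > "$tmp/files-$s.tar.gz"
    done
    prune_backups "$tmp" 2
    snapshots_in "$tmp"    # the two newest snapshots of each kind remain
    rm -rf "$tmp"
fi
```

Run it from cron with `SITE_ROOT` and `BACKUP_DIR` set, then copy the backup directory to off-server storage with a tool such as rsync or rclone. The retention count is the security control here: a library that only holds yesterday's snapshot is useless once you learn that the site was compromised last month.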

Consider Running a Security Plugin

If your website is your business, there’s no excuse not to have a security solution of some kind. A security plugin can monitor login and access attempts and block clients that appear to be malicious; some content delivery networks provide this service as well. A security plugin can also monitor your site’s files and notify you when anything changes unexpectedly. If new files suddenly begin appearing on your server, especially PHP files in the uploads directory, your site has very likely been hacked.
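The file-change monitoring that a security plugin performs can be reproduced with a few lines of shell, which is useful on hosts where you cannot install one or want an independent check. The script below is an added example written for this article, not code from the article or from any security plugin. It records a SHA-256 baseline of every file under the site root and later reports files that are new, changed or deleted. It assumes `sha256sum` from coreutils (or `shasum` on BSD and macOS); the small site tree built in `demo()` is constructed purely for illustration.

```shell
#!/bin/sh
# Added example, not code from the article or any plugin: a minimal
# file-integrity check for a WordPress install. Take a baseline right after
# a clean update, then re-run the check from cron and alert on any drift.
set -eu

# Print "hash  ./relative/path" for every regular file under $1, sorted by
# path so that baselines taken at different times line up.
hash_tree() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          if command -v sha256sum >/dev/null 2>&1; then sha256sum "$f"
          else shasum -a 256 "$f"; fi
      done )
}

# Compare baseline file $1 with the current contents of directory $2.
# Prints one "NEW|CHANGED|DELETED path" line per difference and returns 1
# when the tree has drifted, 0 when it still matches the baseline.
check_tree() {
    current=$(mktemp)
    hash_tree "$2" > "$current"
    drift=$(awk -v base_file="$1" '
        FILENAME == base_file { base[$2] = $1; next }   # baseline lines
        {
            seen[$2] = 1
            if (!($2 in base))       print "NEW     " $2
            else if (base[$2] != $1) print "CHANGED " $2
        }
        END { for (p in base) if (!(p in seen)) print "DELETED " p }
    ' "$1" "$current" | sort)
    rm -f "$current"
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Constructed demo: build a tiny fake site, take a baseline, then simulate
# what a compromise looks like (a new PHP file under uploads and an edited
# wp-config.php) and run the check.
demo() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-content/plugins/example"
    printf '<?php // constructed wp-config\n' > "$site/wp-config.php"
    printf '<?php // constructed plugin file\n' > "$site/wp-content/plugins/example/example.php"
    hash_tree "$site" > "$site.baseline"

    printf '<?php // unexpected new file\n' > "$site/wp-content/uploads/cache.php"
    printf '// unexpected edit\n' >> "$site/wp-config.php"

    check_tree "$site.baseline" "$site" ||
        echo "drift detected: investigate before trusting this copy or its backups"
    rm -rf "$site" "$site.baseline"
}
demo
```

Paths containing spaces are not handled by the awk split, which is fine for a stock WordPress tree. Store the baseline outside the web root (an attacker who can write to the site can also rewrite a baseline kept next to it), and pair this with `wp core verify-checksums` and `wp plugin verify-checksums --all` from WP-CLI, which compare core and WordPress.org plugin files against the published checksums rather than against your own snapshot.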

Get Your Themes and Plugins from a Trusted Source

The WordPress.org plugin and theme directory is always the most reliable place to find themes and plugins for your site. Everything there is free and open source, is reviewed before it is listed, and is open to scrutiny by the very large community of WordPress developers and volunteers. In many cases, though, you may need functionality that isn’t available in a free theme or plugin, and then you’ll have to pay for premium software. Buy it from the vendor or a reputable marketplace rather than from a site offering "nulled" copies, and prefer vendors who publish a changelog, respond to security reports and have a track record of shipping fixes promptly. If the plugin handles anything sensitive, have someone who can read PHP audit the code before you rely on it.

Remove Unused Themes and Plugins

Every theme and every plugin installed on your WordPress website should be treated as a potential security hole because that’s exactly what hackers are doing – they’re constantly scrutinizing every bit of WordPress code in existence and looking for vulnerabilities to exploit. Every time you remove a theme or plugin from your site, you’re eliminating a potential point of entry. Go through your site’s plugins and themes and remove anything that you aren’t using. It’s also a good idea to look through your active plugins and make sure that you really need all of them.
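Both of the chores above, applying pending updates and removing plugins you no longer use, can be driven from the same WP-CLI inventory. The script below is an added example written for this article, not code from the article or from WP-CLI's own documentation. It reads the CSV that `wp plugin list` produces, reports plugins with a pending update and plugins that are installed but inactive, and, only when run with `APPLY=1` on a real site, applies the updates and deletes the inactive plugins and themes. It assumes WP-CLI is installed as `wp` and is run from the site root; when `wp` is not present it falls back to a constructed sample inventory with made-up plugin names.

```shell
#!/bin/sh
# Added example, not from the article or WP-CLI's docs: a plugin hygiene
# pass over WP-CLI's inventory. Report only by default; APPLY=1 acts.
set -eu

# Read "name,status,update,version,update_version" CSV on stdin, i.e. the
# output of: wp plugin list --fields=name,status,update,version,update_version --format=csv
# and print the names of plugins whose update column is "available".
plugins_with_updates() {
    awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Same input; print plugins that are installed but inactive. Inactive code
# is still on disk and still reachable by a scanner, so it is a deletion
# candidate unless you have a specific reason to keep it.
inactive_plugins() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

if command -v wp >/dev/null 2>&1; then
    inventory=$(wp plugin list --fields=name,status,update,version,update_version --format=csv)
else
    # Constructed sample inventory so this example runs offline; the plugin
    # names and versions are invented.
    inventory='name,status,update,version,update_version
example-seo,active,none,4.2.0,
example-scraper,active,available,3.1.0,3.1.1
example-hello,inactive,none,1.7.2,
example-gallery,inactive,available,2.0.0,2.1.0'
fi

echo "== plugins with a pending update =="
printf '%s\n' "$inventory" | plugins_with_updates
echo "== inactive plugins (delete unless you need them) =="
printf '%s\n' "$inventory" | inactive_plugins

if [ "${APPLY:-0}" = 1 ] && command -v wp >/dev/null 2>&1; then
    wp plugin update --all
    for p in $(printf '%s\n' "$inventory" | inactive_plugins); do
        wp plugin delete "$p"
    done
    # Themes: delete everything that is not active. If your active theme is a
    # child theme, its parent shows as inactive and must be kept.
    for t in $(wp theme list --status=inactive --field=name); do
        wp theme delete "$t"
    done
fi
```

Take a backup before running with `APPLY=1`, and review the inactive list first: a plugin that is only switched off during a migration, or the parent of your child theme, should stay. The CSV parsing assumes plugin slugs contain no commas, which holds for anything installed from WordPress.org or CodeCanyon.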

Find Replacements for Abandoned Plugins

Has it been a while since the last time you saw an update notification for a particular plugin? If so, check the plugin’s changelog, or the "Last updated" date on its WordPress.org page, to see when it was last touched. Unless a plugin’s functionality is extremely simple, you should consider it abandoned if it hasn’t been updated in more than a year or so; WordPress.org also warns when a plugin hasn’t been tested with recent major releases. In that case, look for a plugin that provides the same functionality and is still actively maintained. Security holes can lurk in old plugins for a long time before they’re discovered, and if the author no longer updates a plugin that has a hole, the vulnerability will never be fixed.
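For plugins hosted on WordPress.org the "last updated" check can be automated against the public plugin information API, which returns a `last_updated` field. The script below is an added example written for this article, not code from the article or from WordPress.org. It extracts that date, computes how many days old it is with pure-shell date arithmetic (so it behaves the same on GNU and BSD systems), and flags anything older than a configurable threshold. The JSON sample it falls back to when no slug is given is constructed; `PLUGIN_SLUG`, `MAX_DAYS` and the `example-widget` name are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the article: flag WordPress.org plugins whose
# last update is older than MAX_DAYS, using the plugin information API at
# https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=SLUG
# Premium plugins are not covered; check their changelog by hand.
set -eu

# Days since 1970-01-01 for a YYYY-MM-DD date (days-from-civil algorithm).
epoch_days() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                 # avoid octal parsing of "08", "09"
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Number of days from date $1 to date $2 (both YYYY-MM-DD).
days_between() {
    echo $(($(epoch_days "$2") - $(epoch_days "$1")))
}

# Pull the YYYY-MM-DD prefix of "last_updated" out of the API's JSON on stdin.
last_updated_from_json() {
    sed -n 's/.*"last_updated":"\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p' | head -n 1
}

# Succeeds when $1 lies more than $3 days before $2.
is_stale() {
    [ "$(days_between "$1" "$2")" -gt "$3" ]
}

today=$(date -u +%Y-%m-%d)
MAX_DAYS=${MAX_DAYS:-365}

if command -v curl >/dev/null 2>&1 && [ -n "${PLUGIN_SLUG:-}" ]; then
    # -g stops curl from treating the [] in request[slug] as a glob range.
    json=$(curl -gfsS "https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=$PLUGIN_SLUG")
else
    # Constructed sample response so the example runs offline.
    PLUGIN_SLUG=example-widget
    json='{"name":"Example Widget","slug":"example-widget","version":"1.4.2","last_updated":"2022-03-01 9:12am GMT","tested":"5.9.3"}'
fi

last=$(printf '%s' "$json" | last_updated_from_json)
if is_stale "$last" "$today" "$MAX_DAYS"; then
    echo "$PLUGIN_SLUG: last updated $last ($(days_between "$last" "$today") days ago): treat as abandoned and look for a replacement"
else
    echo "$PLUGIN_SLUG: last updated $last: still maintained"
fi
```

Loop it over `wp plugin list --field=name` to review a whole site at once. A recent `last_updated` is necessary but not sufficient: it shows the author is still around, not that the code has been reviewed, so combine it with the update and inventory habits above.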

Hire a Developer to Audit Old Plugins and Themes

Suppose your website has a mission-critical plugin that’s been abandoned by the developer and is no longer updated. In that case, you’re on your own when it comes to ensuring that the plugin is secure and has no vulnerabilities. In this case, hiring a developer and having that person audit the plugin for you would be a very good idea. Maintaining the plugin may become an ongoing expense until you find a replacement for it.


1 Comment

  • Global Entrepreneurial Universirty
    May 14, 2024

    What factors should website owners consider when deciding whether to replace an old plugin or theme?
