This week’s iThemes WordPress vulnerability report has a couple of the more popular plugins for WP in it. Number 1, installed on 5 million websites, is the page builder plugin Elementor. This week’s 2nd place plugin, Ninja Forms, has 1 million installations.
If you are managing your own WP website I encourage you to check the entire report and make sure to apply any updates relevant to your website, or to disable and remove any plugin without an update. Here’s the link to this week’s report.
Thoughts
There are said to be over 55,000 WordPress plugins in the official WordPress.org plugin directory, and tens of thousands more out in other reputable and not-so-reputable online marketplaces. This week’s report had 20 newly discovered plugin vulnerabilities, with 17 of them already fixed and available via an update.
20 out of 65,000+ is a drop in the bucket and, IMHO, nothing to freak out about. 17 out of 20 already fixed/updated and available for download is not too shabby either.
It is notable that Elementor, with its very large user base, is on this week’s list. Yet, it is very reassuring that they have already fixed the problem and have an update available. Hopefully, the 5 million websites with Elementor installed are being looked after appropriately by their administrators.
If you are responsible for a website using Elementor, Ninja Forms, or any of the other plugins on this report you need to make sure that you are taking appropriate action to help keep your website secure.
Suggested Action Items
If I had a friend whose website had a vulnerability on it, I would suggest that they do the following:
- Have Market Street take over software management (updates, backups, security log reviews, and more…) so that it is looked after by an experienced website support professional. 🙂
However, if they were determined to DIY it, here are some of what I consider to be “best practices” when making software changes to your website:
NOTE: Mumble, grumble, frickin’ lawyers…. Neither myself nor Market Street can be held liable for anything that happens if you follow these suggestions and damage your website. Every website is different and has its own unique software environment and hosting characteristics that must be taken into consideration whenever you make software changes.
- Confirm that you have access to multiple backups spanning several weeks or months for your website. Off-site backups should have been the 2nd thing installed and configured when setting up your website.
- Create a staging copy of your website.
- Log into the staging website, update the plugins on the staging website, and test thoroughly, looking for problems. It is rare, but sometimes an update unintentionally creates a conflict with other software installed on your website.
- If you found problems with an update on your staging website, start diagnosing the conflict and contact the appropriate software vendor’s tech support teams to report it and hopefully help you work it out.
- If all goes well with your testing on the staging website, log in to the live website and make an off-site backup of your live website.
- Apply the plugin update to your live website.
- Test the live website thoroughly to confirm it is working properly. Don’t assume that because it worked on the staging site that the update will work on the live website without problems.
- Review your process of looking for and responding to routine updates and security updates. Make sure this is done frequently and often. Yes, that was a joke. Well, sort of, you really want to frequently check for updates.
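The triage step this list describes, deciding which plugins need an update and which have no fix and should be disabled and removed, can be scripted against WP-CLI’s plugin list. This is an added example, not code from the iThemes report or from Market Street; the plugin list, version numbers and report contents are constructed for the example, and the `wp plugin list` field names are the standard WP-CLI ones.

```python
import json
import subprocess

# Constructed sample of what `wp plugin list --format=json --fields=name,status,version,update,update_version`
# returns from WP-CLI; the plugin set and version numbers are made up for this example.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "version": "3.0.0", "update": "available", "update_version": "3.0.1"},
    {"name": "ninja-forms", "status": "active", "version": "3.6.1", "update": "none", "update_version": ""},
    {"name": "abandoned-widget", "status": "active", "version": "1.0", "update": "none", "update_version": ""},
    {"name": "hello", "status": "inactive", "version": "1.7.2", "update": "none", "update_version": ""},
])

# Constructed stand-in for the weekly report: plugin slug -> first fixed version, or None when no fix exists.
SAMPLE_REPORT = {"elementor": "3.0.1", "ninja-forms": "3.6.1", "abandoned-widget": None}


def _vtuple(version):
    """Turn '3.6.1' into (3, 6, 1) for comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def triage(plugin_list_json, report):
    """Sort the report's plugins into: update now, disable/remove (no fix), already patched, not installed."""
    installed = {p["name"]: p for p in json.loads(plugin_list_json)}
    result = {"update": [], "remove": [], "patched": [], "not_installed": []}
    for slug, fixed_in in report.items():
        plugin = installed.get(slug)
        if plugin is None:
            result["not_installed"].append(slug)
        elif fixed_in is None:
            result["remove"].append(slug)           # vulnerable and no fix released: disable and delete
        elif _vtuple(plugin["version"]) >= _vtuple(fixed_in):
            result["patched"].append(slug)          # already at or past the fixed version
        else:
            result["update"].append(slug)           # fix released, site still on an older version
    return result


def live_plugin_list(wp_path="."):
    """Ask WP-CLI for the real plugin list; returns None when `wp` is unavailable or fails."""
    cmd = ["wp", "plugin", "list", "--format=json",
           "--fields=name,status,version,update,update_version", f"--path={wp_path}"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    plugins = live_plugin_list() or SAMPLE_PLUGIN_LIST   # fall back to the constructed sample offline
    for action, slugs in triage(plugins, SAMPLE_REPORT).items():
        print(f"{action}: {', '.join(slugs) or '-'}")
```

Run it from the staging site’s WordPress root first, as the list above advises, and only against the live site after the staging test passes.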
PRO TIP: Make absolutely sure that you know how your backup software works, where your backups are stored, and how to access them if your website goes down. Additionally, you should test your backups on a routine basis to make sure that restoring works as expected when you need it most.