This week, 79 vulnerabilities may affect over 6.6 million WordPress sites. There are 55 plugin vulnerabilities and 5 themes with security patches available, so run those updates if you use these plugins! Additionally, there are 19 plugin vulnerabilities with no patch available yet. At least three of these have been closed and dropped from the wordpress.org plugin directory so far. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable plugin or theme has been closed, you should consider deactivation and removal in favor of alternative solutions.
Source: https://ithemes.com/blog/wordpress-vulnerability-report-april-12-2023/
What do I think?
“… 79 vulnerabilities may affect over 6.6 million WordPress sites…”
Relax, take a deep breath, read on – the devil is in the details.
Every week this report is published after giving developers time to address newly discovered vulnerabilities. In most cases the developers will jump into action and fix the problems right away.
The overwhelming majority of these theoretical “6.6 million” at-risk websites actually have software updates ready to fix their security vulnerabilities. The website admins just need to apply the updates to their websites.
If you are properly managing your website, you have already applied these updates and are safe from these issues. It doesn’t hurt to double check though, just to be sure…
Worth noting
Of the 19 plugins with no patch, most are listed as having fewer than 2,000 installs each; only 2 are listed higher, at 7,000+ and 3,000+ respectively. This means that the unpatched at-risk group is a drop of water in an ocean of WordPress installations (currently estimated at 800+ million).
At least 7 of the 19 unpatched plugins haven’t been updated in more than a year. If a plugin hasn’t been updated in the last 6 months I often worry that it has been abandoned by the developer.
10 of the 19 unpatched plugins have been closed. The people in charge of the WP repo have decided to pull the software off the shelves. You generally need to uninstall these ASAP.
Only 2 of the unpatched plugins have had developer activity in the past year. These might still get a developer to fix their issues. However, I would look for alternatives ASAP, simply because they have already clearly failed to fix a security issue in a timely manner.
I always do this
When looking to add a feature to your website you need to weigh your risk tolerance against an objective evaluation of the developer of the software.
For example: If your website is a personal technology playground and you don’t care if it crashes and burns, then maybe you can be a little less careful and experiment with out-of-date or possibly unsupported software. Just be sure your “playground” is properly isolated from your important business website.
However, if you are doing anything that is important to your business, or involves customer data in any way, do NOT take any risks. Work only with someone that has an established reputation, with a proven track record of good code and great support that ideally spans a period of several years.
4 things to look for in a WordPress plugin
There are various signals in the WP plugin repository you can use to evaluate the potential relationship you are about to enter into with the plugin’s developer.
Are you about to join forces with a fly-by-night programmer, a zombie cowboy coder, or an established developer with a long history of solid support and timely updates?
- Are they even listed on the WordPress.org plugin repository? To get listed in the repo the software has to go through a series of tests and expert reviews.
  “The review team acts as gate-keepers and fresh eyes on newly submitted plugins, as well as reviewing any reported security or guideline violations.”
  – Source: the official blog for the Plugin Review Team.
  NOTE: I’m not against using software that’s not in the WP repo, but I’m certainly more inclined to use something if it IS in the repo. I know that someone with expertise has at least tested and reviewed the plugin if it got in.
- When was the plugin last updated? If it was more than 6 months ago, what might make that OK? Sometimes a plugin is so narrow in its functional scope that it really doesn’t need to be updated frequently.
  - Does the plugin have a warning banner like: “This plugin hasn’t been tested with the latest 3 major releases of WordPress…”?
  - If so, dig into the support forum to see what the vendor has to say about it. I have used plugins that were over 5 years old – with no updates – because they did something so specific, and in such a manner as to not need updating, that the code was still stable and secure.
- How active is the developer in the support forum?
  - If the support forum doesn’t have any activity from the developer in more than 3 months, I often worry that it is an abandoned piece of software and will usually avoid using it if I have other options.
  - If the support forum has very few “Issues resolved in the last two months”, something like 2 out of 15, then I’ll suspect that the developer isn’t giving the product any real support and that it probably has a number of bugs that I don’t want to encounter.
  - Alternatively, if the support forum is active and has a high percentage of issues resolved, something like 19 out of 26, then I will give it more consideration.
- What is the rating of the plugin, and more importantly, how many reviews does it have? A plugin with three 5-star reviews is less impressive than a plugin with a 4.2 rating and 150+ reviews.
- BONUS ITEM: How many “Active Installs” does the product have? This isn’t as important as you might initially think. I often choose a less installed product over one with more installs, usually because the plugin has a very good developer with great support and does one specific thing really well.
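As an added example (not code from the original post, from iThemes, or from wordpress.org), here is a small Python script that applies the checklist above to plugin metadata in the shape returned by the wordpress.org plugin info API. The field names (last_updated, tested, active_installs, rating, num_ratings, support_threads, support_threads_resolved) follow that API; the 6-month and 1-year thresholds, the list of recent WordPress releases, and the two sample plugin records are assumptions constructed for this example, and the sample records are not real plugins.

```python
"""Apply the plugin-vetting checklist to wordpress.org plugin metadata.

Added example, not code from the original post or from wordpress.org.
Field names follow the wordpress.org plugin info API response; thresholds,
the release list and both sample records are constructed assumptions.
"""
from datetime import date, datetime

# Assumed: recent WordPress major releases, newest last (constructed list).
KNOWN_RELEASES = ["5.8", "5.9", "6.0", "6.1", "6.2"]


def _ver(v):
    """'6.2' -> (6, 2); a '6.2.1' style string keeps only its first two parts."""
    return tuple(int(p) for p in v.split(".")[:2])


def days_since_update(last_updated, today):
    """The API reports e.g. '2023-04-10 3:28pm GMT'; only the date part is needed."""
    updated = datetime.strptime(last_updated[:10], "%Y-%m-%d").date()
    return (today - updated).days


def releases_untested(tested, releases=KNOWN_RELEASES):
    """Count known major releases newer than the version the plugin declares as tested."""
    return sum(1 for r in releases if _ver(r) > _ver(tested))


def evaluate(plugin, today, releases=KNOWN_RELEASES):
    """Return (verdict, findings); verdict is 'avoid', 'caution' or 'consider'."""
    if plugin is None:  # no repo record: no review-team gate, vet the vendor yourself
        return "caution", ["not listed in the wordpress.org repository"]

    findings, red = [], 0  # red counts strong negatives

    age = days_since_update(plugin["last_updated"], today)
    if age > 365:
        findings.append(f"last updated {age} days ago: likely abandoned")
        red += 1
    elif age > 183:  # roughly 6 months
        findings.append(f"last updated {age} days ago: check the support forum first")

    behind = releases_untested(plugin["tested"], releases)
    if behind >= 3:  # the repo's own 'not tested with the latest 3 major releases' banner
        findings.append(f"not tested against the latest {behind} major releases")
        red += 1

    threads, resolved = plugin["support_threads"], plugin["support_threads_resolved"]
    if threads:  # assumed to mirror 'issues resolved in the last two months'
        if resolved / threads < 0.3:
            findings.append(f"only {resolved} of {threads} recent support threads resolved")
            red += 1
        elif resolved / threads >= 0.7:
            findings.append(f"{resolved} of {threads} recent support threads resolved")
    else:
        findings.append("no recent support threads: no evidence either way")

    if plugin["num_ratings"] < 10:  # rating is a percentage in the API (assumed)
        findings.append(f"only {plugin['num_ratings']} reviews: {plugin['rating']}% is not meaningful")
    else:
        findings.append(f"{plugin['rating']}% rating over {plugin['num_ratings']} reviews")

    findings.append(f"{plugin['active_installs']} active installs (informational only)")

    verdict = "avoid" if red >= 2 else "caution" if red == 1 else "consider"
    return verdict, findings


TODAY = date(2023, 4, 12)  # the week of the report discussed above

SAMPLE_HEALTHY = {  # constructed, not a real plugin
    "slug": "example-healthy", "last_updated": "2023-04-02 9:14am GMT", "tested": "6.2",
    "active_installs": 4000, "rating": 84, "num_ratings": 150,
    "support_threads": 26, "support_threads_resolved": 19,
}

SAMPLE_ZOMBIE = {  # constructed, not a real plugin
    "slug": "example-zombie", "last_updated": "2021-01-15 5:02pm GMT", "tested": "5.6",
    "active_installs": 70000, "rating": 100, "num_ratings": 3,
    "support_threads": 15, "support_threads_resolved": 2,
}

if __name__ == "__main__":
    for p in (SAMPLE_HEALTHY, SAMPLE_ZOMBIE):
        verdict, findings = evaluate(p, TODAY)
        print(f"{p['slug']}: {verdict}")
        for f in findings:
            print("  -", f)
```

To vet a real plugin, fetch https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=SLUG, pass the parsed JSON to evaluate(), and pass None for anything the API returns no record for. The zombie sample trips the stale-update, untested-release and unanswered-support checks at once, which is exactly the profile of the unpatched plugins in the report.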