My thoughts – iThemes WordPress Vulnerability Report – April 12, 2023

This week, 79 vulnerabilities may affect over 6.6 million WordPress sites. There are 55 plugin vulnerabilities and 5 themes with security patches available, so run those updates if you use these plugins! Additionally, there are 19 plugin vulnerabilities with no patch available yet. At least three of these have been closed and dropped from the plugin directory so far. If you are using any unpatched plugins or themes, check their vendors’ intentions and progress on a security release. If no patch is forthcoming or the vulnerable plugin or theme has been closed, you should consider deactivation and removal in favor of alternative solutions.


What do I think?

“… 79 vulnerabilities may affect over 6.6 million WordPress sites…”

Relax, take a deep breath, read on – the devil is in the details.

Every week this report is published after giving developers time to address newly discovered vulnerabilities. In most cases the developers will jump into action and fix the problems right away.

The overwhelming majority of these theoretical “6.6 million” at-risk websites actually have software updates ready to fix their security vulnerabilities. The website admins just need to apply the updates to their websites.

If you are properly managing your website, you have already applied these updates and are safe from these issues. It doesn’t hurt to double check though, just to be sure…

Worth noting

Of the 19 plugins with no patch, most are listed as having fewer than 2,000 installs each; only two are listed higher, at 7,000+ and 3,000+ installs. This means that the unpatched at-risk group is a drop of water in an ocean of WordPress installations (currently estimated at 800+ million).

At least 7 of the 19 unpatched plugins haven’t been updated in more than a year. If a plugin hasn’t been updated in the last 6 months I often worry that it has been abandoned by the developer.

10 of the 19 unpatched plugins have been closed. The people in charge of the WP repo have decided to pull the software off the shelves. You generally need to uninstall these ASAP.

2 of the unpatched plugins have been active in the past year. These might get a developer to fix their issues. However, I would look for alternatives ASAP – simply because they have already clearly failed to fix a security issue in a timely manner.

I always do this

When looking to add a feature to your website you need to weigh your risk tolerance against an objective evaluation of the developer of the software.

For example: If your website is a personal technology playground and you don’t care if it crashes and burns, then maybe you can be a little less careful and experiment with out-of-date or possibly unsupported software. Just be sure your “playground” is properly isolated from your important business website.

However, if you are doing anything that is important to your business, or involves customer data in any way, do NOT take any risks. Work only with someone that has an established reputation, with a proven track record of good code and great support that ideally spans a period of several years.

4 things to look for in a WordPress plugin

There are various signals in the WP plugin repository you can use to evaluate the potential relationship you are about to enter into with the plugin’s developer.

Are you about to join forces with a fly-by-night programmer, a zombie cowboy coder, or an established developer with a long history of solid support and timely updates?

  1. Are they even listed on the plugin repository? To get listed in the repo the software has to go through a series of tests and expert reviews.

    “The review team acts as gate-keepers and fresh eyes on newly submitted plugins, as well as reviewing any reported security or guideline violations.”
    Source: the official blog for the Plugin Review Team.

    NOTE: I’m not against using software that’s not in the WP repo, but I’m certainly going to be more inclined to use something if it IS in the repo. I know that someone with expertise has at least tested and reviewed the plugin if it got in.

  2. When was the plugin last updated? If it was more than 6 months ago, what might make that OK? Sometimes a plugin is so narrow in its functional scope that it really doesn’t need to be updated frequently.

  3. Does the plugin have a warning banner like: “This plugin hasn’t been tested with the latest 3 major releases of WordPress…”?

    • If so, dig into the support forum to see what the vendor might have to say about it. I have used plugins that were over 5 years old – with no updates – because they did something so specific, and in such a manner, that they did not need updating; the code was still stable and secure.
    • If the support forum doesn’t have any activity from the developer in more than 3 months, I often worry that it is an abandoned piece of software and will usually avoid using it if I have other options.
    • If the support forum has very few “Issues resolved in the last two months”, something like 2 out of 15, then I’ll suspect that the developer isn’t giving the product any real support and that it probably has a number of bugs that I don’t want to encounter.
    • Alternatively, if the support forum is active and has a high percentage of issues resolved, something like 19 out of 26, then I will give it more consideration.

  4. What is the rating of the plugin, and, more importantly, how many reviews does it have? A plugin with three 5-star reviews is less impressive than a plugin with a 4.2 rating and 150+ reviews.

  5. BONUS ITEM: How many “Active Installs” does the product have? This isn’t as important as you might initially think. I often choose a less installed product over one with more installs, usually because the plugin has a very good developer with great support and does one specific thing really well.
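The checklist above can be applied mechanically before a plugin ever reaches a production site, because every signal it names (listed in the repo, last update, tested-up-to version, support thread resolution, rating and review count, active installs) is exposed by the WordPress.org plugin information API. The script below is an added example, not code from this article or from iThemes; it uses the API field names as I know them (`last_updated`, `tested`, `rating`, `num_ratings`, `support_threads`, `support_threads_resolved`, `active_installs`), the two plugin records are constructed, the thresholds are my own reading of the author's rules of thumb, the mapping of the plugin page's "issues resolved in the last two months" onto the `support_threads*` fields is an assumption, and "6.2" is assumed to be the current WordPress release on the report date.

```python
"""Score a WordPress plugin against the repository signals from the checklist.

Added example, not the article's code. Field names follow the WordPress.org
plugin information API (api.wordpress.org/plugins/info/1.2/); the records
below are constructed, not real API output.
"""
import json
from datetime import date
from urllib.parse import urlencode
from urllib.request import urlopen

# Thresholds taken from the checklist's rules of thumb (assumed values).
STALE_AFTER_DAYS = 183          # "more than 6 months ago"
RELEASES_BEHIND_WARN = 3        # "latest 3 major releases" banner
LOW_RESOLUTION_RATIO = 0.3      # "2 out of 15" is a warning sign
GOOD_RESOLUTION_RATIO = 0.7     # "19 out of 26" earns consideration
MIN_REVIEWS_FOR_RATING = 20     # three 5-star reviews prove little

API_URL = "https://api.wordpress.org/plugins/info/1.2/"
REPORT_DATE = date(2023, 4, 12)  # date of the report discussed above
LATEST_WP = "6.2"                # assumed current release on that date


def fetch_plugin_info(slug: str, timeout: float = 10.0) -> dict:
    """Fetch live metadata for a plugin slug (needs network access)."""
    query = urlencode({"action": "plugin_information", "request[slug]": slug})
    with urlopen(f"{API_URL}?{query}", timeout=timeout) as resp:
        return json.load(resp)


def _releases_behind(tested: str, latest: str) -> int:
    """Number of X.Y WordPress releases between `tested` and `latest`.

    WordPress numbers releases X.0 .. X.9 and then moves to (X+1).0, so
    major*10+minor is a usable ordinal for "how many releases back".
    """
    def ordinal(version: str) -> int:
        major, minor = (version.split(".") + ["0"])[:2]
        return int(major) * 10 + int(minor)
    return max(0, ordinal(latest) - ordinal(tested))


def evaluate_plugin(info: dict, today: date, latest_wp: str) -> dict:
    """Return the checklist findings and a verdict for one API record."""
    if "error" in info or "slug" not in info:
        # The API answers unknown slugs with an error body: item 1 fails.
        return {"listed": False, "warnings": ["not in the plugin repository"],
                "strengths": [], "verdict": "not listed"}
    warnings, strengths = [], []

    # Item 2: the API's last_updated string starts with an ISO date.
    last_update = date.fromisoformat(info["last_updated"][:10])
    days_since = (today - last_update).days
    if days_since > STALE_AFTER_DAYS:
        warnings.append(f"last updated {days_since} days ago")

    # Item 3: tested-up-to version versus the current release.
    behind = _releases_behind(info.get("tested", "0.0"), latest_wp)
    if behind >= RELEASES_BEHIND_WARN:
        warnings.append(f"untested against the latest {behind} major releases")

    # Item 3 (support forum): resolved threads over recent threads.
    threads = int(info.get("support_threads", 0))
    resolved = int(info.get("support_threads_resolved", 0))
    ratio = round(resolved / threads, 2) if threads else None
    if ratio is not None and ratio < LOW_RESOLUTION_RATIO:
        warnings.append(f"only {resolved} of {threads} recent threads resolved")
    elif ratio is not None and ratio >= GOOD_RESOLUTION_RATIO:
        strengths.append(f"{resolved} of {threads} recent threads resolved")

    # Item 4: the API reports rating as a 0-100 percentage.
    reviews = int(info.get("num_ratings", 0))
    stars = round(float(info.get("rating", 0)) / 20, 1)
    if reviews < MIN_REVIEWS_FOR_RATING:
        warnings.append(f"{stars}-star rating rests on only {reviews} reviews")
    else:
        strengths.append(f"{stars} stars over {reviews} reviews")

    verdict = {0: "consider", 1: "investigate"}.get(len(warnings), "avoid")
    return {"listed": True, "name": info.get("name"), "verdict": verdict,
            "days_since_update": days_since, "releases_behind": behind,
            "resolution_ratio": ratio, "stars": stars, "reviews": reviews,
            "active_installs": int(info.get("active_installs", 0)),
            "warnings": warnings, "strengths": strengths}


# Constructed records shaped like API responses (not real plugins).
HEALTHY = {"name": "Example Forms (constructed)", "slug": "example-forms",
           "version": "3.4.1", "last_updated": "2023-04-05 9:12am GMT",
           "tested": "6.2", "rating": 84, "num_ratings": 150,
           "active_installs": 40000, "support_threads": 26,
           "support_threads_resolved": 19}
STALE = {"name": "Example Widget (constructed)", "slug": "example-widget",
         "version": "1.0.3", "last_updated": "2021-02-01 4:30pm GMT",
         "tested": "5.6", "rating": 100, "num_ratings": 3,
         "active_installs": 1500, "support_threads": 15,
         "support_threads_resolved": 2}
NOT_LISTED = {"error": "Plugin not found."}

if __name__ == "__main__":
    for record in (HEALTHY, STALE, NOT_LISTED):
        print(json.dumps(evaluate_plugin(record, REPORT_DATE, LATEST_WP), indent=2))
```

Run it as-is to score the constructed records, or replace them with `fetch_plugin_info("<slug>")` for a real slug. The verdict is deliberately coarse (one warning means "go read the support forum", two or more means "look for an alternative"), which mirrors the checklist: the numbers narrow the field, and the forum and changelog still get a human read before the plugin goes anywhere near customer data.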

Can We Help You?

Contact Us if you want to improve your online presence, grow faster, be more effective and efficient online.

We will get you noticeably better results. We can teach you how to properly make new content and perform routine maintenance on your various Internet properties, or we can do it for you.

If you want, our Online Business Management service will manage your online presence for you, maintain social media, do content updates & creation, website software updates and maintenance.

Who We Help

We focus on small to mid-size organizations. Past examples have been a 1-person entrepreneur growing their retirement nest egg, small town communities, school districts, churches, non-profit organizations, and a nationwide organization with 100 people on staff.

If you don’t have an in-house expert, we want to help – Market Street is here for you.

What We Do

Our online business management services, in-depth training, coaching and comprehensive real-world consulting will help you grow, adapt online, work smarter and more efficiently and effectively.

Market Street also makes easy-to-use and highly effective websites that help you get the word out and engage with your audience. Your content can be text, photos, graphics, audio recordings, and even videos.

Experienced Advice

Market Street has 25+ years of experience consulting in the tech world and online marketing. We know how to manage the numerous behind-the-scenes details to get you better results.

We are always learning, reading and researching, testing and trying out new strategies, tactics, processes, software and solutions so you don’t have to.

Contact Us – we can help you!

Author:  Scott Cannon

Helping NPOs & businesses for over 30 years as a technology consultant. I now focus on helping people use their website and social media more efficiently and effectively.

I've been told that I'm friendly, helpful and honest to a fault. I wouldn't believe it if I hadn't heard it myself. :-)
