An Everyday Task – Taking action on Software Vulnerabilities

As I always do, I reviewed this week’s WordPress Vulnerability Report (WPVR) by iThemes Security Pro. This one was a lot larger than normal with 329 total vulnerabilities. It turns out that one of the most popular tools, used by hundreds of plugin and theme developers, had some moderately serious security issues. (Reference: Freemius WordPress SDK 2.5.9 Security Disclosure).

Freemius WordPress SDK is a framework that helps plugin and theme vendors offer a free version of their product alongside an upgraded “Premium” version. Typically the premium version adds new or improved features to the free version, making it worth the cost if you really need those features or improvements.

Freemius SDK is described by the vendor as “a monetization, analytics and marketing automation platform for digital products developers”. Essentially, it helps developers to track sales and licenses while helping them to earn a living doing what they do best.

As will happen with any software product from time to time, Freemius SDK had some previously unknown security issues come to the vendor's attention. They quickly corrected the issues in their software, then contacted all of their customers to tell them that the updated software was available and that it should be used immediately to update their projects (in this case WordPress plugins and themes).

This was all done weeks ago, and in theory even a small one-person developer would have had time to update their product and submit their own update to the WordPress repository before the “public disclosure” phase began.

Once the public disclosure phase happens, an affected plugin or theme falls into one of two groups:

  1. Software that has been corrected and updated (patched) will continue to be available in the WordPress repository for downloading and installing.

    Reports like the WPVR and the product’s own changelog will show that the plugin had a vulnerability but that an update corrects it. Users will be strongly encouraged to update immediately.

  2. Software that hasn’t yet had its code patched will no longer be available for download from the WordPress repository, and appropriate warning language will be added to the plugin’s description page.

    Sometimes these plugins have been abandoned by their original developer and will eventually be removed from the repository. Occasionally, the developers were simply unable to write the needed updates in time for the public disclosure (vacations, illness, lost notification emails, etc.). Either way, the most common recommendation for an unpatched product is to disable and remove the software from your website and look for another to replace it. Note that delisting only stops new downloads and updates; it does not remove or deactivate the copies already installed on sites, so a site keeps running the vulnerable code until someone acts.
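The triage behind those two outcomes can be automated. The script below is an added example, not the page's or Market Street's own tooling: it takes a plugin inventory (constructed here in the JSON shape that `wp plugin list --format=json` prints, with fields `name`, `status`, `update` and `version`; the field names are an assumption about that command's output) and a constructed advisory list in which a patched entry carries the fixed version and an unpatched entry carries none. Every plugin slug, version number and advisory in it is made up for illustration.

```python
import json

# Constructed sample inventory in the shape `wp plugin list --format=json`
# prints (field names assumed). Not data from any real site.
INSTALLED_JSON = """[
  {"name": "acme-forms",     "status": "active",   "update": "available", "version": "3.1.0"},
  {"name": "widget-gallery", "status": "active",   "update": "none",      "version": "1.4.2"},
  {"name": "shop-addon",     "status": "inactive", "update": "none",      "version": "2.0.5"},
  {"name": "seo-helper",     "status": "active",   "update": "none",      "version": "5.2.0"}
]"""

# Constructed advisory list modelled on a WPVR-style report. A patched
# advisory names the version that fixes the issue; fixed_in = None means
# the product was still unpatched when disclosure happened.
ADVISORIES = [
    {"slug": "acme-forms",     "fixed_in": "3.2.0"},   # patched, update available
    {"slug": "widget-gallery", "fixed_in": None},      # unpatched at disclosure
    {"slug": "shop-addon",     "fixed_in": "2.0.5"},   # patched; installed copy is already fixed
]

# Triage outcomes, matching the two groups described in the text plus "not affected".
UPDATE = "update-now"          # patched upstream, installed version is older than the fix
REMOVE = "unpatched-remove"    # no fix available: disable and remove
OK = "not-affected"            # no advisory, or already on the fixed version


def parse_version(text):
    """Turn '2.5.10' into (2, 5, 10). Non-numeric suffixes such as '1.4.2-beta'
    are ignored after the leading digits of each component."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """Numeric, component-wise comparison; missing trailing components count as 0,
    so '1.4' is not older than '1.4.0'. Avoids the string comparison trap where
    '2.5.9' would sort after '2.5.10'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def load_installed(json_text):
    """Parse the inventory JSON into a list of plugin dicts."""
    return json.loads(json_text)


def triage(installed, advisories):
    """Map each installed plugin slug to UPDATE, REMOVE or OK.
    Inactive plugins are triaged too: their files are still on the server."""
    by_slug = {adv["slug"]: adv for adv in advisories}
    verdicts = {}
    for plugin in installed:
        adv = by_slug.get(plugin["name"])
        if adv is None:
            verdicts[plugin["name"]] = OK
        elif adv["fixed_in"] is None:
            verdicts[plugin["name"]] = REMOVE
        elif version_lt(plugin["version"], adv["fixed_in"]):
            verdicts[plugin["name"]] = UPDATE
        else:
            verdicts[plugin["name"]] = OK
    return verdicts


def report(verdicts):
    """Human-readable summary, worst outcomes first."""
    order = {REMOVE: 0, UPDATE: 1, OK: 2}
    lines = []
    for slug, verdict in sorted(verdicts.items(), key=lambda kv: (order[kv[1]], kv[0])):
        lines.append(f"{verdict:17} {slug}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(load_installed(INSTALLED_JSON), ADVISORIES)))
```

On a real site the inventory would come from `wp plugin list --format=json` and the advisory list from the week's report; the script only decides which of the two groups each plugin is in, and the backup, staging and replacement steps that follow are still done by hand.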

Luckily, only one plugin on the list of 102 “unpatched” software products is installed, and only on one of the dozens of client websites that Market Street manages.

Interestingly, it looks like the developer has created an update to correct the issue and they are waiting on a final review from the WordPress repository to approve the update.

The software in question isn’t “mission critical” and can be safely removed from the client website without harming the functionality of the website. I will disable the software and remove it from the website ASAP.

While I wait for the software’s update to get approved, I will also be evaluating alternatives. I don’t like it when a product’s developer fails to make a security update in a timely fashion. If I find a suitable replacement I will probably replace the software.

All of this will happen, unknown by most of our clients, before our “doors open” for business at 9 a.m.

Shocking Update
By 8:53 a.m. I had finished my alternative evaluations, tested the client’s backups, created a staging environment, installed a replacement with a verifiably more responsive support commitment to their product, documented my changes and configuration choices, tested it thoroughly, reviewed their documentation further, and then (after making another full backup) installed, configured and tested the same software on the client’s live site.

I know, this whole article probably bored you to tears, but, that’s what I’m here for. I do what I do best, so that you can do what you do best and not worry about your website.

😉


Can We Help You?

Contact Us if you want to improve your online presence, grow faster, be more effective and efficient online.

We will get you noticeably better results. We can teach you how to properly make new content and perform routine maintenance on your various Internet properties, or we can do it for you.

If you want, our Online Business Management service will manage your online presence for you, maintain social media, do content updates & creation, website software updates and maintenance.

Who We Help

We focus on small to mid-size organizations. Past examples have been a 1-person entrepreneur growing their retirement nest egg, small town communities, school districts, churches, non-profit organizations, and a nationwide organization with 100 people on staff.

If you don’t have an in-house expert, we want to help – Market Street is here for you.

What We Do

Our online business management services, in-depth training, coaching and comprehensive real-world consulting will help you grow, adapt online, work smarter and more efficiently and effectively.

Market Street also makes easy-to-use and highly effective websites that help you get the word out and engage with your audience. Your content can be text, photos, graphics, audio recordings, and even videos.

Experienced Advice

Market Street has 25+ years of experience consulting in the tech world and online marketing. We know how to manage the numerous behind-the-scenes details to get you better results.

We are always learning, reading and researching, testing and trying out new strategies, tactics, processes, software and solutions so you don’t have to.

Contact Us – we can help you!

Author:  Scott Cannon

I help people use their website and social media more efficiently (getting better ROIs) and effectively (spending less time).

I've been helping NPOs & businesses for over 30 years as a technology consultant.

Let me help you too!