WordPress is an open source application. That means that hackers can pour over it looking for issues.
Developers and others wishing to prove their worth also look for any way to break, write a fix and then protect the system. There are many more WordPress developers than hackers.
This probably makes it the most tested and vetted software in the World – so it should be the most secure?
There is just one problem. The site admins. The admins that don’t update their software after somebody has worked night and day to find a problem. Another has found a fix and two or three years later, no updates have been made and a site is vulnerable to attack.
There are still hundreds of sites that have plugins over two years out of date. There are over 6 million WordPress sites around so, only a very small percentage will be several thousand.
Here are two famous examples
WordPress Revolution Slider plug-in.
A way of uploading malicious code was found in this plugin and fixed. Years later there are websites without the latest updates. The plugin was even cited as a possible breach for Mossack Fonseca, the Panama papers hack. If this plug-in has been kept updated then there would never be a problem.
WordPress Gravity Forms Plugin
A fault to allow uploading of malicious code was found and fixed here too, years ago. Yet there was a video posted on Youtube in the last week, pretending to be clever enough to break websites. It was using old code to break an old plugin that was fixed years previous. However, this person still was able to find dozens of WordPress sites that have not been updated.
Why is updating such a problem?
You update Windows, you update Mac OS, your run updates on your iPhone, and Andriod Phones. So why not update your WordPress??
Are these valid excuses?
For gravity forms, people stop wanting to pay the annual upgrade or acquired an unlicensed version of the software. Or misled by somebody that it did not need updating. Those are the reasons given by those I challenged who did not upgrade.
For Revolution Slider, there are many that have not gone back to the envato.com market, where the plugin is sold, either because they could not be bothered, or did not have a proper licenced version. Many bought the plugin bundled with a theme, and as such did not have a connection for updates. The theme authors did not alert users to updates and nothing happened. They were left with a version subsequently found to have a problem, updated and they carried on with a vulnerable version, till discovered by a hacker.
Is this the flaw in open source?
No. The only problem with free software and software copied and supplied without a proper licence is that there is less of a connection between the user and the plugin or theme author. But that is true of any software copied and not purchased legitimately. Today’s plugins from WordPress and all the top creators tell you when they need updating. Even Envato sourced plugin will tell you if you register with a valid serial number. Our plugins have a custom update module that goes through our own update server. It the plugin is active, it will alert of an update.
My rant of frustration is over.
- Remove any plugin or theme that you are not using
- Make sure you have properly licenced copies of all your software, and subscribe to any news service from the author.
- Make sure you have a process to check for and install updates when they are available.
- Use a hosting company with dedicated WordPress hosting services.
- Have a regular backup regime; just in case.