NEW YORK, NY – It seems like a new security threat is born each day; perhaps that is because one is. For those who operate WordPress sites, including myself, there is a new threat to consider, one designed to bypass ordinary security measures: a simple back door that you have already left wide open, by choice.
WordPress plugins are great additions to any WordPress site. They offer all sorts of easy plug-and-play options and make often complicated features simple to install, by allowing you to upload a plugin written by someone who has already built the feature you need. Users then benefit, in mass numbers, from these developers. Some plugins are free, and some really good ones require a fee to install, use and/or update.
These plugins can be event calendars, shopping carts and even certain security features such as WordFence, which has both free and paid options.
In a nutshell, plugins make adding features and functions to any WordPress site a breeze. I do not know of any WordPress site without at least a couple of plugins installed. They are probably one of the most powerful add-ons to WordPress, allowing you to add nearly anything to your site.
But what happens when a plugin is installed on your site, hundreds of thousands of other sites use the same plugin, that plugin has near-limitless access to your site, and then it is sold off to a new developer? The new developer has instant access to every WordPress site that has the plugin installed.
This is what happened recently, and it opens up an entirely new can of worms when it comes to the security of your WordPress site. It is the equivalent of lending your car to a friend based on trust, and them handing it over to a stranger; there is no telling where your vehicle may wind up. Who would have thought of this happening?
If you are interested in reading about it: a popular plugin called Display Widgets, with over 200,000 installs, changed ownership, and the new authors added backdoor code to it on June 30th. This code allowed them to bypass site authentication and publish spam to thousands of websites. The spam was hidden from the site admin and from any logged-in user.
Words of Wisdom: If you run a WordPress site, be ready for anything.
This is just another one of the risks you take when you operate a widely used software suite: vulnerabilities are a hot commodity in the hacker space, and once one is found, it can affect a large number of people, quickly, until it is discovered, patched, or otherwise resolved.
Here are some additional worthwhile suggestions while we’re at it:
- Don’t install a plugin unless you really need it.
- Delete and/or remove any plugins you no longer use.
- Always immediately update any plugins that release updates.
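The second and third suggestions can be checked routinely. The script below is an added example, not part of the original article or of WordPress itself; it flags plugins that are inactive or have an update waiting, working from the CSV that `wp plugin list` prints, with a constructed sample of that output embedded so it runs offline.

```shell
#!/bin/sh
# Added example: audit installed WordPress plugins for the two cases the
# article's advice covers: unused (inactive) plugins that should be removed,
# and plugins with a pending update. Input is the CSV produced by
#   wp plugin list --fields=name,status,update,version --format=csv
# The sample below is CONSTRUCTED in that format; names and versions are made up.
SAMPLE_PLUGIN_LIST='name,status,update,version
wordfence,active,none,6.3.20
event-calendar,active,none,3.1.4
shopping-cart,active,available,2.0.9
hello,inactive,none,1.7
old-slider,inactive,none,0.9.1'

# Plugins whose status column is "inactive": installed but not in use.
# (wp-cli only quotes a field when it contains a comma, which these do not.)
unused_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Plugins whose update column is "available": a newer release exists.
outdated_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Print a short report. Returns 0 if nothing needs attention, 1 otherwise,
# so the script can gate a cron job or a deploy step.
audit_plugins() {
  list="$1"
  unused=$(unused_plugins "$list")
  outdated=$(outdated_plugins "$list")
  [ -n "$unused" ]   && printf 'Inactive plugins (delete unless needed):\n%s\n' "$unused"
  [ -n "$outdated" ] && printf 'Updates available (update now):\n%s\n' "$outdated"
  [ -z "$unused$outdated" ]
}

# On a real site, replace the sample with live wp-cli output:
#   audit_plugins "$(wp plugin list --fields=name,status,update,version --format=csv)"
audit_plugins "$SAMPLE_PLUGIN_LIST" || echo "Plugin audit: action required."
```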