WordPress has a rich and vibrant ecosystem of third-party plugins available to extend its functionality. Unfortunately, these third-party plugins sometimes provide a means to exploit a WordPress installation.
The most recent example of a third-party plugin introducing a remote exploit is the Simple Social Buttons plugin. With open registration enabled and the plugin installed, it was possible for attackers to make changes to the configuration of a WordPress installation. The exploit report includes a demonstration in which the admin user's email address on a WordPress installation was changed. Such an attack could then be used to gain admin access to the WordPress installation and, from there, complete access to the website. Thankfully, the developers of the affected plugin released a patched version of the plugin the day after it was reported to them.
Exploits such as these illustrate why it is critical that a WordPress installation is managed correctly. Exploits can originate within core WordPress code or from third-party plugins which may be installed. It is crucial that once updates to WordPress or third-party plugins are released they are installed as soon as possible. In as little as a few hours after an exploit announcement, automated botnets can be seeking to breach unpatched WordPress installations, potentially gaining complete access to all the data within.
WordPress offers an automated update system for core code and for the free plugins distributed via the WordPress website. This should be enabled where possible to ensure that both the WordPress core and the applicable installed plugins stay up to date.
The open nature of WordPress has led to many commercial plugins being released outside of the WordPress website, and these are therefore unable to use the automated update mechanism WordPress provides. In some cases, the authors of these plugins have built in their own automated update mechanisms to ensure that updates can be delivered to users. If such features are available within a plugin, they should also be enabled so that applicable updates are applied automatically. However, plugins distributed via some plugin marketplaces do not feature automated update mechanisms at all; in these instances, it is up to the user to monitor and check for updates to the applicable modules via the marketplace they were purchased from. Some authors have built in a notification mechanism to inform users that new updates are available to install, along with the relevant information relating to them.
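The two preceding paragraphs describe enabling WordPress's built-in update mechanism for core and wordpress.org-hosted plugins while leaving commercial plugins to their own update channels. The following is an added example of how that policy can be expressed as a small must-use plugin; it is not code from the original post or from any plugin mentioned. The pinned-plugin list is a hypothetical placeholder, and the example assumes the wordpress.org update feed identifies its plugins with an `id` beginning `w.org/plugins/`.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Keeps core and wordpress.org-hosted plugins patched automatically.
 * Install as wp-content/mu-plugins/auto-update-policy.php.
 *
 * Also set in wp-config.php:
 *   define( 'WP_AUTO_UPDATE_CORE', true );
 * 'minor' (the default) installs only security/maintenance releases;
 * true installs major releases as well.
 */

// Decide per plugin whether WordPress may apply an available update automatically.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Hypothetical placeholder: plugin basenames you want to hold back (e.g. awaiting a staging test).
    $pinned = array( 'example-plugin/example-plugin.php' );
    if ( isset( $item->plugin ) && in_array( $item->plugin, $pinned, true ) ) {
        return false;
    }
    // Assumption: updates served by wordpress.org carry an id of the form "w.org/plugins/<slug>".
    if ( isset( $item->id ) && 0 === strpos( $item->id, 'w.org/plugins/' ) ) {
        return true;
    }
    // Commercial plugins with their own updater: keep whatever the updater decided.
    return $update;
}, 10, 2 );

// Record the outcome of each automatic update run so an operator can verify
// that patches were actually applied (and notice failures) after a handoff.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $u ) {
            $name = isset( $u->name ) ? $u->name : $type;
            $ok   = ( true === $u->result ) ? 'ok' : 'FAILED';
            error_log( sprintf( '[auto-update] %s "%s": %s', $type, $name, $ok ) );
        }
    }
} );
```

Plugins that do not appear in the update feed at all (marketplace purchases without an updater) never reach this filter, which is exactly the case the text says must be checked by hand.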
Whilst the above methods for commercial plugins work well for those who developed their own website, they do create potential problems for those who commissioned a website to be developed on their behalf. If the plugins were purchased by the agency that developed the website, it may not be possible to acquire updates to the plugins without either buying the plugin again or seeking the original developer's assistance.
Similarly, some plugin authors license their modules on a subscription basis, whereby updates are provided for as long as a subscription is maintained. If the original agency that developed the website is no longer involved, it may not be possible to acquire updates without taking out a new subscription.
It is important to fully assess how the WordPress plugins in use will be managed in the long term. Many WordPress installations are compromised because the operators of the websites fail to keep up with security updates after handoff from the original developers or after support contracts are terminated.
At Ixis, we understand the importance of managing and updating your website safely and securely. Our exceptional service desk team is always on hand to provide the assistance and expertise to keep your website in full working order, regardless of the changes and updates you require. Our dedicated UK-based support service desk ensures that if an issue arises we are able to resolve it for you quickly and efficiently. Our escalation procedures are second to none, minimising website and system downtime to protect your business. If you or your business need help and expertise to get your WordPress website in full working order, do not hesitate to contact us via the Ixis website, by calling us on 01925 320041, or by emailing us at firstname.lastname@example.org.