A plugin to find vulnerable plugins ... brilliant!
I’m a huge WordPress fan because it’s a very powerful, effective, and amazingly extensible platform which is why it’s used by 60.4% of [websites with identifiable content management systems which amounts to] 23.7% of all websites. But there’s a risk with any platform that’s extensible trough the use of third party software (called “plugins” in WordPress): That risk is from software vulnerabilities.
Part of the reason for these vulnerabilities is that WordPress is fairly complex so interactions with plugins can produce unwanted and occasionally dangerous security issues. The other major reason is that the coding practices of third parties can be inadequate so dumb vulnerabilities such as buffer overflows and SQL injections can be part and parcel of some “must have” feature added by a plugin. For a summary of current Wordpress vulnerabilities check out the WPScan Vulnerability Database, a “black box WordPress vulnerability scanner.”
If you’re running a WordPress site and given the number of potentially show-stopping problems that exist, get fixed, and are replaced with new problems that are just as bad then you need to be on top of what plugins you’re using and what problems they might have. Rather than scanning through loads of vulnerability notices and checking each plugin’s Web site for news there’s not only WPScan, there’s also a free plugin that check the plugins you use for known issues. It’s called Plugin Vulnerabilities and published by WhiteFirDesign.
The publishers also offer another free plugin, Automatic Plugin Updates that, as its name implies, will update your plugins automatically as new versions become available (you can also set up an “ignore” list to exclude specific plugins from automatic updates).
When you activate Plugin Vulnerabilities, all of your other plugins are examined and checked against WhiteFirDesign’s database of vulnerabilities. They’re also rechecked whenever a plugin in manually updated or an update executed by the Automatic Plugin Updates or by any other method.
WhiteFirDesign’s vulnerability stats were, as of April 6:
- 257 vulnerabilities included
- 61 included vulnerabilities are in the most recent version of plugins (57 of these plugins have been removed from the Plugin Directory)
- 24 vulnerabilities have been fixed in part due to our work on this plugin
- 5 included vulnerabilities in security plugins
- Top vulnerability types:
- cross-site request forgery (CSRF)/cross-site scripting (XSS): 52 vulnerabilities
- reflected cross-site scripting (XSS): 45 vulnerabilities
- arbitrary file upload: 45 vulnerabilities
- arbitrary file viewing: 23 vulnerabilities
- SQL injection: 16 vulnerabilities
If a problem is discovered and you’ve enabled the feature, Plugin Vulnerabilities will send you a warning email as well as warn you on the Plugin Vulnerabilities control panel page and the general Plugins page.
This plugin is, in short, something you shouldn’t do without if you’re running WordPress. It could make the difference between smooth, uninterrupted operations and spending lots of time rebuilding your WordPress site after being hacked.
The Plugin Vulnerabilities and Automatic Plugin Updates plugins both get a Gearhead rating of 5 out of 5.
Griffin 20 pumps up the digital volumeNext Post
Wordfence plugin secures WordPress sites; solves job from hell
Amazon Web Services and Microsoft Azure, take very different approaches in how their data centers are...
A review of 19 companies that offer free cloud storage
By forcing Windows 10 on users, Microsoft has lost the tenuous trust and credibility users had in the...
A Chinese electronics component manufacturer says its products inadvertently played a role in a massive...
At particular risk are touch-screen voting machines that have no paper trails. If those are hacked or a...
Use these tips for finding inexpensive study resources and getting hands-on experience.
As companies rely more on co-location, cloud and other off-premise computing models, enterprise IT...