How to avoid getting hacked due to vulnerable WordPress plugins

I’m a huge WordPress fan because it’s a very powerful, effective, and amazingly extensible platform which is why it’s used by 60.4% of [websites with identifiable content management systems which amounts to] 23.7% of all websites. But there’s a risk with any platform that’s extensible trough the use of third party software (called “plugins” in WordPress): That risk is from software vulnerabilities.

Part of the reason for these vulnerabilities is that WordPress is fairly complex so interactions with plugins can produce unwanted and occasionally dangerous security issues. The other major reason is that the coding practices of third parties can be inadequate so dumb vulnerabilities such as buffer overflows and SQL injections can be part and parcel of some “must have” feature added by a plugin. For a summary of current Wordpress vulnerabilities check out the WPScan Vulnerability Database, a “black box WordPress vulnerability scanner.”

If you’re running a WordPress site and given the number of potentially show-stopping problems that exist, get fixed, and are replaced with new problems that are just as bad then you need to be on top of what plugins you’re using and what problems they might have. Rather than scanning through loads of vulnerability notices and checking each plugin’s Web site for news there’s not only WPScan, there’s also a free plugin that check the plugins you use for known issues. It’s called Plugin Vulnerabilities and published by WhiteFirDesign.

The publishers also offer another free plugin, Automatic Plugin Updates that, as its name implies, will update your plugins automatically as new versions become available (you can also set up an “ignore” list to exclude specific plugins from automatic updates).

When you activate Plugin Vulnerabilities, all of your other plugins are examined and checked against WhiteFirDesign’s database of vulnerabilities. They’re also rechecked whenever a plugin in manually updated or an update executed by the Automatic Plugin Updates or by any other method.

WhiteFirDesign’s vulnerability stats were, as of April 6:

• 257 vulnerabilities included
• 61 included vulnerabilities are in the most recent version of plugins (57 of these plugins have been removed from the Plugin Directory)
• 24 vulnerabilities have been fixed in part due to our work on this plugin
• 5 included vulnerabilities in security plugins
• Top vulnerability types:
  • cross-site request forgery (CSRF)/cross-site scripting (XSS): 52 vulnerabilities
  • reflected cross-site scripting (XSS): 45 vulnerabilities
  • arbitrary file upload: 45 vulnerabilities
  • arbitrary file viewing: 23 vulnerabilities
  • SQL injection: 16 vulnerabilities

If a problem is discovered and you’ve enabled the feature, Plugin Vulnerabilities will send you a warning email as well as warn you on the Plugin Vulnerabilities control panel page and the general Plugins page.

This plugin is, in short, something you shouldn’t do without if you’re running WordPress. It could make the difference between smooth, uninterrupted operations and spending lots of time rebuilding your WordPress site after being hacked.

The Plugin Vulnerabilities and Automatic Plugin Updates plugins both get a Gearhead rating of 5 out of 5.