We are incredibly grateful for companies specializing in tracking and disseminating information on WordPress exploits and other vulnerabilities. Sadly, there is a never-ending list, and if we find it challenging to stay on top of things, it must be difficult for the solo entrepreneur trying to manage their site while keeping the business going. There are a couple of websites that we monitor for threat analysis. Those include:
We also subscribe to Cybersecurity and Infrastructure Security Agency notices, which provide additional threat data that may affect us or our clients. Many bad cyber actors are out there, and you need to stay on top of all potential security threats. We will discuss some of the threats and list some steps you can take to mitigate your risk.
September WordPress Exploits
In September alone, we counted 46 plugin vulnerabilities and 1 theme vulnerability—more than one a day! We identified a few plugins on that list that needed to be updated and removed from our site and the clients’ sites.
As part of our proactive approach, we consistently use SeedProd when we start building a site. We maintain the master copy in our repository and keep it up to date to ensure we are not impacted by any vulnerabilities. If you have a copy, we recommend using it, but not if you have allowed your license to expire and no longer receive updates. In such cases, it’s best to either uninstall the plugin or consider repurchasing your license.
We have clients who use WP File Manager. We have long thought this approach brings unnecessary risk because it lets you access and edit files directly on your web server. You can uninstall this plugin and learn to use SFTP to manage the files directly if you have to.
How To Stay On Top
Back in March, we started guiding you through the process of keeping things updated with our post “How Often Do You Update WordPress?” In April, we discussed WordPress Vulnerabilities for the first time. We want to ensure you understand the risks involved, so we’re curious how you stay on top of these issues and monitor the WordPress exploits discovered and published.
WordPress Auto Updates
As of WordPress 5.5, there is a feature that will automatically update plugins. You can choose to enable this on any plugin for which the plugin developer has also enabled the feature. If you navigate to your Plugins page, you’ll notice the ability to enable this feature on the right-hand side. You can also enable the auto-update functionality for some themes. You need to be aware that there are risks involved.
Backup Before Updating
Best practices tell us that we should always perform a backup before updating plugins or themes. This new feature in WordPress does not perform a backup before updating. If errors or incompatibilities exist, this could lead to that dreaded “white screen of death.” If you update manually, you’ll know immediately that your site is affected. If you let WordPress perform your updates, you may not realize your website needs to be fixed.
Some website hosts provide a safe way to update. They detect that you’re trying to perform an upgrade and prompt you to make a backup.
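The backup-then-update routine described above can be scripted with WP-CLI; this is an added example, not part of the original post. The paths `WP_PATH` and `BACKUP_DIR` and the function names are assumptions, and the health check assumes WP-CLI exits with an error when an active plugin throws a fatal error.

```shell
# Added example: back up, update plugins with WP-CLI, roll back if the site breaks.
# Assumptions: WP-CLI is installed as `wp`; both paths below are placeholders.
WP_PATH="${WP_PATH:-/var/www/html}"          # hypothetical WordPress root
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wp}"  # hypothetical backup location

# Dump the database and archive the plugins directory; print the backup prefix.
backup_site() {
  local stamp prefix
  stamp="$(date +%Y%m%d-%H%M%S)"
  prefix="$BACKUP_DIR/$stamp"
  mkdir -p "$BACKUP_DIR" || return 1
  wp --path="$WP_PATH" db export "$prefix.sql" >/dev/null || return 1
  tar -czf "$prefix-plugins.tar.gz" -C "$WP_PATH/wp-content" plugins || return 1
  printf '%s\n' "$prefix"
}

# Put back the plugin files and database captured by backup_site.
# Note: content written to the database after the backup is lost on restore.
restore_site() {
  local prefix="$1"
  [ -f "$prefix-plugins.tar.gz" ] || return 1
  rm -rf "$WP_PATH/wp-content/plugins"
  tar -xzf "$prefix-plugins.tar.gz" -C "$WP_PATH/wp-content" || return 1
  wp --path="$WP_PATH" db import "$prefix.sql" >/dev/null
}

# Health check: WP-CLI loads WordPress and its active plugins, so a fatal
# error introduced by an update makes this command fail.
site_healthy() {
  wp --path="$WP_PATH" plugin list --status=active --field=name >/dev/null 2>&1
}

# Returns 0 = updated, 1 = backup failed (nothing changed), 2 = rolled back.
safe_update_plugins() {
  local prefix
  prefix="$(backup_site)" || { echo "backup failed; not updating" >&2; return 1; }
  if wp --path="$WP_PATH" plugin update --all >/dev/null && site_healthy; then
    echo "updated; backup kept at $prefix"
    return 0
  fi
  echo "update broke the site; restoring $prefix" >&2
  restore_site "$prefix"
  return 2
}
```

Call `safe_update_plugins` from a scheduled job or by hand in place of the built-in auto-update; a return code of 2 means an update was rolled back and needs manual review.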
Our Commitment to You
First and foremost, we want you to be successful. We strive to provide original content with helpful tips and guidance. We would like to encourage you to subscribe to our newsletter to stay informed.
WordPress exploits aren’t going away. It’s nearly inconceivable to think that all code can be developed to be hack-proof. That’s why we appreciate the people conducting the threat analysis tests and reporting their results to the community.
We are also in the process of launching two new site sections. The first will be a dedicated Support Site, including up-to-date security feeds, WordPress news feeds from around the community, and more. The second new site will be our Learning Zone, where we will offer free WordPress training videos and more. Please let us know your thoughts in the comments or join the Veracity Technologies Facebook Group for more interaction.