We are extremely grateful for those companies who specialize in tracking and disseminating information on WordPress exploits and other vulnerabilities. Sadly, there is a never ending list and if we find it challenging to stay on top of things, it must be difficult for the solo entrepreneur trying to manage their site while keeping the business going. There are a couple of websites that we monitor for threat analysis. Those include:
We also subscribe to notices from Cybersecurity and Infrastructure Security Agency and those provide additional threat data that may affect us or our clients. There are a lot of bad cyber actors out there and you need to stay on top of all potential security threats. We will discuss some of the threats and list some steps you can take to mitigate your risk.
September WordPress Exploits
In September alone, we counted 46 plugin vulnerabilities and 1 theme vulnerability. That’s more than one a day! You can view the list from iThemes here (September 2020 Vulnerabilities Part 1)and here (September Vulnerabilities Part 2). We identified a few plugins on that list that needed to be updated and/or removed from our site and the sites of the clients we manage.
We use SeedProd all of the time when we begin to build out a site. We keep the master copy in our repository and we keep it up to date so we weren’t impacted. But, if you have a copy, still use it but let your license expire so you aren’t getting updates. You should either uninstall the plugin or repurchase your license.
We have clients that use WP File Manager. We have long thought this approach brings unnecessary risk due to the fact that you access and/or edit files directly on your web server. Uninstall this plugin and learn to use sFTP to manage the files directly if you must do so.
How To Stay On Top
Back in March, we started guiding you through the process of keeping things updated with our post “How Often Do You Update WordPress?” In April, we discussed WordPress Vulnerabilities for the first time. We want to make sure that you understand the risks involved, so we’re curious about how you stay on top of these types of issues. So, we have a little poll to find out if you manage things yourself.
WordPress Auto Updates
As of WordPress 5.5, there is feature that will automatically update plugins. You can choose to enable this on any plugin that the plugin develop has also enabled the feature. If you navigate to your plugins pages, you’ll notice on the ride hand side the ability to enable this feature. You can also enable the auto update functionality for some themes. You need to be aware that there are risks involved.
Backup Before Updating
Best Practices tell us that we should always perform a backup before updating plugins or themes. This new feature in WordPress does not perform a backup prior to updating. If there are errors or incompatibilities, this could lead to that dreaded “white screen of death.” If up update manually, you’ll know right away that your site is affected. If you let WordPress perform your updates, you may not realize your website is broken.
Some website hosts provide a safe way to update. They detect that you’re trying to perform and upgrade and prompt you to make a backup. If Veracity Technologies is your host, we perform a combination process before updating your site automatically.
- Take a visual snapshot
- Perform a backup
- Take another visual snapshot
- If there aren’t any significant visual changes, then our system marks that update as successful
Our Commitment to You
First and foremost, we want you to be successful. We strive to provide original content with helpful tips and guidance. We encourage you to subscribe to our newsletter to stay informed.
WordPress exploits aren’t going away. It’s nearly inconceivable to think that all code can be developed to be hack-proof. That’s why we so appreciate the folks that conduct the threat analysis tests and report their results to the community.
We are also in the process of launching two new site sections. The first will be a dedicated Support Site that will include up to date security feeds, WordPress news feeds from around the community and more. The second new site will be our Learning Zone. We will offer free WordPress training videos and more. Let us know your thoughts in the comments or join the Veracity Technologies Facebook Group for more interaction.