© Nead, LLC


How Using Abandoned WordPress Plugins Can Lead to a Data Breach

In your WordPress admin panel, you’ve probably seen notifications that some of your plugins have updates available. How long does it take for you to update those plugins? Do you update right away?

Some updates only add features, but many plugin updates carry security patches, and those are the ones that need to be installed immediately.

Patches exist to resolve vulnerabilities

When software developers become aware of a security vulnerability, they create a patch that end users install to secure their copy of the software. WordPress plugin developers distribute patches through plugin updates, so apply updates promptly. Since WordPress 5.5 you can also enable automatic updates per plugin from the Plugins screen, which removes the delay entirely for plugins you trust to update unattended.

Vulnerable WordPress plugins can cause a data breach

Data breaches are constantly on the rise and carry some hefty fines. Depending on the data protection laws that govern your industry, a data breach can cost you thousands or millions of dollars in fines.

Unpatched known vulnerabilities are among the most common root causes of breaches; the figure usually cited is roughly one in three. A compromised site also tends to slow down, because injected spam, redirect and cryptomining code runs on every page load. Attackers scan for unpatched WordPress plugins continuously, since a known vulnerability with a public fix is the cheapest way in.

For instance, the popular WP Fastest Cache plugin was found to have multiple vulnerabilities, including a SQL injection that let an attacker read from the victim’s WordPress database. The database holds the wp_users table with usernames and password hashes; weak passwords crack quickly offline, and a working administrator login gives an attacker full control of the site.

Another vulnerability in the same plugin let an attacker who tricked a logged-in administrator into loading a crafted page store malicious JavaScript on the site (stored cross-site scripting), which then runs in the browser of everyone who views the affected page.

It was the Jetpack team, developers of another WordPress plugin, who discovered and reported the WP Fastest Cache vulnerabilities. They were fixed promptly and the patch shipped in WP Fastest Cache v. 0.9.5. The fix only protects sites that actually install that update.

Most cyberattacks are caused by user error, but…

Although most successful attacks trace back to human error (weak passwords, skipped updates, phishing), users have far less control over plugins that are no longer supported. A site owner can follow every best practice and still be compromised through a vulnerable plugin for which no patch exists.

Plugins that are no longer supported have no updates to install. When you run an unsupported plugin, you are accepting the risk of a breach that you cannot patch your way out of.

Not all WordPress plugin developers release patches

There are two main reasons a known plugin vulnerability remains unpatched: the developer never released a fix, or the site owner never installed it. (A third case, a vulnerability nobody has reported yet, is why limiting the number of plugins you run matters even for well-maintained ones.)

Sometimes developers never create a patch because they have abandoned the project. Running an abandoned plugin is far more dangerous than skipping a feature update.

If you skip an update that only adds features, you simply do not get those features. If you cannot update a plugin because the developer has walked away, there is no way to secure it short of removing or replacing it.

Abandoned plugins accumulate vulnerabilities over time: researchers and attackers keep finding bugs, and changes in WordPress core and PHP can turn previously harmless code into an exploitable path. The longer a plugin stays abandoned, the more of these pile up.

Once a vulnerability in an abandoned plugin is public, attackers scan for sites that still run it. Scanners do not need to guess: every plugin lives under the predictable path wp-content/plugins/<slug>/, and requesting that directory’s readme.txt usually reveals the installed version.

Popular WordPress plugins can be vulnerable, too

Don’t make the mistake of believing that your plugins are bulletproof just because they’re popular. According to BlogVault.net and other sources, these popular WordPress plugins have all had vulnerabilities targeted by attackers:

  1. WooCommerce – 5m+ installations
  2. Yoast SEO – 5m+ installations
  3. SEOPress – 100k+ installations
  4. Elementor – 5m+ installations
  5. W3 Total Cache – 1m+ installations
  6. Contact Form 7 – 5m+ installations
  7. Wordfence – 4m+ installations

Vulnerabilities in popular plugins are exploited with the usual web attack classes: cross-site scripting (XSS), SQL injection, remote code execution (RCE), arbitrary file deletion, arbitrary file upload, and privilege escalation.

The developers who work on these plugins release frequent updates that include both features and patches. If you use these, or any other plugins, install each update as soon as it is released.

7 Steps to secure your WordPress plugins

There are several steps you can take to keep your WordPress plugins secure and to limit the damage if a plugin is compromised anyway.

1. Delete unnecessary plugins

If you’re not using a plugin, you might be tempted to keep it around and skip its updates on the theory that inactive code is harmless. It is not. A vulnerable plugin that remains on your web server is dangerous whether or not you use it.

Delete unnecessary plugins; don’t just deactivate them. Deactivating only stops WordPress from loading the plugin, while its files stay under wp-content/plugins/. Any PHP file in that directory that an attacker can request directly by URL still executes, so an exploit that does not depend on the plugin being active keeps working. Removing the plugin from the server entirely is the only fix.

Attackers know the standard path to WordPress plugins and run scanners that probe websites for plugins with known vulnerabilities, active or not.

Switching themes can result in unused plugins

Have you switched themes at any point in time? If so, you might have some plugins that you don’t need anymore. Many themes come packaged with plugins that are only required for that particular theme.

Review your WordPress plugins by navigating to the Plugins section from the main administrative area. First, look at all of your activated plugins to make sure you need each one. If you don’t know what a plugin does, visit the developer’s website for more information.

If you’re still not sure what role a plugin plays on your website, contact your current theme’s developer and ask if the unknown plugins are part of their theme. Or, contact your website developer and ask them to look at your plugins to determine if any are not being used.

Once you’re sure you don’t need a plugin, delete it right away. Deactivate it and then use the Delete action in the Plugins screen rather than removing the directory over FTP or SSH. Deleting from the admin panel removes the files and also runs the plugin’s own uninstall routine (its uninstall.php), which cleans up the options and database tables it created; deleting files by hand leaves that data behind.

2. Check to see how frequently your plugins are updated

It’s hard to say exactly how often a plugin should be updated in order to be considered secure. Some developers issue weekly or monthly updates, but many are updated at least every couple of months.

To see how often a plugin is updated, go to WordPress.org and search for it. The plugin page shows a “Last updated” date and a “Tested up to” WordPress version in its sidebar, and the Changelog under the “Development” tab lists each release. For example, the Changelog for Akismet shows several releases in 2020 and 2021 with a description of what changed. WordPress.org also displays a warning on plugins that have not been tested against the last three major WordPress releases; treat that banner as a red flag.

If your plugin isn’t available on the WordPress.org website, find the developer’s website and look for a Changelog.

3. Find alternatives for stale plugins

If a plugin hasn’t been updated in more than six months, consider an alternative. Six months is a long time for software that runs on a public web server, although a small, simple plugin may legitimately need fewer releases than a large one. A “Tested up to” version that lags several WordPress major releases behind is another sign the plugin is drifting toward abandonment.

If you’re hesitant to swap out your plugins for something new, test the new possible plugins on a sandbox installation of WordPress. If you don’t know how to create a sandbox installation, talk to your website developer and they’ll set you up with one.
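The staleness check in steps 2 and 3 can be automated against the public wordpress.org plugin API. The script below is an added example, not code from the original article: it assumes the plugin_information endpoint at api.wordpress.org/plugins/info/1.2/, whose JSON includes "version", "last_updated" (a string such as "2021-06-23 2:45pm GMT") and "tested". The SAMPLE_RECORDS and the six-month threshold are constructed so it runs offline; the fetch_plugin_info() helper does the live lookup when you have network access.

```python
"""Audit installed WordPress plugins for staleness (added example, not from the article)."""
import json
import urllib.parse
import urllib.request
from datetime import date, datetime
from typing import Dict, List, Optional

# Assumption: wordpress.org plugin_information endpoint and its JSON field names.
API = "https://api.wordpress.org/plugins/info/1.2/"
MAX_AGE_DAYS = 180  # the article's six-month rule of thumb


def parse_last_updated(value: str) -> date:
    """Parse the API's 'YYYY-MM-DD h:mmam/pm GMT' string; only the date part matters here."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def assess_plugin(record: Dict, today: date, max_age_days: int = MAX_AGE_DAYS) -> Dict:
    """Return a verdict for one plugin record.

    'stale'  - last release older than max_age_days: replace it or justify keeping it
    'update' - a newer version exists than the one installed
    'ok'     - recently maintained and current
    """
    age = (today - parse_last_updated(record["last_updated"])).days
    installed: Optional[str] = record.get("installed_version")
    latest = record["version"]
    if age > max_age_days:
        verdict = "stale"
    elif installed is not None and installed != latest:
        verdict = "update"
    else:
        verdict = "ok"
    return {
        "slug": record["slug"],
        "days_since_update": age,
        "installed": installed,
        "latest": latest,
        "tested": record.get("tested"),
        "verdict": verdict,
    }


def audit(records: List[Dict], today: date, max_age_days: int = MAX_AGE_DAYS) -> List[Dict]:
    """Assess every record; stale plugins are the ones to replace first."""
    return [assess_plugin(r, today, max_age_days) for r in records]


def fetch_plugin_info(slug: str, timeout: float = 10.0) -> Dict:
    """Live lookup of one plugin's metadata (needs network; not used by the offline sample)."""
    query = urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(f"{API}?{query}", timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample data shaped like the API response, plus the locally installed version.
SAMPLE_TODAY = date(2021, 9, 1)
SAMPLE_RECORDS = [
    {"slug": "akismet", "version": "4.1.10", "last_updated": "2021-06-23 2:45pm GMT",
     "tested": "5.8", "installed_version": "4.1.9"},
    {"slug": "example-stale-plugin", "version": "1.0.2", "last_updated": "2018-03-01 9:00am GMT",
     "tested": "4.9", "installed_version": "1.0.2"},
    {"slug": "example-current-plugin", "version": "2.3.0", "last_updated": "2021-08-01 11:00am GMT",
     "tested": "5.8", "installed_version": "2.3.0"},
]


def audit_sample() -> List[Dict]:
    """Run the audit over the constructed sample with a fixed 'today'."""
    return audit(SAMPLE_RECORDS, SAMPLE_TODAY)


if __name__ == "__main__":
    for row in audit_sample():
        print(f"{row['slug']:<24} {row['verdict']:<7} {row['days_since_update']:>5} days "
              f"installed={row['installed']} latest={row['latest']} tested={row['tested']}")
```

On a real site, feed it the slugs and versions from `wp plugin list --format=json` and call fetch_plugin_info() for each; anything the script marks stale goes on the replacement list from step 3, and anything marked update goes into the next maintenance window.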

4. Immediately delete plugins you don’t like

Have you ever downloaded a plugin to test, only to find it didn’t meet your needs? Delete plugins you don’t want immediately. Leaving test plugins on your server is an easy way to invite exploitation.

5. Password-protect your admin directory

Administrative login credentials alone are not enough. What happens if someone exploits a plugin vulnerability, reads your WordPress database, and cracks your admin password hash?

Adding a second, web-server-level password in front of the admin area means a stolen WordPress login is not sufficient on its own: the attacker would also need the HTTP authentication credentials, which live in a file on the server rather than in the database. It does not stop an attacker who already has code execution on the server, but it blocks credential stuffing and logins with cracked passwords.

Concretely, protect the directory www.YourSite.com/wp-admin and the login script www.YourSite.com/wp-login.php, which sits outside that directory and would otherwise remain open. Most control panels (cPanel, Plesk, or your host’s own panel) offer this as “Password Protect Directories” or similar and write the .htaccess and .htpasswd pair for you. Three caveats: wp-admin/admin-ajax.php is used by the public front end of many themes and plugins, so exempt it from the password or those features break for visitors; use a password different from your WordPress one; and serve the site over HTTPS only, because HTTP basic authentication sends the password with every request.

6. Keep your eyes open for signs of compromise

Discovering the signs of a compromised site means the initial attack has already happened, but spotting it early is what keeps a single compromised plugin from turning into a full data breach.

Look for the signs listed in this Hacker News article, which include PHP files with names made of random letters and numbers. Although the article discusses a campaign that specifically targeted Wordfence, such files are a common indicator that a WordPress site has been hacked. Other common indicators: PHP files inside wp-content/uploads (which should contain only media), files in the site root with names resembling core files that are not part of WordPress, modified core or plugin files (WP-CLI’s wp core verify-checksums and wp plugin verify-checksums compare them against the copies on WordPress.org), and administrator accounts you did not create.
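The file-name indicators above are easy to sweep for automatically. The scanner below is an added example, not code from the article or from the Hacker News piece it cites; its rules are assumptions to tune for your site (PHP anywhere under wp-content/uploads, PHP in the site root that is not a stock WordPress file, and random-looking alphanumeric or hex file names), and the SAMPLE_LISTING is constructed so it runs offline. scan_tree() applies the same rules to a real document root.

```python
"""Flag WordPress files matching common post-compromise indicators (added example)."""
import os
import re
from typing import Iterable, List, Optional, Tuple

# Assumption: PHP files a stock WordPress root legitimately contains (WP 5.x layout).
STOCK_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

HEX_NAME = re.compile(r"^[a-f0-9]{8,}$")       # e.g. ff34ad9c.php
ALNUM_NAME = re.compile(r"^[a-z0-9]{8,}$")     # letter/digit soup without separators


def looks_random(stem: str) -> bool:
    """Heuristic: long hex strings, or long alphanumeric names mixing >=3 digits with letters.

    Legitimate names like 'base64' or 'utf8' are short or digit-light and pass.
    """
    s = stem.lower()
    if HEX_NAME.match(s):
        return True
    digits = sum(c.isdigit() for c in s)
    letters = sum(c.isalpha() for c in s)
    return bool(ALNUM_NAME.match(s)) and digits >= 3 and letters >= 2


def classify(rel_path: str) -> Optional[str]:
    """Return a reason string if rel_path (relative to the docroot) is suspicious, else None."""
    p = rel_path.replace("\\", "/")
    while p.startswith("./"):
        p = p[2:]
    p = p.lstrip("/")
    if not p.lower().endswith(".php"):
        return None
    parts = p.split("/")
    name = parts[-1]
    stem = name[:-4]
    if p.startswith("wp-content/uploads/"):
        return "php-in-uploads"           # uploads must never execute code
    if len(parts) == 1 and name not in STOCK_ROOT_PHP:
        return "unexpected-root-php"      # catches look-alikes such as wp-conf1g.php
    if looks_random(stem):
        return "random-name"
    return None


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Apply classify() to a listing and return (path, reason) pairs for the hits."""
    hits: List[Tuple[str, str]] = []
    for path in paths:
        reason = classify(path)
        if reason:
            hits.append((path, reason))
    return hits


def scan_tree(docroot: str) -> List[Tuple[str, str]]:
    """Walk a real WordPress document root and apply the same rules."""
    rels = []
    for dirpath, _dirs, files in os.walk(docroot):
        for f in files:
            rels.append(os.path.relpath(os.path.join(dirpath, f), docroot))
    return scan_paths(rels)


# Constructed sample listing: benign files plus three that the rules should flag.
SAMPLE_LISTING = [
    "index.php",
    "xmlrpc.php",
    "wp-content/plugins/akismet/akismet.php",
    "wp-content/themes/twentytwentyone/functions.php",
    "wp-content/uploads/2021/09/image.jpg",
    "wp-content/uploads/2021/09/shell.php",              # PHP dropped into uploads
    "wp-content/plugins/contact-form-7/a1b2c3d4e5.php",  # random hex name inside a plugin
    "wp-conf1g.php",                                     # core look-alike in the root
]


def scan_sample() -> List[Tuple[str, str]]:
    """Run the rules over the constructed listing."""
    return scan_paths(SAMPLE_LISTING)


if __name__ == "__main__":
    for path, reason in scan_sample():
        print(f"{reason:<20} {path}")
```

Treat a hit as a prompt to inspect, not proof of compromise: a legitimate plugin occasionally ships an oddly named file, and real webshells also hide behind innocent names, which is why the checksum comparison against WordPress.org should run alongside this sweep.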

7. Limit the number of plugins you use

Using fewer plugins is the most reliable way to reduce your exposure. There is always a window in which your site can be attacked before the developer learns of a vulnerability or ships a patch, and every plugin you install adds another such window. The fewer plugins you run, the less attack surface you expose.

Using too many plugins also slows down your site, so trimming them is a win on both counts.

Do you need a secure WordPress website? Custom plugins? We can help!

Do you wish someone would secure your WordPress website for you? We can. We can also develop custom WordPress plugins that meet all of your needs that aren’t being met by stock plugins.

At website.design, we specialize in building beautiful, professional, and secure WordPress websites for clients in any industry. Contact us today for a free quote – we’d love to work with you!

Ryan Nead
