How to Reduce Security Risks From WordPress Plugins

Plugins are how most WordPress sites get functionality that core does not provide. Most WordPress users, including very capable developers, prefer to install a plugin rather than write custom code into their site. But every plugin you add raises your exposure: it is more code, written by someone else, running with the same privileges as WordPress itself. This post looks at how to limit the risk of running WordPress plugins and how to prevent the attacks that target them. Before we get to the preventive measures, let us look at how WordPress plugins are exploited.


How Are WordPress Plugins Exploited?

A quick reminder of the most common classes of security hole found in WordPress plugins. Note that real incidents are often a combination of two or more of the types listed below (an arbitrary file upload, for example, is usually just the first step towards remote code execution).

Arbitrary file viewing
Instead of allowing only specific files to be viewed (for example the plugin's own templates), missing path checks let an attacker read the contents of any file on the server, including files holding sensitive information such as wp-config.php, which contains the database credentials and the authentication salts.

Arbitrary file upload
Missing file type and content checks let an attacker upload arbitrary files, including PHP scripts. Once the uploaded script is requested through the web server it runs with the same privileges as WordPress and can do pretty much anything on the site.
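The two patterns above, each first as a careless plugin would write it and then hardened. This is an example added to this post, not code from the original article or from any real plugin: the action name, the "templates" directory and the allowed extensions are assumed for illustration, while current_user_can(), wp_check_filetype_and_ext(), wp_handle_upload(), check_admin_referer() and wp_die() are WordPress core functions.

```php
<?php
// Added example: a template viewer and an upload handler, vulnerable and hardened.

// --- Vulnerable: the file name comes straight from the request ----------------
function vuln_show_template() {
    $file = $_GET['file'];                                   // e.g. ../../../wp-config.php
    readfile( plugin_dir_path( __FILE__ ) . 'templates/' . $file );
    exit;
}

// --- Hardened: resolve the path and confine it to the templates directory -----
function safe_show_template() {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    // basename() drops any directory component; realpath() then canonicalises
    // the remaining name so neither ".." nor a symlink can escape $base.
    $name = basename( wp_unslash( $_GET['file'] ?? '' ) );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $path
         || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0
         || pathinfo( $path, PATHINFO_EXTENSION ) !== 'html' ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    header( 'Content-Type: text/plain; charset=utf-8' );     // display only, never execute
    readfile( $path );
    exit;
}

// --- Vulnerable: whatever is in $_FILES is written into uploads as-is ---------
function vuln_upload() {
    $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['upload']['name'];  // e.g. shell.php
    move_uploaded_file( $_FILES['upload']['tmp_name'], $dest );
}

// --- Hardened: capability + nonce, then let WordPress check type and content --
function safe_upload() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_upload' );   // nonce emitted by the form that posted here

    // Allowlist of what this feature actually needs; everything else is rejected.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );
    $f = $_FILES['upload'] ?? null;
    if ( ! $f || UPLOAD_ERR_OK !== $f['error'] ) {
        wp_die( 'Upload failed', '', array( 'response' => 400 ) );
    }
    // Checks the extension AND the file's real content signature against $allowed.
    $check = wp_check_filetype_and_ext( $f['tmp_name'], $f['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not allowed', '', array( 'response' => 415 ) );
    }
    // wp_handle_upload() applies the same allowlist, sanitises the name and
    // stores the file under wp-content/uploads with a unique file name.
    $result = wp_handle_upload( $f, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    return $result['file'];
}
add_action( 'admin_post_example_upload', 'safe_upload' );
```

The key change in both hardened handlers is that the request no longer chooses what the server does: the viewer serves one file from one directory after canonicalising the path, and the uploader accepts only a small allowlist of types verified by content, not by the name the client sent.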

Privilege escalation
Once an attacker has any account on the site, even a plain subscriber, missing capability and nonce checks in a plugin's handlers let them raise their own privileges, up to and including administrator.

SQL injection
When user-supplied data is concatenated into SQL queries instead of being passed through prepared statements ($wpdb->prepare() in WordPress), an attacker can change the query and read, delete, update or insert data in the database. This is one of the most common vulnerabilities.
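Privilege escalation and SQL injection usually arrive together in one unguarded AJAX handler, so here is one such handler vulnerable and then hardened. This is an example added to this post, not code from the original article or any real plugin: the action names, the "nl_topic" meta key and the allowed topics are assumed for illustration; check_ajax_referer(), current_user_can(), $wpdb->prepare(), get_editable_roles() and wp_send_json_error() are WordPress core functions.

```php
<?php
// Added example: a logged-in user stores a newsletter topic on their profile.

// --- Vulnerable: no nonce or capability check, the request chooses the target
// user, and the value is concatenated straight into the SQL --------------------
function vuln_save_topic() {
    global $wpdb;
    $user_id = $_POST['user_id'];   // a subscriber can send the administrator's ID
    $topic   = $_POST['topic'];     // a single quote here ends the string and lets
                                    // the attacker append their own row values
    $wpdb->query( "INSERT INTO {$wpdb->usermeta} (user_id, meta_key, meta_value)
                   VALUES ($user_id, 'nl_topic', '$topic')" );
    wp_send_json_success();
}
add_action( 'wp_ajax_nl_save_topic', 'vuln_save_topic' );

// --- Hardened ------------------------------------------------------------------
function safe_save_topic() {
    global $wpdb;
    check_ajax_referer( 'nl_save_topic' );               // CSRF token from wp_create_nonce()
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    // The target is always the caller; the client never picks the user.
    $user_id = get_current_user_id();
    // Only a few values are meaningful, so allowlist them instead of escaping.
    $allowed = array( 'security', 'releases', 'community' );
    $topic   = sanitize_key( wp_unslash( $_POST['topic'] ?? '' ) );
    if ( ! in_array( $topic, $allowed, true ) ) {
        wp_send_json_error( 'invalid topic', 400 );
    }
    // Placeholders: $wpdb->prepare() quotes and escapes the values for us.
    // (update_user_meta() would be the idiomatic call; the raw query shows the point.)
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->usermeta} (user_id, meta_key, meta_value) VALUES (%d, %s, %s)",
        $user_id, 'nl_topic', $topic
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_safe_nl_save_topic', 'safe_save_topic' );

// Anything that changes a role must be gated on a capability the caller holds,
// never on a role name or user ID the client sends.
function safe_change_role() {
    check_ajax_referer( 'nl_change_role' );
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $role    = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );
    if ( ! get_userdata( $user_id ) || null === get_role( $role ) ) {
        wp_send_json_error( 'unknown user or role', 400 );
    }
    // get_editable_roles() lists only the roles this caller is allowed to grant.
    if ( ! array_key_exists( $role, get_editable_roles() ) ) {
        wp_send_json_error( 'role not grantable', 403 );
    }
    ( new WP_User( $user_id ) )->set_role( $role );
    wp_send_json_success();
}
add_action( 'wp_ajax_safe_nl_change_role', 'safe_change_role' );
```

Note that registering a handler on wp_ajax_* only requires the caller to be logged in; any subscriber reaches it. The nonce stops cross-site requests, the capability check stops low-privilege accounts, and the placeholders stop the value from rewriting the query.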

Remote code execution (RCE)
The attacker gets the server to execute code of their choosing without first having to place a file on it, for example because the plugin passes request data to eval(), include() or a shell command. Such code can do anything, from hijacking the site to deleting it completely.


How You Can Reduce Plugin Vulnerabilities

Vulnerable plugins are the top way that attackers gain access to WordPress sites. Reducing your plugin security risk is one of the most important aspects of protecting your site. There are a number of things you can do to limit this risk.

Use as Few Plugins as Possible

Every plugin you install on your website increases your “attack surface”. You are running more code, so your odds of having a security vulnerability exploited go up. Every plugin you add to your site also represents another developer you are relying on to keep you safe. That includes writing secure code, responding quickly to vulnerability reports and keeping your best interests in mind.

Only Download Plugins From Reputable Sites

If possible we recommend that you limit your plugin downloads to the official WordPress.org plugin directory. A great team of volunteers manages it, alongside a large community of users and security researchers helping out.

If you need to download a plugin from another site, you can use these tips to help determine whether the site is reputable:

  • The site should pass the “eye test”: professionally designed and using clear language to describe the plugin.
  • Look for a valid company name in the footer.
  • Terms of service and a privacy policy readily available.
  • You should be able to find a physical contact address on the contact page or in the terms of service.
  • If you Google the domain name in quotes (e.g., “example.com”) you shouldn’t find any reports of malicious activity. Adding the words “malware,” “exploit” and “vulnerability” to your search may reveal additional information.

Choose Reputable Plugins

The WordPress.org plugin directory makes it really easy to evaluate plugins by providing a nice summary that gives you almost everything you need. Here’s what we suggest you pay attention to:

  • The more recent the last update, the better.
  • Check the number of active installs the plugin has. Some reliable and useful plugins have low install numbers, but you should still examine a plugin carefully if it has a low install base (below 1,000 active installs). It may not be maintained.
  • It should be compatible with the current version of WordPress, though please note that immediately after a WordPress core release, a lot of reputable plugins will show a “Tested up to:” value that is behind, as authors finish testing their plugin with the latest WordPress version.
  • The average plugin rating should be high enough to instill confidence. The higher the rating, the better, obviously.

You should also periodically review your installed plugins to make sure they have maintained their good standing.

Delete Plugins Immediately When You Stop Using Them

We have written at length about the fact that the best way to secure data is to get rid of it. The same concept applies to WordPress plugins: removing plugins reduces your risk.

Keep Your Plugins Up to Date

Security vulnerabilities are constantly being discovered in WordPress plugins. In many cases, the details of the vulnerability will be made public, meaning that the entire world is given the information necessary to exploit the security vulnerability. In fact, the large majority of attacks we see on WordPress sites are attempts to exploit well-known security holes, some many years old. Instead of looking for new vulnerabilities, attackers look for site owners who don’t keep things up to date. Unfortunately, they continue to have success. You can stay ahead of the curve by simply keeping things up to date.

Many plugins, Wordfence included, have an auto-update option of their own, and WordPress itself can update plugins automatically through the auto_update_plugin filter (and, since version 5.5, from the Plugins screen). Enable automatic updates for as many plugins as you can. For those where you can't, update to the latest version as soon as possible, especially when the release includes a security fix.
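One way to turn that into site policy rather than a per-plugin checkbox is a small must-use plugin that answers WordPress's auto_update_plugin filter. This is an example added to this post, not Wordfence's or WordPress's code; the two plugin paths in the lists are assumed, the filter and its arguments are those of WordPress core.

```php
<?php
/**
 * Plugin Name: Plugin auto-update policy (added example)
 *
 * Drop this file into wp-content/mu-plugins/. WordPress asks the
 * `auto_update_plugin` filter, once per plugin with an available update,
 * whether the background updater may install it.
 */

// Plugins that must always auto-update. Paths are the keys of get_plugins(),
// i.e. "<directory>/<main file>"; the entry below is assumed for illustration.
const EXAMPLE_ALWAYS_UPDATE = array(
    'wordfence/wordfence.php',
);

// Plugins that are never auto-updated because you test them by hand first
// (site-specific customisations). Assumed path.
const EXAMPLE_NEVER_UPDATE = array(
    'my-custom-checkout/my-custom-checkout.php',
);

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item is the update-API record; ->plugin is the plugin's file path.
    if ( ! isset( $item->plugin ) ) {
        return $update;
    }
    if ( in_array( $item->plugin, EXAMPLE_NEVER_UPDATE, true ) ) {
        return false;
    }
    if ( in_array( $item->plugin, EXAMPLE_ALWAYS_UPDATE, true ) ) {
        return true;
    }
    // Everything else updates too, so publicly known holes close without
    // waiting for a human. Return $update here instead to keep the default.
    return true;
}, 10, 2 );
```

Because it lives in mu-plugins the policy cannot be switched off from the dashboard, and because the default branch returns true, a newly installed plugin is covered without anyone remembering to enable updates for it.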

Replace Abandoned and Removed Plugins

Have you ever started a project or hobby and gotten bored with it? That happens to WordPress plugin authors, too. In fact, it happens a lot. Back in May we wrote a post about abandoned plugins and found that, at the time, over 46% of plugins had not been updated in over 2 years.

Does that mean that they include a security vulnerability? Most likely not. What it does mean is that they represent a much higher risk than actively maintained plugins. We recommend that you not run plugins that haven’t been updated in over 2 years.

Another risk to keep an eye on is plugins that have been removed from the WordPress.org plugin directory. There are many reasons why the WordPress plugin team might remove a plugin, including having a security vulnerability that hasn’t been fixed. Since their policy is to not disclose why they removed a plugin, we recommend that you immediately remove plugins from your site that are removed from the WordPress.org directory.
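The vetting criteria from "Choose Reputable Plugins" and the abandoned-or-removed check from this section are the same test applied to the same data, so here is one function that does both. This is an example added to this post, not the original article's or Wordfence's code. It works on a plugin's WordPress.org directory record; the field names last_updated, active_installs, tested and rating are those of the api.wordpress.org plugin_information response (in a WordPress context, plugins_api( 'plugin_information', array( 'slug' => $slug ) ) fetches it and returns a WP_Error when the directory no longer has the plugin). The sample records below are constructed, not real directory data, and the thresholds are the ones this post recommends.

```php
<?php
// Added example: score a plugin's directory record against the post's criteria.

const TWO_YEARS    = 2 * 365 * 24 * 3600;
const MIN_INSTALLS = 1000;
const MIN_RATING   = 80;   // directory ratings are 0..100

/**
 * @param array|null $info   decoded plugin_information record, or null when the
 *                           directory answered "not found" (plugin removed)
 * @param string     $wp_ver WordPress version the site runs
 * @param int        $now    evaluation time (unix); injectable so runs are repeatable
 * @return string[]  findings; an empty array means no concerns
 */
function vet_plugin( ?array $info, string $wp_ver, int $now ): array {
    if ( null === $info ) {
        return array( 'removed from the WordPress.org directory: uninstall now' );
    }
    $findings = array();

    // last_updated looks like "2016-04-13 9:52am GMT"; the date part is enough.
    $updated = strtotime( substr( $info['last_updated'] ?? '', 0, 10 ) );
    if ( false === $updated || $now - $updated > TWO_YEARS ) {
        $findings[] = 'abandoned: no update in over 2 years';
    }

    if ( (int) ( $info['active_installs'] ?? 0 ) < MIN_INSTALLS ) {
        $findings[] = 'low install base (< ' . MIN_INSTALLS . '): examine carefully';
    }

    // Compare major.minor only: "Tested up to 4.8" on a 4.8.3 site is fine.
    $tested_raw = $info['tested'] ?? 'unknown';
    $tested     = implode( '.', array_slice( explode( '.', $tested_raw ), 0, 2 ) );
    $site       = implode( '.', array_slice( explode( '.', $wp_ver ), 0, 2 ) );
    if ( version_compare( $tested, $site, '<' ) ) {
        $findings[] = "not tested with WordPress $site (tested up to $tested_raw)";
    }

    if ( (int) ( $info['rating'] ?? 0 ) < MIN_RATING ) {
        $findings[] = 'rating below ' . MIN_RATING . '/100';
    }
    return $findings;
}

// Constructed sample records, not real plugins.
$now     = strtotime( '2017-11-01' );
$site    = '4.8.3';
$samples = array(
    'well-kept-gallery' => array( 'last_updated' => '2017-10-20 7:01pm GMT',
                                  'active_installs' => 50000, 'tested' => '4.8.3', 'rating' => 92 ),
    'dusty-widget'      => array( 'last_updated' => '2014-02-03 11:15am GMT',
                                  'active_installs' => 300, 'tested' => '3.8', 'rating' => 70 ),
    'vanished-plugin'   => null,   // directory returned "not found"
);
foreach ( $samples as $slug => $info ) {
    $f = vet_plugin( $info, $site, $now );
    printf( "%-18s %s\n", $slug, $f ? implode( '; ', $f ) : 'OK' );
}
```

Run it over the output of get_plugins() on a schedule (a daily cron event is enough) and a plugin that quietly stops being maintained, or disappears from the directory, shows up in your inbox rather than in an incident report.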

This spring, we added a feature that alerts you when plugins have been abandoned or removed from WordPress.org.

Install a WordPress Firewall

Every now and then an attacker will discover a zero-day vulnerability in a WordPress plugin and start attacking sites. In these cases, if you are unlucky enough to be running the vulnerable plugin, having the latest version installed will not help protect your site. That’s where a web application firewall, or WAF, comes in. Web Application Firewalls examine the traffic hitting your site, filtering out malicious requests.

The Wordfence firewall includes a robust set of protections against the most common attacks on WordPress websites. These include SQL Injection, Cross Site Scripting, Malicious File Uploads, Directory Traversal and many more. In addition, when a new security vulnerability emerges, our security analysts quickly develop code to protect for that specific threat in the form of a “firewall rule.” These firewall rules are deployed in real time to Wordfence Premium customers via the Threat Defense Feed. Free sites receive them 30 days later.

List of hacked, dangerous & vulnerable WordPress plugins

Plugin name | Vulnerability type | Min / max versions affected
1 Flash Gallery | arbitrary file upload | 1.3.0 / 1.5.6
360 Product Rotation | arbitrary file upload | 1.1.3 / 1.2.0
Tevolution | arbitrary file upload | 2.0 / 2.2.9
Addblockblocker | arbitrary file upload | 0.0.1
Ads Widget | remote code execution (RCE) | 2.0 / n/a
Advanced Access Manager | privilege escalation | 3.0.4 / 3.2.1
Advanced Ajax Page Loader | arbitrary file upload | 2.5.7 / 2.7.6
Advanced Video Embed Embed Videos Or Playlists | arbitrary file viewing | n/a / 1.0
Analytic | remote code execution (RCE) | 1.8
Analytics Counter | PHP object injection | 1.0.0 / 3.4.1
Appointments | PHP object injection | 1.4.4 Beta / 2.2.0
Asgaros Forum | settings change | 1.0.0 / 1.5.7
Aspose Cloud Ebook Generator | arbitrary file viewing | 1.0
Aspose Doc Exporter | arbitrary file viewing | 1.0
Aspose Importer Exporter | arbitrary file viewing | 1.0
Aspose Pdf Exporter | arbitrary file viewing | 1.0
Attachment Manager | arbitrary file upload | 1.0.0 / 2.1.1
Auto Attachments | arbitrary file upload | 0.2.7 / 0.3
Bbpress Like Button | SQL injection | 1.0 / 1.5
Bepro Listings | arbitrary file upload | 2.0.54 / 2.2.0020
Blaze Slide Show For Wordpress | arbitrary file upload | 2.0 / 2.7
Brandfolder | local file inclusion (LFI) | 2.3 / 3.0
Breadcrumbs Ez | remote code execution (RCE) | n/a
Candidate Application Form | arbitrary file viewing | 1.0
Cardoza Facebook Like Box | arbitrary file upload | 2.8.9 / 2.9.1
Category Grid View Gallery | arbitrary file upload | 0.1.0 / 0.1.1
Category Page Icons | restricted file upload | 0.1 / 0.9.1
Cherry Plugin | arbitrary file upload | 1.0 / 1.2.6
Chikuncount | arbitrary file upload | 1.3
Cip4 Folder Download Widget | arbitrary file viewing | 1.4 / 1.1
Cms Commander Client | PHP object injection | 2.02 / 2.21
Contus Video Gallery | arbitrary file viewing | 2.2 / 2.3
Cookie Eu | remote code execution (RCE) | 1.0
Cp Image Store | arbitrary file viewing | 1.0.1 / 1.0.5
Cross Rss | arbitrary file viewing | 0.5
Custom Content Type Manager | remote code execution (RCE) | 0.9.8.8
Custom Lightbox | possible remote code execution (RCE) | 0.24
Cysteme Finder | arbitrary file viewing | 1.1 / 1.3
Db Backup | arbitrary file viewing | 1.0 / 4.5
Delete All Comments | arbitrary file upload | 2.0
Developer Tools | arbitrary file upload | 1.0.0 / 1.1.4
Disclosure Policy Plugin | remote file inclusion (RFI) | 1.0
Display Widgets | remote code execution (RCE) | 2.6
Dop Slider | arbitrary file upload | 1.0
Download Zip Attachments | arbitrary file viewing | 1
Downloads Manager | arbitrary file upload | 1.0 Beta / 1.0 rc-1
Dp Thumbnail | arbitrary file upload | 1.0
Dropbox Backup | PHP object injection | 1.0 / 1.4.7.5
Dukapress | arbitrary file viewing | 2.3.7 / 2.5.3
Duplicate Page And Pos | spam injection | 2.1.0 / 2.1.1
Ebook Download | arbitrary file viewing | 1.1
Ecstatic | arbitrary file upload | 0.90 (x9) / 0.9933
Ecwid Shopping Cart | PHP object injection | 3.4.4 / 4.4.3
Email Subscribers | information disclosure | 1.2 / 3.4.7
