Wordfence reports up to 90,000 attacks on WordPress sites every minute.

That is clearly a problem.

Both for me, as someone who maintains websites, and for you, as someone who runs or owns a website.

So what can we do about it?

Well, the first step to solving a problem is understanding it. And today, in this article, we are going to focus on understanding one of the causes of so many of these attacks: vulnerable plugins.


What is a plugin?

Plugins, the givers of so much functionality yet so much potential grief, are bundles of code that provide extra functionality to your WordPress based website. They do this by plugging in (get it?) to your website, essentially inserting themselves into your website and becoming part of your website's environment, running with the same access to your files and database as WordPress itself.

And to say there is a lot of them would be quite the understatement. In fact, according to the WordPress plugin directory itself there are 58,392 that currently exist.

That’s a whole lot of guests you are inviting to your website by installing them. And just like inviting guests to a real party, that means there is always the potential for someone unwanted to slip through.


What threat do plugins pose?

Plugins pose a threat to your website through plugin vulnerabilities.

What is a plugin vulnerability, you may ask? Quite simply, it is a flaw in the plugin's code that gives hackers an opportunity to exploit your website. How they do this depends on the vulnerability type, but two of the most commonly occurring kinds are Cross Site Scripting and SQL Injection.

Cross Site Scripting (XSS)

Allows attackers to inject malicious client-side script into web pages, which then runs in the browser of every victim who visits the vulnerable website. Typically this happens when a plugin prints user-supplied input (a comment, a search term, a URL parameter) into a page without escaping it.

SQL Injection

Allows the attacker to inject malicious SQL statements through the vulnerable website, thereby giving the attacker access to the website's database. Typically this happens when a plugin pastes user-supplied input straight into a database query instead of passing it as a separate, escaped parameter.
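To make the two vulnerability types above concrete, here is a small WordPress shortcode handler written in its injectable form and then in its hardened form. This is an added illustration, not code from the original article or from any real plugin; it assumes it is loaded as a plugin inside WordPress (so `$wpdb`, `sanitize_text_field`, `esc_html` and friends exist) and queries a hypothetical custom table named `{$wpdb->prefix}example_items` with `id` and `title` columns.

```php
<?php
/**
 * Plugin Name: Example Search Shortcode
 * Description: Added illustration of an injectable handler next to its hardened form.
 *
 * Assumption: a custom table {$wpdb->prefix}example_items (id, title) exists.
 * Only the hardened handler is registered; the vulnerable one is kept for comparison.
 */

// VULNERABLE: the raw ?q= value is interpolated into the SQL text (SQL Injection)
// and echoed back into the page unescaped (Cross Site Scripting).
function example_search_vulnerable() {
    global $wpdb;
    $term = isset( $_GET['q'] ) ? $_GET['q'] : '';

    $rows = $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}example_items WHERE title LIKE '%$term%'"
    );

    $out = "<p>Results for: $term</p><ul>";
    foreach ( (array) $rows as $row ) {
        $out .= "<li>{$row->title}</li>";
    }
    return $out . '</ul>';
}

// HARDENED: input is unslashed and sanitised, the query is built with $wpdb->prepare()
// so the value can never change the SQL structure, LIKE wildcards in the value are
// escaped with $wpdb->esc_like(), and everything printed goes through esc_html().
function example_search_hardened() {
    global $wpdb;
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_items WHERE title LIKE %s",
        $like
    );
    $rows = $wpdb->get_results( $sql );

    $out = '<p>Results for: ' . esc_html( $term ) . '</p><ul>';
    foreach ( (array) $rows as $row ) {
        // Database contents are untrusted too: escape on output, not only on input.
        $out .= '<li>' . esc_html( $row->title ) . '</li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'example_search', 'example_search_hardened' );
```

The difference between the two functions is exactly the difference between a plugin that leaves the door open and one that does not: the hardened version treats every value it did not generate itself, whether it came from the URL or from the database, as data to be escaped rather than as code to be trusted.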

Just because the vulnerability exists does not guarantee that it will be exploited. Leaving your home's door unlocked does not guarantee that your house will be robbed, but it does, quite literally, leave the door open to those seeking the opportunity to do so.

In the same way, plugin vulnerabilities leave the door open to your website.

And that gets me thinking: I doubt any real burglar would let an open-door opportunity pass. So why would a burglar of the digital kind, aka a hacker, say no to it either?


What can we do about it?

Thankfully, the answer to that is reasonably straightforward in definition: keep your plugins up to date, because a fixed vulnerability only protects you once the fixed version is actually installed.

Unfortunately, that same answer can also be complicated in execution. 

Just a fraction of the code that can be contained in a plugin.

As we have already learnt, plugins provide us with functionality. This functionality can range from a simple contact form through to a whole eCommerce solution. This means that when a plugin is updated, the functionality it provides needs to be thoroughly tested too.

That may seem easy enough: submit a test form or place a test order. But there are many moving parts, and that means you need to know where to look and what to test. Not everyone has the time or confidence to do that.

If that sounds like you, and the thought of updating plugins and changing the code on your website makes you uncomfortable, then get in touch with us today and ask about our SLA packages.