We all recognize WordPress as a wonderful blogging platform that enables anyone, almost completely regardless of technical ability, to publish their words to the Internet. And I’m sure we can all agree that we do not want our blogs to be compromised by an unscrupulous hacker.
Or to put it more plainly, you don’t want to type in one of your blog’s URLs tomorrow and be presented with a spammy “You Are A Winner!” message, or a redirect to a completely unknown website. If you want your blogs to be successful, such an outcome can be potentially disastrous.
If you don’t keep all of your themes and plugins up to date, you are drastically increasing the chances of someone using your blog for their own devious purposes. I don’t have to rely upon anecdotal evidence to back up this assertion, because there are two recent stories that prove my point effectively.
Although TimThumb sounds delightfully innocent, the script was at the center of a huge security breach that exposed over a million WordPress sites to the risk of compromise.
TimThumb is a simple photo-resizing utility that is used by a huge number of plugin developers. I will skim over the technical details, but in layman’s terms, the script’s vulnerability allowed any resourceful hacker to insert code into, and therefore wrest control of, any WordPress site that utilized the script. Which was in fact any site that included the TimThumb script in any active or inactive theme or plugin.
In June of this year three popular WordPress plugins (AddThis, W3 Total Cache, and WPtouch) were edited in the official WordPress plugin repository. Edited by an unauthorized party, I should add.
The code added to the plugins acted as a backdoor to any blog that they were installed on. In much the same way as the TimThumb incident, a hacker could potentially use the backdoor to wreak havoc on your blog.
Updates Are The Solution
It is clear that we cannot prevent plugins from being hacked, and we may well inadvertently install “vulnerable” code on our sites in the future. Those are unfortunate facts. However, all we need to do to limit our exposure to risk is rely upon the extremely quick actions of the WordPress community and ensure that we subsequently do our bit.
In both incidents reported above, the response from the WordPress community was quick and efficient. The threats were eliminated very quickly. The real problem was that many people simply did not update their themes and plugins. As such, their sites remained vulnerable.
Because many people have multiple WordPress blogs, it takes them an age to manually access each dashboard and run through the updates. It can be discouraging enough to not do at all.
Fortunately, that is where ManageWP comes in. Because you can handle all of your themes and plugins from one central dashboard, all of those updates can be managed with literally the click of a button. As such, you can keep your blog portfolio far more secure, and highly reduce the risk of any compromise that may severely affect the popularity or trustworthiness of your blogs.
Creative commons image courtesy of Zakwitnij!pl Ejdzej & Iric
LOL- Love the picture and scary how he looks like he already knows what he is doing!
Your ManageWP app is just amazing, efficiency raised to the 10th power!
Thanks, great to hear that!
People should remove unused plugins and theme as well. I test a lot of plugins and I never add “new” plugins where the last version is older than a year.
Absolutely Olaf – great advice. The less opportunities there are for your site to be compromised, the better.
This is exactly what the “minimal disclosure” security policy entails in just about every web application. The less you disclose (i.e. plugins, themes, extras), the less potential security holes you leave behind. That’s also why I configure my server not to show the version of Apache it’s running; not even the fact it runs Apache appears at all.