Another day, another hacking story; at least, that’s what it’s starting to feel like around here.
WordPress is no stranger to security issues. In fact, we’ve talked about them repeatedly in the past. The TimThumb saga, caching plugin vulnerabilities, brute-force attacks… the list goes on. Let’s not forget the Heartbleed issue, which extended way beyond WordPress and highlighted security vulnerabilities on the Internet as a whole.
And while security is always improving for WordPress, having yet another issue pop up today makes it abundantly clear that WordPress security still isn’t 100% under control. The issue isn’t WordPress Core, though; the issue is with some of the people using WordPress.
But before I get into that, let’s briefly discuss what this latest hacking debacle entailed.
The MailPoet Plugin Hack
In late July, it was revealed that the MailPoet plugin – formerly Wysija Newsletter – had a serious security vulnerability that had the potential to allow an attacker to inject malware, spam, and a variety of other unsavory things into sites that had the plugin installed.
According to Daniel Cid, security researcher and CEO of Sucuri, the vulnerability had resulted in 50,000 websites being hacked. Basically, hackers used it to remotely install backdoors through the plugin. These backdoors gave hackers free rein, allowing them to create an admin account and everything!
What made this even worse is that the malware the hackers were using can infect any site that shares a server with a hacked WordPress site. Yikes!
So, to put it plainly, the MailPoet plugin vulnerability was the way hackers were gaining access to websites; any website on the same server as a site running the plugin, in fact. And malware doesn’t just infect; it breaks sites and overwrites files. (Hopefully these people had their files backed up.)
The most recent version of MailPoet has repaired this vulnerability, so if you run anything older than version 2.6.7, you need to update it right away.
Previously, Sucuri discovered other plugin-based vulnerabilities affecting WPtouch, All in One SEO Pack and Disqus Comment System.
All of this leads me to believe that plugin security is a problem, as I’m sure you agree. But talk about making WordPress look bad! What gets my ire up is that these security breaches are so easily prevented.
What’s the solution here? How do you prevent these backdoor-entry, malware-injecting, site-breaking hacks from happening to you? I’ll break it down into the simplest terms I can muster.
Update Your Stuff!
That’s seriously all you need to do. At least in the aforementioned situations, MailPoet and otherwise, simply updating your plugins as soon as the updates became available would have put you in the clear.
According to Sucuri, as much as 80% of WordPress vulnerabilities are the result of using outdated software – that’s plugins and themes – and using ‘bad’ passwords.
An alarming number of people still use passwords like 123456, by the way, which makes my brain hurt.
So while WordPress gets all of this bad press for not being secure enough and seemingly letting hackers go hog wild over its installations, the truth of the matter is that WordPress users are often responsible for these issues.
When a new security update rolls out, notes are released regarding everything that was fixed since the previous version. This often includes security fixes. This means vulnerabilities in old versions become common knowledge. Can you say hacker field day?
Now, everything would be right as rain if everyone who’d installed this particular plugin updated it as soon as the new version became available, but that’s not what happens. People let their sites sit and don’t update things right away. Meanwhile, hackers get to work immediately on exploiting these now-public vulnerabilities. Which means the longer you wait to update your plugins or themes, the more you leave yourself wide open to an attack.
Seriously – it’s sort of your fault if it happens. And it’s certainly not WordPress’ fault, like so much of the mainstream news coverage likes to convey.
In fact, WordPress Core hasn’t seen very many security vulnerabilities since its pre-3.0 days. And when issues have been discovered, they’ve been taken care of right away. But again, it’s on the user to update to the latest version to limit their exposure.
Implementing Security Best Practices is Your Responsibility
Whether it’s updating your plugins in a timely manner or setting a password that isn’t “password”, it’s on you – the WordPress user – to follow best practices regarding security. It is your responsibility to make sure your site is secure. Plain and simple.
The security “rules” aren’t all that complicated, but if you need a little reminding, here are our best suggestions:
- Update as updates become available. We’ve discussed this at length already but it bears repeating: update everything on your site as updates become available. That means the core installation, security releases, plugins, and themes. Check your site for update notifications at least once a week to make sure everything is current.
- Listen to that boring old advice about passwords. I know, I know, it’s hard to remember passwords, especially when they have to contain upper and lowercase letters, numbers, and symbols. And it’s even more difficult when they need to be different on every site you have a login for. But just do it already, would you? You’ll thank me when you’re not scrambling to restore your site from a backup because it got wiped out by a hacker.
- Install two-step authentication. Why just stick with a password when you can install two-factor authentication? ManageWP offers this; we have an SMS Two Factor Authentication available in our Business Plan.
- Be selective in who has admin access. Don’t give any old person access to your site’s backend. And even for someone you’d like to contribute a guest post, let’s say, choose their user role carefully. A writer doesn’t need to have full admin access.
- Get rid of plugins/themes you’re not using. Take a few minutes out of your day and uninstall everything you don’t need. Go do it now. I’ll wait. Not only will this make your site less vulnerable to security breaches, it’ll also speed it up. Win/win!
- Back up your site regularly. Failing to back up your site on a regular basis is like playing Russian roulette with your business. I’m going to assume here that you take pride in your website and what you’re offering to the world through it. So why wouldn’t you do everything in your power to protect it? Use a backup solution (ManageWP has that, too) that you can schedule to back up your site automatically. The less you have to think about it, the better.
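The first item on that list, checking that plugins are current, is easy to automate. What follows is an added example written for this post, not code from ManageWP, MailPoet or WordPress: a small Python audit that walks a wp-content/plugins directory, reads each plugin’s header (WordPress itself reads the first 8 KB of the main file for the Plugin Name and Version lines) and flags any plugin whose version is below a minimum you specify. The 2.6.7 floor for MailPoet comes from the post; the directory name wysija-newsletters and the sample plugin tree the script builds are assumptions, constructed here so the example runs offline.

```python
"""Audit WordPress plugin versions against a table of minimum safe versions.

Added example for this post; not ManageWP, MailPoet or WordPress code.
The sample plugin tree is constructed in a temporary directory.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Minimum versions to enforce. 2.6.7 is the fixed MailPoet release named in
# the post; the directory name is an ASSUMPTION (the post only names the plugin).
MIN_SAFE_VERSIONS = {
    "wysija-newsletters": "2.6.7",  # MailPoet (formerly Wysija Newsletter)
}

# Matches "Plugin Name: x" / "Version: x" lines, with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.6.7' or '2.10-beta' into a tuple of ints for safe comparison.

    A string compare would wrongly rank '2.10' below '2.9'; non-numeric
    suffixes such as '-beta' are dropped."""
    nums = []
    for part in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; '2.6' is treated as '2.6.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def read_plugin_header(plugin_dir: str) -> Optional[Dict[str, str]]:
    """Return the header fields of the first PHP file carrying a Plugin Name."""
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress also reads only the first 8 KB
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            return fields
    return None


def audit_plugins(plugins_root: str, minimums=MIN_SAFE_VERSIONS) -> List[dict]:
    """Classify every plugin directory as ok, outdated, or unknown."""
    findings = []
    for slug in sorted(os.listdir(plugins_root)):
        path = os.path.join(plugins_root, slug)
        if not os.path.isdir(path):  # single-file plugins are skipped here
            continue
        hdr = read_plugin_header(path)
        if hdr is None or "Version" not in hdr:
            findings.append({"slug": slug, "status": "unknown", "version": None})
            continue
        ver = hdr["Version"]
        if slug in minimums and version_lt(ver, minimums[slug]):
            findings.append({"slug": slug, "status": "outdated",
                             "version": ver, "minimum": minimums[slug]})
        else:
            findings.append({"slug": slug, "status": "ok", "version": ver})
    return findings


# Constructed sample install: one stale MailPoet, one unrelated plugin, one
# directory with no header at all (unknown plugins deserve a look too).
SAMPLE_PLUGINS = {
    "wysija-newsletters": "<?php\n/*\nPlugin Name: MailPoet Newsletters\nVersion: 2.6.4\n*/\n",
    "example-seo": "<?php\n/**\n * Plugin Name: Example SEO\n * Version: 1.2.0\n */\n",
    "mystery-plugin": "<?php\n// no WordPress header here\n",
}


def build_sample_install() -> str:
    """Write the constructed plugin tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for slug, header in SAMPLE_PLUGINS.items():
        d = os.path.join(root, slug)
        os.makedirs(d)
        with open(os.path.join(d, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write(header)
    return root


if __name__ == "__main__":
    for f in audit_plugins(build_sample_install()):
        print(f)
```

Point `audit_plugins()` at a real site’s wp-content/plugins directory and extend `MIN_SAFE_VERSIONS` as vendors publish fixed releases; anything reported as `outdated` is exactly the “update it right away” case the post describes, and `unknown` entries are plugins you cannot vouch for and should investigate.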
Though the media loves to make each new security issue related to WordPress out to be the end of the world, the vast majority of the time, the problem has nothing to do with the CMS itself. In fact, it often doesn’t have a whole lot to do with plugins or themes, either. What it does have to do with is you – the user.
In the case of MailPoet and countless others, the vulnerability was only exposed to the public after it had been repaired in an update. Users’ failure to update their sites in a timely manner puts them at risk for all sorts of hacking-related problems. Yeah, it might take a few minutes of your time, but why take the risk when the fix is so simple?
What do you think about this whole MailPoet plugin thing? Where do you think the blame lies for all of these recent hacking incidents – other than the hackers, of course? We’d love to hear your thoughts below!
Image source: Sarah Deer