Every day you are told to keep your WordPress site(s) up to date. But why? Is it really necessary to run the latest version, and what happens if you don't?
Why you need to update
Just like your computer, laptop or mobile phone, a WordPress site needs updates every now and then. Updates are released for a range of reasons, but for WordPress the main ones are bug fixes and, more importantly, security fixes. White hat researchers and security companies such as Sucuri actively examine WordPress core, plugins and themes for security issues. When they find one they contact the developers with details of the issue and ask them to fix the flaw. Ideally the details of the flaw are only published once the patch has been released. That is not always how it goes, though: it is not uncommon for a flaw to be published before a patch exists. If the developer does not patch the plugin, WordPress may close it, meaning it can no longer be downloaded from the plugin repository, but as explained below that brings its own set of problems.
Let's look at a recent security fix for a plugin to understand why you need to update. In the WPScan Vulnerability Database, a recently reported plugin vulnerability concerns the Ultimate Member plugin. The issue has been fixed and the details have now been published:
“The Ultimate member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them is a critical vulnerability allowing malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover.”
This means that if you have a WordPress site with the Ultimate Member plugin below version 2.0.46 installed, the site has a critical vulnerability and the details of how to attack it are public. Note that 2.0.45, the partial patch, is still listed as affected; only 2.0.46 is a complete fix.
The issue was found by Sucuri and reported to the developers, who released a patch. Any of our clients running this plugin would have received the update as part of the weekly update cycle. The timeline below shows how Sucuri ethically notified the developers and waited for them to release a patch before informing the world:
- 2019/05/07: Initial disclosure
- 2019/05/08: Partial patch released (2.0.45)
- 2019/05/10: Complete patch released (2.0.46)
- 2019/05/13: Details published.
It is not always possible for the developer to fix the issue: they may have stopped developing the plugin, or they may simply not be aware that there is an issue. When this happens WordPress may close the plugin to stop new downloads and installations. Closing a plugin does not remove it from sites that already have it installed, and it does not push any fix to them, so if the details of the security flaw get published the plugin should be removed from your site(s) as soon as possible. One such plugin is the yuzo-related-post plugin. Although it can no longer be downloaded from the repository, it still shows 60,000+ installs according to the WordPress repository, and attacks are already being reported.
How hackers use this information
Hackers follow the same security companies we do and get the same alerts, so they know what to look for and how to attack a site. For example, full details of the Ultimate Member vulnerability can be found on the web, so attackers simply modify their bots to check every site they scan for it. "My clients are small, no one is going to want to hack their website" is something we hear often. It does not matter how big or small the site is: attackers want control of it for their own purposes. The site could be used to send out spam email, take part in a DDoS attack, or host fake or malicious, malware-infested pages and posts.
How to protect your site
Carrying out regular updates is just one way of protecting your site; we recommend that your sites are checked and updated at least once a week. A backup does not stop an attack, but it is the most valuable thing you can have once one has happened: if a site is hacked before you have logged on and applied the update, the quickest and easiest way to get it back up and running is a restore from the most recent clean backup. Restore from a backup taken before the compromise and apply the update immediately afterwards, otherwise the restored site is still running the vulnerable version and will be hit again.
The most effective additional layer of protection is a cloud-based Web Application Firewall, or WAF. Our Advanced Plus Care Plan includes the Sucuri WAF as standard. The advantage of a WAF is virtual patching: when a vulnerability is found, the Sucuri team add a rule to the WAF that blocks attempts to exploit it, giving you extra time to apply the real fix to your site. Virtual patching does not change the vulnerable code on your server, so the update still has to be applied.
What you should do
You should ensure you have regular backups of your WordPress site, and you should update your plugins, themes and WordPress core on a regular basis. You should also regularly check your plugins and their developers to make sure there are no issues you need to be aware of, for example a plugin that has been closed in the repository or has stopped receiving updates.
Subscribe to the WPScan vulnerability alerts service at https://wpvulndb.com/subscribers/new and sign up for security updates from companies such as Sucuri.
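The check described above (compare what is installed against what the alerts say is vulnerable or closed) can be scripted. The following is an added example written for this post, not code from RocketWP, WPScan or Sucuri. It takes the JSON that `wp plugin list --format=json` prints (a constructed sample is embedded so it runs offline), compares it against a small hand-written advisory list built from the two cases discussed here (Ultimate Member fixed in 2.0.46, yuzo-related-post closed with no fix), and reports what needs updating or removing. The advisory format, the `ADVISORIES` table and the function names are this example's own; in real use the advisory data would come from your WPScan or Sucuri alerts.

```python
"""Check installed WordPress plugin versions against an advisory list.

Added example, not code from the original post or from WP-CLI/WPScan/Sucuri.
The advisory list format below is hypothetical; the two entries reflect the
cases described in the post (Ultimate Member complete fix in 2.0.46, the
yuzo-related-post plugin closed in the repository with no patch).
"""
import json

# Constructed sample in the shape of `wp plugin list --format=json` output.
# The inactive plugin is included deliberately: its files stay on disk, so it
# is still checked.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "ultimate-member", "status": "active", "update": "available", "version": "2.0.45"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.2"},
    {"name": "yuzo-related-post", "status": "inactive", "update": "none", "version": "5.12.94"},
])

# Hypothetical advisory table. fixed_in=None means no fixed version exists
# (plugin closed): every installed version is affected and it must be removed.
ADVISORIES = {
    "ultimate-member": {
        "fixed_in": "2.0.46",
        "note": "critical: wp-config.php read/delete (Sucuri, May 2019)",
    },
    "yuzo-related-post": {
        "fixed_in": None,
        "note": "closed in the plugin repository, no patch available",
    },
}


def parse_version(version):
    """Turn '2.0.45' into (2, 0, 45) so comparison is numeric, not lexical.

    Lexically '2.0.9' > '2.0.46', which would wrongly mark 2.0.9 as patched.
    A non-numeric suffix in a segment (e.g. '3-beta') is ignored after the
    numeric prefix; a segment with no digits counts as 0.
    """
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed, fixed_in):
    """True when the installed version is below the first fixed version.

    Tuples of unequal length compare as expected: (2, 0) < (2, 0, 46).
    """
    if fixed_in is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def check_plugins(wp_plugin_list_json, advisories=ADVISORIES):
    """Return {slug: action message} for every installed plugin matching an advisory.

    Active and inactive plugins are treated the same: deactivation does not
    remove the code from the server.
    """
    findings = {}
    for plugin in json.loads(wp_plugin_list_json):
        slug = plugin["name"]
        advisory = advisories.get(slug)
        if advisory is None:
            continue
        if advisory["fixed_in"] is None:
            findings[slug] = "REMOVE ({}): {}".format(plugin["status"], advisory["note"])
        elif is_vulnerable(plugin["version"], advisory["fixed_in"]):
            findings[slug] = "UPDATE to {} (installed {}): {}".format(
                advisory["fixed_in"], plugin["version"], advisory["note"])
    return findings


if __name__ == "__main__":
    # On a real site: wp plugin list --format=json | python3 check_plugins.py
    for slug, message in check_plugins(SAMPLE_WP_PLUGIN_LIST).items():
        print("{}: {}".format(slug, message))
```

Two details matter in practice: the version comparison must be numeric (a string comparison would treat 2.0.9 as newer than 2.0.46 and miss a vulnerable install), and a closed plugin is flagged whatever version is installed, because no version of it will ever receive a fix.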
Alternatively sign up for a RocketWP Care Plan today and let us worry about the security of your site(s).
More information
You can find more information about the Ultimate Member plugin vulnerability, including all the technical details, on Sucuri's blog: https://blog.sucuri.net/2019/05/multiple-vulnerabilities-in-the-wordpress-ultimate-member-plugin.html. Sucuri's post on attacks on closed plugins is at https://blog.sucuri.net/2019/04/attacks-on-closed-wordpress-plugins.html.