How to Secure Your Website Against Vulnerable Plugins

June 8, 2018 8:15 am

WordPress has recently deleted 10 highly insecure plugins from its plugin repository. These plugins were developed for the WooCommerce e-commerce platform and have already been uploaded to approximately 20,000 WordPress installations. While these plugins can no longer be downloaded from the repository, they are not automatically disabled and are most likely still running on all the aforementioned WordPress installations.


These plugins have security issues that make them vulnerable to hackers, such as stored cross-site scripting (XSS), SQL injection, and cross-site request forgery (CSRF). All ten were developed by the same vendor, Multidots Inc, for WooCommerce, which means that all the sites using them generate sales and handle highly personal data, credit card numbers, and other sensitive information. The affected plugins include WooCommerce Category Banner Management and WooCommerce checkout for digital goods.

Threatpress, a company that creates high-tech security products and services for WordPress websites, reported the 10 plugins after discovering that these vulnerabilities could be exploited by hackers to upload shells, crypto miners, key loggers, and other malicious software. The plugins can also be used to deface an entire website. WordPress immediately responded to the report and deleted the plugins to protect users against possible data leaks and cyber-attacks. However, there is currently no way to notify all affected users who are still running these plugins: WordPress only shows information about available plugin updates and does not flag closed plugins in the same way.

Securing Your WordPress Website

One of the first things you need to do to protect your WordPress website is to secure the way users log in to your site. For example, limit the number of login attempts to stop brute-force attacks; with such a limit in place, you will be informed immediately when someone tries to access your site without proper authorization. You also need to protect your password. Enable two-factor authentication for a higher level of security, since it is essentially like having two different sets of passwords for your site.
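To make the login-attempt limit concrete, here is a small must-use plugin for WordPress written as an added example for this article (it is not code from the article, from Threatpress or from WordPress itself). It relies only on core hooks and functions (`wp_login_failed`, `authenticate`, `wp_login`, transients, `WP_Error`); the threshold of five failures per 15 minutes, the `LAL_` prefix and the assumption that PHP sees the real client address in `REMOTE_ADDR` (no reverse proxy in front) are choices made for the example.

```php
<?php
/*
Plugin Name: Login Attempt Limiter (added example)
Description: Locks out a client IP after repeated failed logins and logs each failure.
*/

// Assumed policy: five failed logins within a 15-minute window lock the IP
// for the rest of that window. Both values are example choices.
define('LAL_MAX_ATTEMPTS', 5);
define('LAL_WINDOW_SECONDS', 15 * 60);

// Assumption: no reverse proxy, so REMOTE_ADDR is the real client address.
// Behind a proxy you would map the trusted proxy header here instead.
function lal_client_ip() {
    return isset($_SERVER['REMOTE_ADDR'])
        ? sanitize_text_field($_SERVER['REMOTE_ADDR'])
        : '0.0.0.0';
}

// Transient keys must be short, so hash the address.
function lal_transient_key($ip) {
    return 'lal_fail_' . md5($ip);
}

// Count each failed login per client IP; the transient expires with the window.
add_action('wp_login_failed', function ($username) {
    $ip    = lal_client_ip();
    $key   = lal_transient_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LAL_WINDOW_SECONDS);
    // Record the attempt so the site owner is informed, as the article recommends.
    error_log(sprintf('Failed login for "%s" from %s (%d in window)', $username, $ip, $count));
});

// Refuse authentication while the IP is locked out. Priority 30 runs after
// WordPress's own username/password check (priority 20), so the lockout holds
// even when the attacker finally guesses the right password.
add_filter('authenticate', function ($user, $username, $password) {
    $count = (int) get_transient(lal_transient_key(lal_client_ip()));
    if ($count >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lal_transient_key(lal_client_ip()));
}, 10, 2);
```

Drop the file into `wp-content/mu-plugins/` so it cannot be deactivated from the admin UI. Because a rejected attempt during a lockout also fires `wp_login_failed`, the window refreshes while the guessing continues, which is the intended behaviour; the `error_log` lines are what you would feed to whatever alerting you use.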

Second, make sure that you delete old plugins. If you are no longer using a plugin, do not leave it installed and hand potential hackers a backdoor into your site. Delete old plugins immediately to reduce the likelihood of future security issues. Furthermore, make sure that you update the plugins you keep. Remember that old plugins are not the only ones that present a potential security threat: even a brand new one can become a security problem if it is not regularly updated. Plugin developers often release updates to strengthen a plugin's security and address vulnerabilities.
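The two housekeeping rules above (remove what you do not use, update what you keep) can be turned into an admin-dashboard reminder. The following must-use plugin is an added example, not code from the article or from WordPress; it uses only core functions (`get_plugins()`, `is_plugin_active()`, the `update_plugins` site transient, `admin_notices`), and the `phn_` prefix and the notice wording are example choices.

```php
<?php
/*
Plugin Name: Plugin Hygiene Notice (added example)
Description: Warns administrators about inactive plugins and plugins with pending updates.
*/

// Builds ['inactive' => [...], 'outdated' => [...]], keyed by plugin file
// such as "some-plugin/some-plugin.php".
function phn_plugin_report() {
    // get_plugins() and is_plugin_active() live in an admin include file.
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $installed = get_plugins();                        // every plugin on disk, active or not
    $updates   = get_site_transient('update_plugins'); // update data WordPress has already fetched
    $report    = ['inactive' => [], 'outdated' => []];

    foreach ($installed as $file => $data) {
        // An inactive plugin is still code on the server and still a target.
        if (!is_plugin_active($file)) {
            $report['inactive'][$file] = $data['Name'];
        }
        // The response list holds one entry per plugin with a newer version available.
        if (!empty($updates->response[$file])) {
            $report['outdated'][$file] = sprintf(
                '%s %s -> %s',
                $data['Name'],
                $data['Version'],
                $updates->response[$file]->new_version
            );
        }
    }
    return $report;
}

// Show the findings to users who are allowed to act on them.
add_action('admin_notices', function () {
    if (!current_user_can('delete_plugins')) {
        return;
    }
    $report = phn_plugin_report();
    if ($report['inactive']) {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html('Inactive plugins still installed (delete them if unused): ' . implode(', ', $report['inactive']))
        );
    }
    if ($report['outdated']) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html('Plugins with pending updates: ' . implode(', ', $report['outdated']))
        );
    }
});
```

One caveat follows directly from the article: the `update_plugins` transient only knows about plugins that still have a newer version in the repository. A plugin that has been closed, like the ten described above, shows no pending update and therefore never appears in the "outdated" list, so the inactive list and a periodic manual review of what is installed remain necessary.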

Finally, premium plugins are often worth the money you spend on them. When you try to save money by choosing only free plugins, especially on an e-commerce site, you may end up spending more in the long run. As with any feature, if a plugin seems too good to be true, it is probably not worth your time and money. In many cases, free and pirated versions of premium plugins contain malicious software that can damage your website.