The Register is reporting that a security problem in the popular InfiniteWP plugin may have exposed over 300,000 websites to being hacked. The issue, which has already been patched by the plugins maker, allows a nefarious hacker to gain admin access to a WordPress site using the plugin without an admin password.
Whilst the article reports the number of affected sites at around 300,000 the plugin maker’s website lists over 500,000 installations. Given that the vulnerability may have already been exploited on websites that are now patched, the footprint of this issue could easily exceed that number.
Not the first time, not the last time for WordPress
The enormous popularity of WordPress makes it, and its most popular plugins, are prime target for website hackers. A single vulnerability in either the core code or a popular plugin can be exploited on a huge number of websites, including websites based on WordPress being used for eCommerce or other applications. It’s a problem that all large system vendors face and is a serious problem for plugin developers and for individuals and businesses running WordPress.
What do you do right now if you’re running InfiniteWP?
If you’re running InfiniteWP, you need to patch your site immediately. You can do this through your WordPress control panel as the issue has already been resolved by the plugin makers.
Long term, issues like this are a reminder that website owners need to be increasingly proactive in maintaining site security.
What can you do long term? Five Tips for safer WordPress sites (that also work for most other CMS)
Patch Early, Patch Often
If you are running WordPress, regular updates to your core code and plugins are essential. Make sure you know how to do this or have a developer you are working with who you trust to do this in a timely fashion.
Beware of Branching
Sometimes a developer will take an existing plugin and alter its code – creating their own “branch”. To avoid their changes being overwritten by automatic updates to the original plugin, they install their version of the plugin under a different name. Sensible, except for the fact that their version no longer gets any bug fixes or security updates from the original.
Branching should not be taken lightly, but often developers do it as a short-cut without thinking about the long term implications.
Invest in Backups
Accept that problems happen and make sure you have a backup solution in place so that you can roll your website back to a simpler, happier time should the worst happen. A backup solution gives you a fall back position not only for the nightmare scenario of having your website is hacked and vandalised but also if your web host goes belly up without warning and you need to move to a new hosting environment.
Invest in Security and Penetration Testing
There are a wide range of services available online that will scan your website for vulnerabilities either as a one-off service or as an ongoing arrangement. If you are serious about the security of your website, this is no longer an “optional extra” – it’s something you should be doing.
Ask yourself – Does my website have to run on WordPress?
OK, so this one is more drastic but it needs to be said – there are a lot of websites running on WordPress for no good reason. Just like the barber who cuts everyone’s hair the same regardless of what they ask for, there are lots of developers who know and trust WordPress and use it for everything – even when it isn’t the best tool for the job.
The change doesn’t have to be as drastic as replacing your entire website – tools such as Gatsby allow developers to build faster, more robust websites that can still draw content from a WordPress backend but without exposing the system to the wider internet. Referred to as “headless WordPress” sites, these sites continue to use the WordPress CMS “back office” but deliver the front end of the website through a customised layer.
The importance of support arrangements
One last tip… If you’re working with a web developer or digital agency of any type, make sure you understand what the long term support arrangements are.
I’ve worked with a number of clients recently who have paid for a website project that has no ongoing support arrangement built into the contract (in more than one instance, there was no contract at all). Websites are projects without end – like your house or your car they require maintenance, servicing, and the occasional lick of paint and redecoration to stay at their best.