WordPress plugins, and more precisely their security, are one of the most common causes of website hacks. There are more than 55,000 plugins available in the WordPress.org plugin directory, and more are available on CodeCanyon, similar plugin directories and numerous plugin vendor sites. Checking every line of code of each plugin is impossible, and no one knows how many of them are vulnerable. Vulnerable plugins are periodically identified by the WordPress community or by WordPress security companies.
In most cases these vulnerabilities are fixed as soon as possible. But sometimes the WordPress Security Team closes a vulnerable plugin if the author provides no update within a specified period or the plugin poses a high threat. And here we have a huge problem. By closing a vulnerable plugin, the WordPress Security Team protects all users from downloading unsafe software, but what about those who already have the plugin installed on their websites?
Closed WordPress plugins by Multidots
I will write a separate post about this case, but for now I want to use it as an example. Recently the WordPress security company ThreatPress found ten vulnerable WordPress plugins designed to extend WooCommerce functionality. They notified Multidots Inc. about the security issues in their products. Later, since there had been no updates for several weeks, the ThreatPress research team informed the WordPress Security Team. All ten plugins were closed.
Well, at first sight it looks good: vulnerable products are no longer available for download. But on the other hand, these plugins have more than 19,000 active installs. That means several thousand websites were left running vulnerable software without any notification. Moreover, since all these plugins were designed to work alongside WooCommerce, all of them perform operations involving sensitive data such as personal data, credit card numbers and more.
Now imagine how much damage could be done by a hacker who knows how to break into at least 10,000 online stores powered by WooCommerce / WordPress.
Multidots are now actively updating their plugins to get them restored to the plugin repository. Still, they took too long with the updates, and thousands of websites were under real threat for a long time.
Problem of closed WordPress plugins
As I said before, the problem lies in managing the dangerous situations created by closed WordPress plugins. WordPress has a perfect system that notifies you about available updates for any plugin or theme hosted in the WordPress.org plugin or theme repository. It could even perform more sophisticated checks and inform you about available updates and their compatibility with the other products installed on your website.
However, WordPress still does not provide notifications about problems with plugins. There are no notifications about their status, and there are no “special” notifications for security-related fixes applied to plugins. Users are not notified about the threats, and that makes the whole situation worse. You can take any plugin that was recently updated with a security fix, search for sites using it with relevant Google Dorks, and you will find dozens of sites running the insecure version of that particular plugin. Since all update notifications look the same, users feel no urgency to update those vulnerable plugins as soon as possible.
The “funniest” thing is that a closed plugin will stay on your website showing as “up to date”. If you don’t check its status in the WordPress plugin repository, you will always think everything is OK with it.
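Because a closed plugin never appears in the WordPress update screen, the only way to notice it is to ask the WordPress.org plugin information API directly. The following script is an added example, not code from this post or from any vendor named in it; it assumes the public endpoint `https://api.wordpress.org/plugins/info/1.2/` and that a closed plugin answers with `"error": "closed"` and `"closed": true`, an unlisted slug answers with some other `"error"` string, and a live plugin reports its latest release in `"version"` (all assumptions about the reply format; the function names `classify` and `audit` are mine).

```python
"""Audit installed WordPress.org plugin slugs for closed or outdated status.

Assumptions: the public plugin information API at API_URL and the JSON shapes
handled in classify() (closed plugin -> "error": "closed", "closed": true;
unknown slug -> another "error" string; live plugin -> "version" = latest release).
"""
import json
import urllib.parse
import urllib.request

API_URL = "https://api.wordpress.org/plugins/info/1.2/"


def fetch_plugin_info(slug):
    """Query WordPress.org for one plugin slug and return the decoded JSON reply."""
    query = urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(f"{API_URL}?{query}", timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def classify(info, installed_version):
    """Map one API reply plus the installed version to a (status, detail) pair."""
    if info.get("error") == "closed" or info.get("closed"):
        # Closed plugin: WordPress itself keeps showing it as "up to date".
        return "closed", info.get("reason_text") or info.get("reason") or "closed"
    if "error" in info:
        # Not hosted on WordPress.org (premium/vendor plugin): no status is known.
        return "unknown", str(info["error"])
    latest = info.get("version")
    if latest and installed_version != latest:
        return "update-available", f"installed {installed_version}, latest {latest}"
    return "ok", latest or "no version reported"


def audit(installed, fetch=fetch_plugin_info):
    """installed: dict slug -> installed version. Returns dict slug -> (status, detail)."""
    return {slug: classify(fetch(slug), version) for slug, version in installed.items()}


if __name__ == "__main__":
    import sys
    # Usage: audit.py slug=version slug=version ... (slug and version as listed by `wp plugin list`)
    pairs = dict(arg.split("=", 1) for arg in sys.argv[1:])
    for slug, (status, detail) in sorted(audit(pairs).items()):
        print(f"{status:16} {slug}: {detail}")
```

Plugins flagged `closed` are the ones this post is about: they will never receive an update notice, so they need to be removed or replaced by hand.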
I hope we will soon see WordPress improvements in this area. It would be enough to inform WordPress users about critical security updates applied to the plugins their websites use and, of course, about plugins that were closed due to security issues. The first step in solving a problem is recognising there is one.