Website Plugin Updates - WordPress Management Services - Episode 94

WordPress Plugin Exploits – How Do We Detect Them?


    One of the beautiful things about WordPress is that you can add plugins to handle the specific tasks you want to do. Rather than bloating the core software for every possible scenario (shopping carts, galleries, auctions, team bios, event planning, etc.), WordPress is designed so that you get to pick and choose what you want, when you want it.

    The downside of this system, however, is that a different author creates every item you want to use, and over time, those authors may get bored of their plugin and no longer update it. In many situations, the plugin was FREE to use, and the authors just stop responding. Sometimes the community jumps on this and proclaims, “you get what you paid for,” and while we can somewhat agree, it’s never fun to have something just stop working overnight.

    Plugin exploits happen all the time; it’s just part of how software evolves. More often than not, though, it’s the website owner who failed to update the plugin to the latest version, which left the website vulnerable to begin with.

    This week, Conor and Kimberly dive into some recent plugin exploits, where to get information on potential exploits, and how you can mitigate things before they get too bad.

    Check out the video from a recent Facebook Live. Don’t forget to subscribe to the YouTube channel for more videos, and of course, check out our Facebook page so you can be alerted each week when we go live with another installment (currently Fridays at 1pm Central Time).

    Want to skip around the video?

    1:00 – If you’re looking to get into Facebook Live, videos, etc., there’s a lot of work, but it’s worth it!
    4:35 – We’re talking about plugins today, and specifically WordPress plugins. WordPress plays well with SEO which is why we use it so much
    5:50 – Test your plugins, but remove the ones that don’t work. They can slow your site, and make it vulnerable, even if not active
    7:35 – Generate your backups, and update your plugins. If you don’t upgrade, you leave things vulnerable
    8:20 – What are plugins? WordPress is the core software, each additional “feature” is usually considered a plugin. Shopping carts, galleries, etc
    9:23 – When a plugin is not active, that just means WordPress isn’t using it. But since the files still exist on the server, the site can potentially still be exploited through them
    10:20 – Pay attention to sliders and moving features. Each of those loads a jQuery file, and many times people load multiple sliding banners, which means the same jQuery file has to be loaded several times – each one leading to a slowdown on the site
    12:05 – Don’t be afraid to reach out to plugin developers to request features or ask questions about why something might slow down something else
    13:30 – There were 3 major exploits released
    – “Duplicator 1.3.28 and less is exploitable” – over 1 million installations
    – “EZ Property Listings”
    – “WP-Central” is a control panel to allow designers to access sites (WP-Central 1.5.1 and lower is exploitable)
    15:18 – We perform plugin management for clients. If you need routine updates or one-off, let us know
    16:00 – If you update plugins yourself, generate backups. Here are the plugin update steps we recommend – do them individually
    17:25 – WordPress and websites should be updated regularly. It’s just like changing the oil in a car. Do it on a regular basis.
    18:00 – Run your updates on a staging site when possible, or run updates in separate folders or accounts. It’s time-consuming, but it’s your best option!
    19:55 – How do you find out about plugin updates? We use a few sites
    – Wordfence monitors plugins along with a firewall etc. We strongly recommend it.
    – Sucuri – Website Security, Plugin Monitoring
    – WPvulndb – WordPress Vulnerability Database – They monitor potential exploits
    23:20 – Keep a Google Doc file of all plugins you installed and keep a list of when various versions were updated. It will help your designer later if there’s a hack
    25:40 – If your website does get hacked, do not go in and start deleting files or updating plugins. Reach out to us and we can assist.
    27:00 – To determine whether a plugin is worth installing or can be trusted, check the reviews on the WordPress plugin site and see how support requests are being answered. If there are no new support responses or there is a lack of updates, we’d normally recommend staying away from the plugin.
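
The version cut-offs listed at 13:30 and the plugin inventory suggested at 23:20 can be combined into a simple check. This is an added example, not part of the original post: it reads a constructed inventory in the CSV shape produced by `wp plugin list --fields=name,status,version --format=csv` and flags plugins at or below the versions named above, inactive ones included. The plugin slugs are assumptions.

```python
import csv
import io
import re

# Highest exploitable versions as stated in the episode notes.
# Slugs are assumed; "EZ Property Listings" is omitted because the
# notes give no version number for it.
EXPLOITABLE_UP_TO = {
    "duplicator": "1.3.28",
    "wp-central": "1.5.1",
}

# Constructed sample inventory (not taken from a real site).
SAMPLE_INVENTORY = """\
name,status,version
duplicator,inactive,1.3.26
wp-central,active,1.5.1
example-gallery,active,1.3.9
"""

def version_key(version):
    """Turn '1.3.28' into (1, 3, 28) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def is_at_or_below(installed, limit):
    """True if the installed version is less than or equal to the limit."""
    a, b = version_key(installed), version_key(limit)
    width = max(len(a), len(b))
    # Pad with zeros so '1.5' and '1.5.0' are treated as equal.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b

def find_exposed(inventory_csv):
    """Return (name, version, status) for every plugin still in range."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        limit = EXPLOITABLE_UP_TO.get(row["name"].strip().lower())
        # Status is reported but not filtered on: an inactive plugin's
        # files are still on the server.
        if limit and is_at_or_below(row["version"], limit):
            findings.append((row["name"], row["version"], row["status"]))
    return findings

if __name__ == "__main__":
    for name, version, status in find_exposed(SAMPLE_INVENTORY):
        print(f"{name} {version} ({status}): update or remove")
```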

    Join Us Each Week For A New Facebook Live

    Every week, Conor & Kimberly have a Facebook Live that is open to everyone. We usually have a topic pre-planned, but we’re always open to new discussions during the broadcast! 

    If you have a topic that you’d like us to cover, drop us a note and we’ll do our best to get it added to the schedule!
