Website Plugin Updates - WordPress Management Services - Episode 94
Estimated Reading Time: 5 minutes

WordPress Plugin Exploits – How Do We Detect Them?

One of the beautiful things about WordPress is that you can add in plugins to handle specific tasks that you want to do. Rather than the core software being bloated for every possible scenario; shopping carts, galleries, auctions, team bio, event planning, etc., WordPress is designed so that you get to pick and choose what you want, when you want it.

The downfall of this system however is that a different author creates every item you want to use, and over time, those authors may get bored of their plugin and no longer update it. In many situations, the plugin was FREE to use, and the authors just stop responding. Sometimes the community jumps on this and proclaims, “you get what you paid for,” and while we can somewhat agree, it’s never fun to have something just no longer work overnight.

Plugin exploits happen all the time, it’s just part of how software evolves, but more often than not, it’s the website owners that failed to update the plugin to the latest branch that left their website vulnerable to begin with.

This week, Conor and Kimberly dive into some recent plugin exploits, where to get information on potential exploits, and how you can mitigate things before it gets too bad.

Check out the video from a recent Facebook Live. Don’t forget to subscribe to the YouTube channel for more videos, and of course, check out our Facebook page so you can be alerted each week when we go live with another installment (currently Fridays at 1pm Central Time)

Want to skip around the video?

1:00 – if you’re looking to get into Facebook Live and videos etc, there’s a lot of work, but it’s worth it!
4:35 – We’re talking about plugins today, and specifically WordPress plugins. WordPress plays well with SEO which is why we use it so much
5:50 – Test your plugins, but remove the ones that don’t work. They can slow your site, and make it vulnerable, even if not active
7:35 – Generate your backups, and update your plugins. If you don’t upgrade, you leave things vulnerable
8:20 – What are plugins? WordPress is the core software, each additional “feature” is usually considered a plugin. Shopping carts, galleries, etc
9:23 – When a plugin is not active, that just means WordPress isn’t using it. But since the files exist on the server, you can potentially exploit the site
10:20 – Pay attention to sliders and moving features. Each of those load a jQuery file, and many times people load multiple sliding banners and that means the same jQuery file has to be loaded several times – each one leading to a slowdown on the site
12:05 – don’t be afraid to reach out to plugin developers to request features or ask questions about why something might slow down something else
13:30 – There were 3 major exploits released
– “Duplicator 1.3.28 and less is exploitable” – over 1 million installations
– “EZ Property Listings”
– “WP-Central” is a control panel to allow designers to access sites (WP-Central 1.5.1 and lower is exploitable)
15:18 – We perform plugin management for clients. If you need routine updates or one-off, let us know
16:00 – if you update plugins yourself, generate backups. Here are the plugin update steps we recommend – do them individually
17:25 – WordPress and websites should be updated regularly. It’s just like changing the oil in a car. Do it on a regular basis.
18:00 – Run your updates on a staging site when possible, or run updates in separate folders or accounts. It’s time-consuming, but it’s your best option!
19:55 – How do you find out about plugin updates? We use a few sites
– Wordfence monitors plugins along with a firewall etc. We strongly recommend it.
– Sucuri – Website Security, Plugin Monitoring
– WPvulndb – WordPress Vulnerability Database – They monitor potential exploits
23:20 – Keep a Google Doc file of all plugins you installed and keep a list of when various versions were updated. It will help your designer later if there’s a hack
25:40 – if your website does get hacked, do not go in and start deleting files or updating plugins. Reach out to us and we can assist.
27:00 – To determine if a plugin is worth installing or if it can be trusted, check the reviews at WordPress Plugin’s site, see how the support is being answered. If there’s no new support responses or lack of updates, we’d normally recommend staying away from the plugin.

Join Us Each Week For A New Facebook Live

Every week, Conor & Kimberly have a Facebook Live that is open to everyone. We usually have a topic pre-planned, but we’re always open to new discussions during the broadcast! 

If you have a topic that you’d like us to cover, drop us a note and we’ll do our best to get it added to the schedule!

Share this post

Share on facebook
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email
Check Out These Other Articles

What Goes Into a Successful Business Website Design?

If you need a website for your Omaha business, it’s important to understand that doing this project right requires a lot of work. Although that may sound intimidating, it doesn’t have to be. As long as you choose the right Omaha web design company to work with, you can get the results you want without feeling stressed throughout the process. At Big Red SEO, we specialize in creating websites for local businesses in Omaha and the rest of the US. Thanks to our experience and understanding of what local businesses need, we’re able to create websites that drive real results

Read More »

WordPress Requires PHP 7 By Default

For the past year, WordPress has been pushing users and plugin developers to move to PHP7, and it looks like 2017 will be the year they pretty much require it! While they haven’t pushed things into a full requirement, they are leaning pretty heavy on it.  Over the next few weeks, you’ll start to see notices in your WordPress Admin Dashboard recommending you to upgrade to the newer version. If your web host doesn’t support it, you could find yourself in a world of hurt in a future WordPress release.

Read More »