WordPress Plugin Updates – A Security Hole
So you’ve chosen a host that takes security seriously, you have automatic WordPress updates installed, you’re running on PHP 7, you have .htaccess protection, you’ve secured your folder permissions, you’ve disabled the admin user and a whole host of other things to secure your website. But when you login to your WP dashboard you see 10 outstanding WordPress plugin updates. This is a huge security hole. You simply must auto update WordPress plugins!
Outdated plugins are the major source of WordPress hacks and exploits. According to WPScan Vulnerability Database there are over 1500 vulnerabilities in WordPress plugins. In fact Plugin vulnerabilities account for over have the listed vulnerabilities compared to 34% attributed to WordPress core and 14% of the listed vulnerabilities come from WordPress themes.
If you use a well-maintained plugin it is likely the developer is continually patching their plugin code. But if you wait 2 weeks to update plugins you are at risk from being compromised. As server administrators we see hacks from plugins all the time.
Auto Update WordPress Plugins – with a plugin….
If you haven’t logged into your WordPress dashboard for a while you are sure to see a whole bunch of plugins that require updates. Let’s face it, if you have a lot of plugins this update maintenance quickly becomes a chore. It is also completely unnecessary because the ability to auto update WordPress plugins (and themes) is built into WordPress core (since WordPress 3.7). It requires a code edit which is why it is not universally used. You can just add this code to your theme’s functions.php:
add_filter( 'auto_update_plugin', '__return_true' );
The average user is not going to bother with that though. However, there are a number of plugins that will auto update WordPress plugins for you. And with my favorite plugin you can even select which plugins to auto update (or rather you just disable the auto updates for selected plugins). It is called Automatic Plugin Updates and appears to be well-maintained. Once installed and activated navigate to Settings > Automatic Plugin Updates and disable updates for any plugins you don’t wish to automatically update.
At the bottom of the Settings page you can also enable/disable email notifications for when updates have occurred.
But wait, you are not done yet.
You are now safe from any exploits found in the code of a well-maintained plugin. What about those plugins you installed 3 years ago and were then abandoned? If the code in those plugins become vulnerable no-one is coming to the rescue. You might not even know a plugin has been abandoned until you get hacked.
I mentioned WPScan Vulnerability Database earlier. This website tracks the majority of vulnerabilities and exploits found in WordPress core, plugins and themes. They also provide an API and there a number of plugins you can install that use this API and scan your plugins as well as core itself and installed themes. The one I use is Plugin Security Scanner and is well-maintained.
This is a simple but powerful plugin. It scans your WordPress once a day and emails you if it detects any vulnerabilities listed in WPScan. It scans WordPress core, themes and plugins. Now you are protected against hacks from old plugins.
If you take WordPress security seriously hope you’ll consider adding these tools to your WordPress security arsenal.