STUDY: Top WordPress Plugins Vulnerable to Attack
If you've had the opportunity to read any of our articles discussing Open Source vs. Enterprise content management, it's pretty clear which side we're on. One of the main reasons we advise non-web designers and developers not to choose Open Source technology is that it is susceptible to security vulnerabilities, and fixes for them often take time to arrive.
A new study from security vendor Checkmarx supports these claims with the finding that "roughly 20 percent of the 50 most popular plug-ins for the WordPress platform are vulnerable to common Web attacks." This means that nearly 8 million downloads of plug-ins are vulnerable to issues such as SQL injection, cross-site scripting, cross-site request forgery, and path traversal. Additionally, the report concluded that seven out of the top 10 most popular e-commerce plug-ins for WordPress are vulnerable to attacks as well.
Why is this such a problem?
Too many people assume that because a vulnerability has been found, it will be fixed. Due to the nature of Open Source technology, developers are not required to maintain the plug-ins or applications that they've developed, and if they do provide updates, there's no set schedule. It's very possible that the creator of your favorite WordPress tool has to study for midterms or work another job during the day. This is also evidenced in the study.
Checkmarx conducted two scans, six months apart. The first scan occurred in January 2013, and it revealed that 18 of the top 50 most popular plug-ins had vulnerabilities. A second scan conducted in June 2013 showed the number had been cut to 12. In half a year, only 6 (or 1/3) of the known issues had been resolved.
Another consideration is that even when an updated version of a plug-in or application has been released, it's still up to you to upgrade to the latest version. While that may not sound like much, it's something that may prove rather difficult for the average person, and some developers and designers treat it as a billable service.
How can you protect your site?
The obvious answer is to switch to a CMS or web service provider that will maintain your website (using a proprietary system) and proactively provide upgrades or fixes to your code. However, if you're married to WordPress, Checkmarx advises website administrators to "only download plug-ins from reputable source - in this case, WordPress.org." Additionally, the security of plug-ins should always be assessed by scanning them for security issues, and old or unused plug-ins should be removed.
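As an added example (not part of the original post or of the Checkmarx study), the following Python script turns the two actionable pieces of advice above into a routine check: it reads the plugin inventory that WP-CLI prints with `wp plugin list --format=json` and flags unused plug-ins for removal and out-of-date ones for upgrade. The sample inventory is constructed, and the JSON field names (`name`, `status`, `update`, `version`) are assumed to match WP-CLI's output.

```python
import json
from typing import Dict, List

# Constructed sample of what `wp plugin list --format=json` returns.
# Field names are assumed from WP-CLI's plugin list output.
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "akismet",     "status": "active",   "update": "none",      "version": "2.5.9"},
    {"name": "hello",       "status": "inactive", "update": "none",      "version": "1.6"},
    {"name": "shop-cart",   "status": "active",   "update": "available", "version": "1.0.2"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "0.9"},
])


def audit_plugins(wp_cli_json: str) -> List[Dict[str, str]]:
    """Return one finding per plug-in that needs attention.

    Rules follow the advice in the post: unused (inactive) plug-ins should
    be removed, and plug-ins with a pending update should be upgraded.
    An inactive plug-in is reported for removal even if an update exists,
    since removing it closes the issue outright.
    """
    findings: List[Dict[str, str]] = []
    for plugin in json.loads(wp_cli_json):
        name = plugin["name"]
        if plugin.get("status") == "inactive":
            findings.append({
                "plugin": name,
                "action": "remove",
                "reason": "inactive plug-in code stays on disk and is rarely updated",
            })
        elif plugin.get("update") == "available":
            findings.append({
                "plugin": name,
                "action": "update",
                "reason": f"installed version {plugin['version']} is behind the latest release",
            })
    return findings


if __name__ == "__main__":
    # Prints a short to-do list for the site administrator.
    for finding in audit_plugins(SAMPLE_WP_CLI_OUTPUT):
        print(f"{finding['action']:<7} {finding['plugin']:<12} {finding['reason']}")
```

Run it on a live site by piping the real WP-CLI output in place of the constructed sample; plug-ins that produce no finding still deserve the security scan the post recommends.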