Website security plugins exploited
We don’t believe in them, but that’s our opinion. You’re free to have your own opinion.
The purpose of this post is to drive home 3 main points:
- There is no “set it and forget it” website security strategy
- There is no substitute for updating – daily
- Sometimes the function of website security is also the point of entry
During the month of September 2014, three main WordPress security plugins had some major vulnerabilities.
First (I believe) was WordFence. This plugin provides many security features for a WordPress site:
- Two-factor authentication
- File Integrity Monitoring
- Blocks ranges of IP addresses
- Scans for over 44,000 different forms of malware
- and many other features
As of September 29, 2014, according to the WordPress Plugin repository, there were 3,223,158 downloads. This plugin receives some very high ratings as well.
In early September it was disclosed that this plugin suffered from some vulnerabilities.
Next, came the vulnerabilities of the All In One WP Security & Firewall plugin. This plugin:
- Helps you change the admin username
- Protects against brute-force attacks
- Blocks ranges of IP addresses
- Adds CAPTCHA to login forms
- Automates backups
- and other features
As of October 11, 2014 this plugin shows 475,663 downloads and again is very highly rated.
September of 2014 closed out with vulnerabilities in the BulletProof Security plugin. Some of the features of this plugin are:
- htaccess Website Security Protection (Firewalls)
- Login Security & Monitoring
- Security Logging
- HTTP Error Logging
- and other features
As of October 7, 2014 this plugin has been downloaded 1,290,979 times.
For all three, that’s potentially almost 5 million vulnerable websites. It’s actually less than that because quite often we remove malware from WordPress sites with all three plugins installed. I’m sure they’re not all properly configured, but they are installed.
You see, quite often people are looking for “plug and play” security. We know it doesn’t quite work that way. It sounds cliché, but security is a journey, not a destination. You don’t someday do this and this and that and then you’re secure – forever.
If there were a website security strategy that was “set it and forget it”, then there wouldn’t be any need for our industry (website security). Someone would have published a YouTube video or a downloadable PDF report detailing the steps involved in this apply-once-and-never-worry-again strategy.
Instead, website security is more like, “lather, rinse, repeat”, only the lather is applying new layers of shampoo. In this case, updating WordPress and your plugins is the shampoo. It must be done consistently. I’m sure you don’t wash your hair once and then you’re good for life, right?
Website security strategy is the same way. What’s safe today, could be vulnerable tomorrow. You can’t rest on what you’ve done today.
While you’re scouring the Internet or the WordPress Plugin repository for that “one” magic plugin that will end all your website security worries, just remember, it too has to be updated. There is no substitute for good, sound security principles.
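One way to make the daily update check routine rather than a good intention is to script it. The following is an added example, not code from the original post or from any of the plugins it names: it wraps the WP-CLI command `wp plugin list --format=json` (WP-CLI is an assumption; the post does not mention it), reports every installed plugin with a pending update, and flags when one of the security plugins is itself the thing that is behind. The plugin slugs, the version numbers and the sample JSON are constructed for the example.

```python
"""Report WordPress plugins with pending updates, including security plugins themselves.

Added example. Assumes WP-CLI is installed and that `wp plugin list --format=json`
returns objects with the fields name, status, update, version and update_version.
"""
import json
import subprocess
import sys

# Assumed WP-CLI invocation. It is only run when fetch_plugin_list() is called,
# so the reporting functions below work offline on saved or sample output.
def fetch_plugin_list(site_path):
    """Return the JSON text of `wp plugin list` for the WordPress install at site_path."""
    result = subprocess.run(
        ["wp", "plugin", "list", "--format=json", "--path=" + site_path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout

# Constructed sample in the shape WP-CLI emits; versions are placeholders, not real releases.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "wordfence", "status": "active", "update": "available",
     "version": "1.0.0", "update_version": "1.0.1"},
    {"name": "all-in-one-wp-security-and-firewall", "status": "active",
     "update": "none", "version": "1.0.0", "update_version": ""},
    {"name": "bulletproof-security", "status": "inactive", "update": "available",
     "version": "1.0.0", "update_version": "1.0.1"},
    {"name": "hello-dolly", "status": "inactive", "update": "none",
     "version": "1.0.0", "update_version": ""},
])

# Slugs assumed for the three plugins the post names (the post itself gives no slugs).
SECURITY_PLUGINS = {
    "wordfence",
    "all-in-one-wp-security-and-firewall",
    "bulletproof-security",
}

def pending_updates(plugin_list_json):
    """Return every installed plugin with an update available, active or not.

    Inactive plugins are included on purpose: their files stay on disk, so an
    outdated version is still worth updating or removing.
    """
    plugins = json.loads(plugin_list_json)
    return [
        {"name": p["name"], "status": p["status"],
         "installed": p["version"], "available": p["update_version"]}
        for p in plugins if p.get("update") == "available"
    ]

def stale_security_plugins(plugin_list_json, security_plugins=SECURITY_PLUGINS):
    """Sorted names of security plugins that are themselves behind (the post's third point)."""
    return sorted(p["name"] for p in pending_updates(plugin_list_json)
                  if p["name"] in security_plugins)

def format_report(plugin_list_json):
    """Human-readable lines suitable for a daily cron e-mail; empty list means nothing pending."""
    lines = []
    for p in pending_updates(plugin_list_json):
        tag = " [security plugin]" if p["name"] in SECURITY_PLUGINS else ""
        lines.append(f"{p['name']} ({p['status']}): {p['installed']} -> {p['available']}{tag}")
    return lines

if __name__ == "__main__":
    # With a site path argument the live WP-CLI output is used; otherwise the sample.
    data = fetch_plugin_list(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PLUGIN_LIST
    for line in format_report(data) or ["all plugins up to date"]:
        print(line)
```

Run it from cron once a day with the site path as the argument and mail the output; a non-empty report is the reminder that the update has not been applied yet. Applying the update (for example with `wp plugin update --all`) is deliberately left as a separate, reviewed step so a broken release can still be held back.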
This isn’t the website security blame game
You’ll notice I didn’t elaborate on the specific vulnerabilities of these plugins. That doesn’t really matter. What matters is that each of these had updates very soon after learning of the vulnerabilities. They did what they’re responsible for.
Or as some of our customers say, “they did the needful”. After that, it’s your responsibility to apply their updates.
I’ve said it before, hackers only need one way in. You need to keep every potential point of entry secured. Your website security is only as strong as your weakest link. Don’t forget that.
If you have any opinions about this post, please post a comment. If you feel this is something to be shared, please do.