WordPress vulnerabilities and the importance of keeping your site updated

WordPress is expected to release an update on the 18th of August. Why is that important to you?

The newest update is said to focus mainly on stronger password protection, a more powerful admin UI, and a better experience for mobile users. It also addresses the latest vulnerabilities discovered in the platform, and makes it harder for users to harm or misuse your site, whether on purpose or by accident.

There are quite a few very popular WordPress plugins that have recently been found to make the systems on which they are installed vulnerable – or potentially vulnerable – to hackers, malware and all the evil that lurks out there on the net. Most of these vulnerabilities are pretty minor, and most are, in practice, non-issues, but a few are serious security flaws which need to be fixed.

The good news is that the next update will eliminate quite a few of these problems, but what should you know about the threats until 18 August?

So, what is currently vulnerable?

There are quite a few vulnerabilities, but you can check whether any of the plugins you have installed are affected with, wait for it… another plug-in. This is only one of many security plugins available, and not one I specifically endorse.

Just to give you an example, there is a known vulnerability in a popular plug-in called Twenty Fifteen. The problem is in one component of the plug-in called Genericons. I use this example because WordPress currently installs Twenty Fifteen by default, so many of you actually have this plug-in, and with it this vulnerability.

Genericons contains a cross-site scripting (XSS) flaw which can be used as an avenue to deliver malicious code directly to a user’s browser, bypassing the firewall at the server. Of course, the user would still have to click on a link that was set up with the intention of exploiting this vulnerability. But none of you have ever clicked a dodgy link just to see what would happen, have you?
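To make the XSS idea concrete, here is an added example (not code from the original post, and not the Genericons code itself) of the pattern behind most reflected XSS bugs: a page script builds HTML from something taken from the URL, so a crafted link ends up as live markup in the visitor's browser. The `renderGreeting*` functions, the `escapeHtml` helper and the sample inputs are all assumptions constructed for this illustration; the hardened version escapes the input so the browser treats it as plain text.

```javascript
// Added example, not from the original post or from the Genericons package.
// Assumption: a page script greets the visitor using a name taken from the
// URL query string (e.g. ?name=Alice) and writes it into the page.

// Minimal HTML escaping of the five characters that matter inside text
// and attribute values.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE: untrusted input is concatenated straight into markup.
// In a browser this string would be assigned to element.innerHTML, so any
// tag in the input becomes part of the live DOM, scripts included.
function renderGreetingUnsafe(name) {
  return '<p>Hello, ' + name + '!</p>';
}

// HARDENED: the same rendering, but the input is escaped first, so the
// browser shows the characters literally instead of parsing them as tags.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '!</p>';
}

// Simple detection check for the demo: after removing the one <p> wrapper we
// wrote ourselves, is there any other tag left in the rendered HTML?
function containsForeignTag(html) {
  const inner = html.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample inputs: a benign name and a textbook XSS probe string.
const benignName = 'Alice';
const probe = '<script>alert(document.cookie)</script>';

console.log('unsafe :', renderGreetingUnsafe(probe));
console.log('safe   :', renderGreetingSafe(probe));
console.log('foreign tag in unsafe output?', containsForeignTag(renderGreetingUnsafe(probe)));
console.log('foreign tag in safe output?  ', containsForeignTag(renderGreetingSafe(probe)));
```

The same rule applies on the server side: WordPress ships `esc_html()` and `esc_attr()` for exactly this purpose, and any plug-in or theme that echoes request data without passing it through them is a candidate for the kind of flaw described above.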

How authentication affects vulnerability

A few types of attack can be made by an unauthenticated user – someone who is not logged in and is almost certainly accessing your server remotely. These are often the really bad ‘hacks’ where your business or personal data can be stolen, and your site itself can be infected by software that will hijack it to distribute malware or spam. Vulnerabilities that make it possible for an unauthenticated user to harm your site are really big deals, and are generally the highest priority to be fixed when it comes to releasing an update.

If a vulnerability only makes an attack possible for an authenticated user, there is generally less cause for alarm. Still, many websites have a great many authenticated low-level users, and not all of them practise good data security. A user with a stolen password could still cause a lot of trouble. These issues are seen as less of a priority than unauthenticated attacks, but they still get fixed in good order.

Last, there are vulnerabilities that can only be abused by high-level users, like site owners, administrators, blog editors, etc. These are often seen as less of a security priority because these users are already trusted to make big, important changes to the site, and to access much of its data. To use an analogy, your night security guard has a ring of keys that can open every door in the building so he can make his rounds. You discover that, by accident, one of his keys also opens the cabinet that holds the printer paper. Is it a security flaw? Yes. Is it something that needs to be fixed? Maybe. If there is time. It’s not a big deal for most people.

But what can I do?

Most of the time, it will be enough to make sure your website is using the latest version of WordPress, and the most up-to-date versions of all of your plugins. If you have a WordPress maintenance package, this will be done automatically. If not, you’d best do it manually or sign up.

Timothy Oxendale
I’m a freelance web designer & developer and I work with great individuals, small-to-medium sized businesses and start-ups. I aim to have a great relationship with all my clients where I can add value to their business by being dependable, honest and by doing the type of work that makes a difference.
