Does that mean we can’t trust WordPress plugins? I’d advocate an approach of trust, but verify — and of making sure you keep yourself apprised of the potential risk.
Earlier this month, Wordfence reported that zero-day vulnerabilities in three popular plugins were being exploited to inject SEO spam into WordPress pages. The Display Widgets plugin was sold to a developer who added a backdoor that was also used to inject SEO spam.
Anyone who had installed these plugins from the official repository would have had their site infected. Attacks of this sort are known as supply-chain attacks. Rather than trying to compromise hundreds of thousands of sites, the attackers focus on software they know is installed on those sites. It’s easier to buy a plugin or compromise a download server than it is to attack the sites directly.
It’s worth emphasizing that this is a rare occurrence. Although a cluster of malicious plugins has been discovered in the last few weeks, it’s a problem that only affects a handful of the tens of thousands of free plugins available to WordPress users.
The WordPress Plugin Repository team has a challenging set of responsibilities: there are over 50,000 free WordPress plugins and it is next to impossible to monitor every one for malicious code. In spite of those obstacles, they do a fantastic job. Malicious plugins are quickly removed from the repository when vulnerabilities are discovered. Given the popularity of WordPress, it’s a testament to the team that this doesn’t happen more often.
But that’s not especially comforting to site owners whose WordPress sites start spewing spam. The sad truth is that any popular project will be targeted by criminals. There is always a risk and anyone running a website has to be aware of that risk.
What can site owners do to keep their sites safe? Regular updating is still the best protection against security risks. Without updates, nothing gets fixed. Beyond that, keep an eye on WordPress blogs that report on plugin security vulnerabilities. Among the best are:
Additionally, a Web Application Firewall (WAF) like those provided by the Wordfence Security plugin and the Sucuri Security plugin can mitigate the risk even when a vulnerable plugin is installed.
The WordPress team is discussing solutions that integrate security warnings into the WordPress dashboard. There is currently no way to inform site owners when a plugin is removed from the repository for security reasons. Until that initiative yields a useful solution, WordPress site owners might want to take a look at Plugin Security Scanner, a plugin that scans for vulnerable plugins and emails the site owner.
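The two gaps the post describes, plugins that fall behind on updates and plugins that are silently removed from the repository, can be checked from the command line without waiting for a dashboard warning. The script below is an added example written for this page; it is not code from the post, from Wordfence, or from the Plugin Security Scanner plugin. It assumes that the installed-plugin list is the JSON that WP-CLI prints with `wp plugin list --format=json`, that the WordPress.org plugin information API at `https://api.wordpress.org/plugins/info/1.2/` answers a `plugin_information` request with a JSON object carrying a `version` key, and (an assumption) that a closed or removed plugin is answered with an object carrying an `error` key instead. The sample plugin list and the offline stand-in for the API are constructed for the example.

```python
"""
Audit a WordPress site's installed plugins against the WordPress.org plugin
information API and flag plugins that are missing from the repository or
behind the repository's current version.

Hypothetical helper, not part of any plugin named in the post. Assumptions:
  - the installed list is the JSON from `wp plugin list --format=json`
    (fields used: "name" = plugin slug, "version" = installed version);
  - a closed/removed plugin makes the info API return an object with an
    "error" key and no "version" key (assumption, not verified here).
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

PLUGIN_INFO_API = "https://api.wordpress.org/plugins/info/1.2/"


def fetch_repo_info(slug: str) -> dict:
    """Query the live WordPress.org API for one plugin slug (needs network)."""
    query = urllib.parse.urlencode(
        {"action": "plugin_information", "request[slug]": slug}
    )
    with urllib.request.urlopen(f"{PLUGIN_INFO_API}?{query}", timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


def version_key(version: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as text."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def audit_plugins(
    installed_json: str, lookup: Callable[[str], dict] = fetch_repo_info
) -> List[Dict[str, str]]:
    """Return one finding per plugin that is not in the repository, outdated,
    or could not be checked. An empty list means nothing was flagged."""
    findings: List[Dict[str, str]] = []
    for plugin in json.loads(installed_json):
        slug, installed = plugin["name"], plugin["version"]
        try:
            info = lookup(slug)
        except Exception as exc:  # a failed lookup is itself worth reporting
            findings.append({"plugin": slug, "status": "lookup-failed", "detail": str(exc)})
            continue
        if "error" in info or "version" not in info:
            # Removed/closed plugins get no version back: the case the post says
            # site owners currently receive no notification about.
            findings.append({"plugin": slug, "status": "not-in-repository",
                             "detail": str(info.get("error", "no version returned"))})
        elif version_key(installed) < version_key(info["version"]):
            findings.append({"plugin": slug, "status": "outdated",
                             "detail": f"installed {installed}, repository {info['version']}"})
    return findings


# Constructed sample of `wp plugin list --format=json` output (not a real site).
SAMPLE_INSTALLED = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.0.0"},
    {"name": "example-closed-plugin", "status": "active", "update": "none", "version": "1.2.3"},
    {"name": "example-stale-plugin", "status": "inactive", "update": "available", "version": "2.0"},
])

# Constructed stand-in for the API so the check runs offline; the error text
# is an assumed example, not a recorded API response.
FAKE_REPO = {
    "akismet": {"version": "4.0.0"},
    "example-stale-plugin": {"version": "2.1"},
}


def fake_lookup(slug: str) -> dict:
    return FAKE_REPO.get(slug, {"error": "Plugin not found."})


if __name__ == "__main__":
    # Against a real site: replace SAMPLE_INSTALLED with the output of
    # `wp plugin list --format=json` and drop the fake_lookup argument.
    for finding in audit_plugins(SAMPLE_INSTALLED, fake_lookup):
        print(f"{finding['status']:18} {finding['plugin']}: {finding['detail']}")
```

Run it from cron and mail the output, and you have the "scan and email the site owner" behaviour the post describes, with the removed-from-repository case covered as well. The `lookup` parameter exists so the logic can be exercised offline; the live API call is the default.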