Get Email Alerts for Security Vulnerabilities in Your WordPress Plugins

WordPress users have been subject to a rash of plugin vulnerabilities over the past couple of months. Some of these vulnerabilities have been so widespread that the FBI recently warned users of attacks designed to exploit WordPress sites.

Not long after WordPress published its Security White Paper, an outbreak of issues popped up, starting with a blind SQL injection vulnerability in WordPress SEO by Yoast, followed by a security release from the Pods Framework, and a few other plugins containing similar issues.

WordPress.org has not yet created a way to publicly identify the plugins for which its security team is pushing out automatic updates. The process involves coordination with the plugin developer and the core developers who have been allocated to verify and test the vulnerabilities.

Once their automatic update process for mitigating serious vulnerabilities is ironed out, it would be helpful to have a section of WordPress.org dedicated to transparency about which plugins have received these forced automatic updates.

In the meantime, WordPress users need to remain vigilant about staying current with updates. Plugin Vulnerabilities is a plugin that helps users stay on top of security releases. Once installed on your site, it can automatically detect known security vulnerabilities in any of your installed plugins. It alerts you in the admin area, and you can also turn on email alerts for notification in your inbox.


The plugin was created by White Fir Design, a Colorado-based company that specializes in WordPress security and fixing hacked websites. The company also offers a security bug bounty program for WordPress and plugins.

White Fir Design regularly updates the plugin with alerts for new vulnerabilities. The description page gives an overview of the vulnerability stats, as of April 6, 2015:

The top vulnerability types since the creation of the plugin include:

  • Cross-site request forgery (CSRF)/cross-site scripting (XSS): 52 vulnerabilities
  • Reflected cross-site scripting (XSS): 45 vulnerabilities
  • Arbitrary file upload: 45 vulnerabilities
  • Arbitrary file viewing: 23 vulnerabilities
  • SQL injection: 16 vulnerabilities

The plugin has an admin page listing all vulnerabilities affecting the plugin versions you have installed, as well as vulnerabilities in other versions of those plugins. There will be times when a vulnerability is reported before any update is available, in which case you might want to deactivate and remove the plugin in question.


Updating software for security issues is a natural part of life on the web. With the popularity of WordPress at an all-time high, the discovery of vulnerabilities in core and third party extensions is only going to increase. If you feel overwhelmed by keeping up with security updates, the Plugin Vulnerabilities plugin can help you be more responsive to potential threats.

18 Comments


  1. Good intentions, and it provides valuable functionality. But ultimately it isn’t going to put a dent in the issue. It’s still a plugin that you need to install and activate and the vast majority of WordPress users simply aren’t going to do so. Not only that, but they will have never even known about it.

    An issue this large and widespread needs to be addressed within the project itself. At its very core.

    Nagging people to update is also not the answer. Neither is education because you’re not going to reach everyone that needs to be reached.

    One solution that will help is more widespread use of background automatic updates.

    That is not a popular idea in some circles of the WordPress development community, but I’ve yet to hear anyone that knows of viable solutions to this problem that would have a greater impact or even any real impact at all.

    Those developers seem to forget that if it’s not for them they can simply disable it. Because… hooks and filters are cool like that.

    I’m beating a dead horse here as I’ve already expressed this opinion numerous times. But issues related to widespread exploitation of vulnerable out-of-date WordPress installs are not going to go away and will only get worse as WordPress continues to grow in market share.



    1. Yeah, this. Auto-upgrades and/or security notifications in core.

      Security problem with Windows? You get a notification (or auto-upgrade).

      Security problem with Mac? Auto-upgrade (or notification).

      That’s how they do it, and it works.



      1. It needs to be dead obvious that auto-upgrades are a thing, really easy for USERS to manage whether auto-upgrades are available for a particular plugin.

        That will solve the “omg, wtf, my site is broken and I didn’t touch it” problem.



      2. Louis Reingold,

        Auto-upgrades are bad in my opinion. You always risk when you update a plugin/theme/core of breaking your site.

        Also, when do the auto-upgrades occur? What if it’s the middle of the day? It could be 2am in your timezone, but it is always 9am-5pm somewhere, thus the site going into maintenance mode while the upgrade occurs can be bad for business.



      3. If your site has a security vulnerability, I’d say it’s already broken.

        Personally, I’d rather have my sites go down completely because of a botched update than have a vulnerability sitting there waiting to be exploited. The risk of the former is losing traffic and a minor hit to my reputation; the risk of the latter is having all my data destroyed, infecting my visitors with malware, being used to send spam, theft of sensitive information (mine and my visitors), a big hit to my reputation, etc.

        In reality, though, that’s not even an issue, because the Core security team is extremely careful about how they push automatic updates for plugins.

        If you’re running a mission-critical site, then you can always disable automatic updates and apply them manually, but that’s not the type of person the feature is aimed at. Anyone who would incur significant losses by their site being down should have resources dedicated to security. Automatic updates are for the 99% of site owners who don’t have those kinds of resources.



      4. I follow @wptavern, over 50 members of the WordPress community, many WordPress theme/plugin authors and the WordPress account. I will get at least 15 tweets within 15 minutes of the update being mentioned.

        Automatic updates for me just seem like lazy administrating. I keep up to date on all my WP installations and other non-WP things I run on my sites.

        There is also the privacy issue many people have.

        No matter what security you have, things can break. I view my login logs every day. On one site I have someone trying to use admin and random password attempts almost on a daily basis. It is a cat pics site, nothing else. No e-commerce or anything people can register for.



      5. It’s great that you’re so proactive about keeping your sites secure, but you’re in a very tiny minority. If you’re comfortable with that level of responsibility and are dedicated to doing it, then more power to you, but the vast majority of site admins will never do anything close to that.

        We can dismiss them as being irresponsible, but that doesn’t fix the problem. Hacked sites aren’t just bad for the person being hacked, they’re bad for everyone. They hurt WordPress’ reputation because the bottom-feeders in the tech media seize upon every opportunity to blast a “New WordPress vulnerability puts millions at risk” headline, and they’re used to manipulate search engine rankings and distribute spam and malware, which affects everyone.

        We need a way to patch security vulnerabilities in plugins without “lazy” admins having to be aware of the problem, understand it, and take action (because those things will never happen). Automatically pushing security updates for plugins solves that problem.

        If you have privacy concerns, no problem, just disable them and install the updates yourself. No one is being forced to use them, they’re just a feature that’s enabled by default.



      6. We aren’t normal WordPress users. We’re the extreme minority.

        While you may follow the developers of the plugins you use on your sites and update within minutes of a release announcement, that isn’t the norm. The vast majority of users simply don’t do this. They neglect their sites. They don’t update plugins. They don’t update themes. They rarely update WordPress itself, outside of the background automatic updates in core which does not include major releases.

        The average user sets up a WordPress site, installs the plugins he or she wants to use and then lets it sit. For months. Sometimes longer. Because WordPress is so widely used for non-blog sites they may even rarely log in to the WordPress Dashboard. The end result is the site simply does not get updated.

        We even regularly see more savvy users who neglect updates. It’s not just limited to the non-technical.

        I would rather have a user’s site encounter an issue with a background automatic update that can be corrected without much work than have user sites compromised and a vulnerability exploited because they didn’t keep things updated. I think just about any user would agree that a hiccup with a background automatic update would be far better than having the site completely exploited.

        If you use good plugins the update issue shouldn’t be a big deal. Can hiccups occur? Certainly. Even with good plugins. But would it be a regular occurrence? Certainly not. I never encounter issues when using automatic update in WordPress to update plugins on my sites. Background automatic update uses the same process.

        Will there be plugin developers that can’t release updates reliably? Absolutely. But with background automatic updates if a plugin developer regularly releases updates that cause issues with user sites the end result is going to be users will quit using their plugins. The ratings and reviews for the plugin will plummet. WordPress.org could even implement a policy surrounding background automatic updates to pull problematic plugins that regularly cause issues when updated.

        The end result would be a net positive for the WordPress community: bad plugins would be weeded out.

        We as developers need to remember that we aren’t the average WordPress user and we are the extreme minority. We tend to forget this. We need to be implementing features and functionality that make WordPress better for end users. This includes making maintaining a site practically hands off for those users who simply want a web site that works without having to think about it.



    2. I like the idea behind this plugin, but unfortunately the way they implemented it kind of defeats the purpose. They bundle their vulnerability database with the plugin, rather than periodically querying a remote API for real-time data and then caching the result.

      That means that in order for the plugin to know about newly discovered vulnerabilities, you have to first install an update for it. If you’re the type of person that immediately installs all available plugin updates, then this doesn’t really offer much benefit to you, since you’d have already installed the fixed version of the vulnerable plugin.

      If you’re not that type of person, then this plugin won’t know about new vulnerabilities and can’t inform you about them.

      The one exception to that is if a vulnerability is known, but not patched yet. It would be useful in that situation, but only if you updated the plugin so it could learn about the new vulnerability.

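The version matching behind the admin listing the article describes, together with the data-freshness problem this comment raises, as an added example written for this page in plain PHP (it is not the Plugin Vulnerabilities plugin’s own code). Plugin slugs, versions, the feed format and its "generated" timestamp are all constructed; a real checker would fill the installed-plugin map from the site and the feed from its bundled data or a remote API.

```php
<?php
// Constructed feed. A checker can ship this inside the plugin or fetch it from
// a remote API and cache it; either way it is just data keyed by plugin slug.
// "fixed_in": null marks a vulnerability that is public but not yet patched.
const VULN_FEED_JSON = '{
  "generated": "2015-04-06T00:00:00Z",
  "entries": [
    {"slug": "example-seo", "type": "SQL injection", "affected_below": "1.7.4", "fixed_in": "1.7.4"},
    {"slug": "example-gallery", "type": "Arbitrary file upload", "affected_below": "2.1.0", "fixed_in": null},
    {"slug": "example-forms", "type": "Reflected XSS", "affected_below": "3.0.2", "fixed_in": "3.0.2"}
  ]
}';

// Constructed stand-in for the slug => version map a site's plugin list gives you.
const INSTALLED = [
    'example-seo'     => '1.7.3', // inside the affected range, fix released
    'example-gallery' => '2.0.5', // inside the affected range, no fix yet
    'example-forms'   => '3.0.2', // already on the fixed version
    'example-cache'   => '1.0.0', // not in the feed at all
];

/**
 * One alert per installed plugin whose version is below the fixed release.
 * The action tells the admin whether to update or, when no patched release
 * exists, to deactivate and remove the plugin.
 */
function find_vulnerable_plugins(array $installed, string $feedJson): array
{
    $feed   = json_decode($feedJson, true, 512, JSON_THROW_ON_ERROR);
    $alerts = [];
    foreach ($feed['entries'] as $entry) {
        $slug = $entry['slug'];
        if (!isset($installed[$slug])) {
            continue; // plugin not present on this site
        }
        // version_compare() handles dotted release numbers as WordPress uses them.
        if (version_compare($installed[$slug], $entry['affected_below'], '<')) {
            $alerts[$slug] = [
                'type'      => $entry['type'],
                'installed' => $installed[$slug],
                'action'    => $entry['fixed_in'] === null
                    ? 'no fixed release yet: deactivate and remove the plugin'
                    : 'update to ' . $entry['fixed_in'],
            ];
        }
    }
    return $alerts;
}

// A bundled database is only as current as the checker's own last update, so
// warn when the feed is older than $maxAgeDays rather than silently trusting it.
function feed_is_stale(string $feedJson, int $maxAgeDays, ?int $now = null): bool
{
    $generated = strtotime(json_decode($feedJson, true)['generated']);
    return (($now ?? time()) - $generated) > $maxAgeDays * 86400;
}

foreach (find_vulnerable_plugins(INSTALLED, VULN_FEED_JSON) as $slug => $alert) {
    printf("%s %s (%s): %s\n", $slug, $alert['installed'], $alert['type'], $alert['action']);
}
if (feed_is_stale(VULN_FEED_JSON, 7)) {
    echo "Vulnerability data is more than a week old; update the checker before trusting it.\n";
}
```

With the constructed data the script reports example-seo (update to 1.7.4) and example-gallery (no fix yet), skips example-forms and example-cache, and prints the staleness warning because the feed date is fixed in the past.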


    3. Yes. The people who install this plugin are already security-conscious, and pro-active: which means they’re not the majority who have/are the problem.

      I think that at least two things are needed:
      1) plugin authors should be allowed to push automatic updates. This might be abused – but so can the facility to make available manual updates. If you don’t trust the authors of plugins on your site, then you’re wrong to use those plugins.
      Allowing plugin authors to make the decision is better than either a) automatic updates for all plugins (lots of sites will break whilst you sleep, which to many site owners is all the same thing as being hacked – except that this time from their perspective WordPress hacked itself!) or b) the wordpress.org team making the decision – they can’t scale to doing this on tens of thousands of plugins.

      2) a header needs adding to plugin readmes to indicate insecure versions, and the wordpress.org plugins API needs to include this information… and WordPress core needs patching to handle it. Users should be shown warnings in their dashboards. Currently, there’s no visual clues as to what plugins have updates that are shiny new features, bugs, translations changes… and which are security critical.



      1. Alerts in the dashboard would be a good measure. I agree, automatic updates are not a good plan. That in itself, as you noted, can result in much ugliness.

        I think in the Dashboard WP might think about considering an “Urgent News” type modal so even if a WP webmaster is not using a plugin, let’s say, that has a breach they can start getting informed about such matters and how to best prevent malicious practices.

        Perhaps even a sort of push backend so as matters of concern happen or even good instruction becomes available WP can leverage that.

        Sort of a tutorial push to the backend.

        The same problems exist for just plain ol’ PC users. I cannot begin to tell you how many times I have removed security software from others’ PCs like Norton, McAfee etc. and stuck Comodo Internet Security on their systems or installed it on people’s laptops where pretty much nothing was there.

        Comodo is wonderful if you have never tried it.



      2. Dashboard notifications are useless. The issue is a very large number of users simply never use the Dashboard. These aren’t bloggers. These are people who set up a WordPress site and then just expect it to work. The type of people that these issues typically impact will not be reached effectively by nagging them in the WordPress Dashboard.

        I keep seeing tech savvy users and developers point out that sites will break because a bad plugin update will cause issues. They certainly will. But long-term the plugin developers who can’t get things together and release reliable updates will be weeded out and their plugins will be discarded by users and possibly even removed from the WordPress.org repository if it’s a pattern.

        What would you rather have happen…

        – Your site encounters an issue with a background automatic update and you may or may not catch it quickly. But ultimately the issue is easily resolved (ex. PHP memory issue, another update released, etc.) and once resolved the site is back up and chugging along.

        – Your site is completely exploited by a vulnerable plugin that you didn’t keep updated and is completely wrecked. You’ll have to spend hours, possibly days, working on it to fix the issue. You may not even realize there is an issue for months and months. Because you aren’t tech savvy you probably won’t even be able to fix it by yourself and have to scrap the web site entirely or hire a developer or security company to clean it up for you.

        I know which one I’d rather happen. It’s the lesser of the two evils. By far.



      3. If automatic or “atomic” updates could be made completely or near secure I may agree.

        Windows is not a simple mechanism of updates. Many commercial applications like Adobe stuff code their own mechanisms.

        Windows does an entire audit of several areas of a system before pushing updates. It’s taken them years and years to get it right.

        WP certainly wouldn’t need something as advanced. But the problem here is Open Source. Since the mechanism by which updates are performed will be a known quantity, and it is possible right now in fact to capture an “update in progress” (for example with a listener application), the task becomes far more difficult than the simplicity it conceptually appears to have, as is the case in much software engineering.

        See… Being a programmer isn’t hard, as I said in another thread. I can teach anyone; I’ve taught 12 year olds. In comparison to marketing it’s Simon simple.

        But taking a problem or task and writing code to DO that task, that can be easy or very difficult. We all recognize say a STOP sign when driving. For a computer to visually recognize a stop sign is a TON of work.

        That’s why I call them “Dumbputers” as really, they are quite stupid. An ant is infinitely more intelligent than a computer.

        The best protection is informing people of problems within their website and if need be make it VERY in their face so they respond to it.

        If Webmasters only use WP from the frontend (I don’t see how they could NEVER enter the backend) then when the Admin account logs in they get a big official WP notification telling them “You have a security problem”, as well as at the email address of the Admin.

        I have not in any way, shape or form looked at the codebase of how WP currently does its updating, so I cannot say if IMHO it’s satisfactory or not, again, in my opinion. I simply do not know.

        Whilst I am not new to WP having built some sites I am new to the coding thereof. Much more experienced with Joomla which we are doing everything we can to transition away from as well.



  2. Penetration testing is the only way to avoid security breaches when you have many hands in on whatever the site’s complete codebase is. If you have plugins from many developers then you open the doors to security matters. I explained an experience of ours with Joomla and a particular State level political campaign. We were overnight threatened with a 2 million dollar lawsuit and due to an inadequate disclaimer drawn up by an attorney it would have stuck. Standard form of limited liability disclaimer. However, we failed to mention and have them sign off on the external components/modules used on the site NOT coded by us. That makes the disclaimer null and void if it were to go in front of a judge here in the USA.

    There are many free penetration testing tools out there and many paid ones. We use Fortify by HP and got a real break on it as Xerox corp and HP are “tight”. In fact, it came about due to that breach. Xerox ran the penetration testing against the defaced site. They found several security holes.

    The simplest “quickie” fix is probably that anyone who downloads a plugin has to insert an email address that’s valid, and in the responder email have a link that validates. The email address is then saved by the repository. If a security issue crops up then all who downloaded the plugin can get an email about the specific vulnerability. At least it would reach more people that way.



  3. If you are hosting with NameCheap, this plugin will get blocked.

    Subject: Attention: Malicious Attempt to Access Your Hosting Account

    Dear Hosting Account ‘xxxxxx’ Owner,

    This is an automated alert to inform you that we have detected a malicious attempt to access your account via http or ftp on our server ‘xxxxxxxxxxxxxx’. Our security systems have blocked the upload of malicious file to the server and put it to the quarantine. Your website is safe now, but it is important you undertake the following precautions.

    1. Immediately scan your PC for viruses and malware. We recommend the anti-virus programs which free editions are available for most operating systems for this purpose.

    2. Make sure that you use strong, hard-to-guess passwords on your account and applications. Do not use the same password for different applications. To remember more difficult passwords, we recommend you use the password managers such as LastPass or RoboForm.

    3. Update all third party scripts to the latest versions (e.g. Joomla, WordPress, Magentoo or any other CMS). Remove every script, gadget, feature, function, and code snippet which has poor security vulnerability report.

    4. Enable CloudFlare in cPanel. It is designed to provide protection from many forms of malicious activity.

    5. Use .htaccess or cPanel > Deny IP to block the hacker’s HTTP access to your site. If you identified the hacker’s IP address, one site where you can look it up to get more information about this IP is http://whois.domaintools.com/ .

    6. Change your cPanel/ftp passwords.

    We have put the following content into quarantine as we believe it contains viruses or other malicious code. If you feel this has been in error and your file is false-positive (innocent), please submit a ticket to us at https://support.namecheap.com/index.php?/Tickets/Submit or contact the Live Help at http://www.namecheap.com/support/livesupport.aspx and we will be happy to assist:

    ‘[Hacker Signature Exploit [P0818]]’: /home/xxxxxx/public_html/wp-content/plugins/plugin-vulnerabilities/vulnerabilities/c.php
    ‘[Hacker Signature Exploit [P0818]]’: /home/xxxxxx/public_html/wp-content/plugins/plugin-vulnerabilities/vulnerabilities/w.php

    Regards,
    NameCheap Hosting Team

    The xxxxx are things I blocked out because they are things I don’t want to show.

    I sent an e-mail to WP, I got back a message saying it is false flagging (or something like that).



  4. Nothing against this plugin and I’m not here to debate the reasons for Automatic Updates etc.
    I’d like to remind whoever is interested that the Wordfence Security Plugin already notifies the Admin email of such out-of-date plugins? (with the added bonus of the other features)


Comments are closed.