Say a total stranger walks up to you and offers you a delicious looking lollipop.
Do you grab it and stuff it in your mouth?
Most people know better than to accept stuff from strangers. But when it comes to the internet, our sense of self-preservation often flies out the window. We don’t think twice when complete strangers walk up to us in the digital world, show us a shiny new plugin and ask us to install it on WordPress. Yet, vulnerable plugins account for more than 30% of all hacked WordPress sites.
Today, you’ll learn how to check WordPress plugin vulnerabilities that might compromise your site – and what to do if you’ve installed a vulnerable plugin unwittingly.
It’s not only WordPress site owners who are too trusting of online strangers. Tons of people fork over their passwords, personal information and other sensitive data to complete strangers online without a second thought. Even the most prominent people are tricked into revealing their personal information online. Not long ago, a UK hacker tricked White House officials into revealing sensitive information. The fact that the affected White House staff were part of the U.S cybersecurity task force shows that it’s easy to be too trusting. You need to be proactive here.
So, let’s get to it then. How do you check for vulnerabilities in WordPress plugins? Well, before you start checking, you’ll need to know what a vulnerability is, and what it’s not.
What’s a WordPress Vulnerability?
A vulnerability is a weakness. In computer speak, it is a weakness in a piece of computer software, one that’s capable of being exploited. A nefarious person can use it to gain unauthorized access to a computer system. If you install a WordPress plugin with a vulnerability, attackers can use the vulnerability to access your dashboard, dump data from your mailing list, and, if you run an e-commerce store, grab as much of your customers data as they can.
Installing a vulnerable WordPress plugin sounds pretty serious, doesn’t it?
It’s like willingly ingesting a parasite. Only this particular parasite comes equipped with network communication capabilities. And it uses those abilities to invite other parasites to pilfer your WordPress site.
How to Check WordPress for Plugin Vulnerabilities
Fortifying your WordPress installation requires you to stop every attempt a hacker makes to get a foothold. Since the WordPress core is one of the most secure in the Content Management System ecosystem you only have stop and do some checking before you install that next plugin. So, how do you do that?
1. Check Whether the Plugin is Listed teOnline Vulnerability Databases
Before installing a plugin on a WordPress site, the first thing you want to do is check relevant vulnerability databases. The WPScan Vulnerability Database, the National Vulnerability Database and Exploit-DB are good places to start.
Go to these websites, type in the name of the plugin, click search, and you’ll get a list of vulnerabilities like below:
Exploit Database shows WordPress Plugin Contact Form Builder version 1.0.67 has cross-site request forgery and local file inclusion vulnerabilities. These are two of the most severe vulnerabilities according to the Open Web Application Security Project (OWASP).
If your plugin shows up on these databases, check its homepage to see if the developers updated or patched the vulnerability. Then, if they have, make sure you download the updated version of the plugin before installing it on your WordPress website. If they haven’t, deactivate the plugin immediately if it’s already installed.
2. Scan Installed Plugins for Vulnerabilities
Software security scanners work pretty much like the scanners you find in airports. If they detect something off with a plugin, they notify you. They use an existing database of all known vulnerabilities to check your site code for these scripts.
There are lots of WordPress security scanners but perhaps the most popular scanner is the WPScan plugin.
WPScan isn’t your typical WordPress plugin. When you install it, WPScan starts by checking if other plugins on the site are vulnerable to known attacks. It also checks whether users on the site have weak passwords, whether the passwords can be brute forced, and other miscellaneous items such as your WP directories, themes, custom directories, and configuration settings. It does all of these without needing extended permissions. That means even if a hacker somehow infiltrates your WPScan installation, there’s nothing he or she can do because it’s almost impossible to escalate from WPScan to full-site exploitation.
3. Don’t Install Discontinued or Cracked Plugins
Never download nulled/discontinued plugins or cracked versions of premium plugins.
Cracked versions of premium plugins have their code modified to remove the authors’ licensing requirements without paying. It’s not too far-fetched to think that the hacker making the modification added something extra to allow them access to any WordPress site using the cracked plugin.
Use a tool like RIPS to check if the plugin files you just downloaded are part of a cracked version of the plugin. If it finds similar files, then the plugin most likely has security issues.
4. Always Download Plugins from Reputable Sites
This is more of a precaution than a countermeasure, but it’s your best chance at avoiding vulnerable WordPress plugins. Go to the official WordPress repository every time you want to download a plugin. The team behind this site vet every plugin before it’s released to the public. Downloading a vulnerable WP plugin from the official repository is exceedingly unlikely.
Here’s a search for a Contact Form Builder plugin.
See the Details, Review, Installation, Support, and Development tabs right under the name of the developers? You’ll want to check out each tab. That should tell you if other users had problems with the plugin and whether it’s prone to malicious attacks.
By following these simple steps, you’ll never have to worry about installing vulnerable plugins. You don’t have to be scared of strangers gaining access to your website data, and selling it to who knows where on the dark web.
Moving forward, if you’ve just discovered that one of your plugins is vulnerable, disabling it and removing it from your site is the first step, but if your site is already infected, that might not solve the problem. The plugin may have already allowed numerous malware onto your site. Reach out to us and we’ll work to undo any damage caused by a rogue plugin or website malware!