Go Daddy Support

Are Your Plugins the Weakest Link?

Date Submitted: 7-29-2011 by Joshua13


Topic: Resources

Plugins and extensions are powerful tools that let you extend your applications to do almost anything you can imagine. From automatically backing up your content to connecting with various social networks, using a plugin or extension can benefit your site.

While plugins and extensions provide useful features, it’s important to keep your website’s security in mind if you consider using these tools. A single security vulnerability in a plugin or extension can lead to the compromise of a fully patched application.

For example, last month WordPress® developers discovered a backdoor that malicious users had inserted in updates to the AddThis, WPtouch, and W3 Total Cache plugins. The backdoors granted unauthorized access to blogs with these plugins installed. WordPress developers cleaned and re-released the plugins, but they urged users to review their site content and update, because anyone using those versions could have a compromised website.

So, how can you get the benefit of plugins while not making your site vulnerable to security threats? We recommend the following:

  1. Make sure all your plugins and extensions are up to date. (And keep them up to date.)
  2. If you don’t use a plugin or extension, delete it. Simply disabling a plugin/extension is not always an effective way to prevent vulnerabilities from being exploited.
  3. If a plugin or extension requires write access to files or directories, review the code to make sure it is not doing anything malicious.
  4. Where possible, avoid plugins or extensions that let visitors execute code.
  5. If you don’t know what a plugin/extension does, don’t use it.
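
Recommendations 3 and 4 both come down to knowing what a plugin's code does. The Python script below is an added example, not part of the original article or of any plugin: it lists the lines in each plugin that call PHP file-write or code-execution functions, so a reviewer knows where to start reading. The function lists and the sample files are this example's own choices, and a hit is a prompt for manual review, not proof of malicious code.

```python
import re
import tempfile
from pathlib import Path

# Real PHP built-ins worth a manual look; the grouping is this example's own.
CHECKS = {
    "write": ("file_put_contents", "fwrite", "fputs", "move_uploaded_file", "chmod"),
    "exec": ("eval", "assert", "system", "exec", "shell_exec", "passthru",
             "popen", "proc_open", "create_function"),
}
# Match a bare call such as eval( but not my_eval( or $obj->exec(
PATTERNS = {cat: re.compile(r"(?<![\w>$])(" + "|".join(names) + r")\s*\(", re.I)
            for cat, names in CHECKS.items()}

def scan_plugins(plugins_dir):
    """Return {plugin: [(relative_path, line_no, category, function), ...]}."""
    root, findings = Path(plugins_dir), {}
    for php in sorted(root.rglob("*.php")):
        rel = php.relative_to(root)
        lines = php.read_text(encoding="utf-8", errors="replace").splitlines()
        for no, line in enumerate(lines, 1):
            if line.lstrip().startswith(("//", "#", "*", "/*")):
                continue  # whole-line comments are not calls
            for cat, pat in PATTERNS.items():
                for m in pat.finditer(line):
                    findings.setdefault(rel.parts[0], []).append(
                        (rel.as_posix(), no, cat, m.group(1).lower()))
    return findings

# Constructed sample files standing in for a wp-content/plugins directory.
SAMPLE = {
    "gallery/gallery.php": "<?php\n// eval( in a comment is skipped\n"
                           "function gallery_render($id) { return get_post($id); }\n",
    "cache-helper/cache.php": "<?php\nfile_put_contents($path, $data);\n"
                              "$out = my_exec($cmd);\neval(base64_decode($blob));\n",
}

def demo():
    """Write the constructed sample to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_plugins(tmp)

if __name__ == "__main__":
    for plugin, hits in demo().items():
        for path, no, cat, func in hits:
            print(f"{plugin}: {path}:{no} [{cat}] {func}()")
```

To check a real site, call `scan_plugins()` with the path to a copy of its plugins directory.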

To learn more about vulnerabilities in extensions and plugins, visit the National Vulnerability Database at http://nvd.nist.gov/.
