When Bad Things Happen to Good Plugins
Plugins have always provided a point of entry for internet bad guys. Recently, the internet security company Sucuri found a plugin vulnerability that’s much more troubling than most.
Instead of the usual scenario, where a hacker will find a weak point in the code, this guy took over a legitimate plugin. Then he pushed out an update that included a back door. Sites that had been working fine with the plugin for up to three years suddenly found themselves compromised.
The hacker then used the backdoor to steal credentials.
The plugin was Custom Content Type Manager. WordPress has since disassociated the hacker, who calls himself wooranker, from all plugins, cleaned the code, and issued a safe update, version 0.9.8.9. However, if you were one of the unfortunate users who updated to the hacked version, you’ll need to clean your site in addition to updating to the clean version of the plugin.
Sucuri has documented the entire issue here if you’d like to read all the details.
What does this mean for WordPress users?
Sadly, it means more work. But don’t despair, because we’ll help you make it manageable.
First, be aware that, if you want your site to remain secure, vetting a plugin is no longer a one-time event. It’s not enough to do your research before installing a new plugin, you must check a few things before you update it as well.
Recommended core plugins
We recommend a core group of plugins that nearly every WordPress site should be using. We have vetted these carefully, and we maintain a test site where we constantly check to make sure the plugins work together smoothly and securely. You can install these plugins with a high level of confidence:
- SI Captcha Anti-Spam
- Jetpack (specifically, the BruteProtect module)
- Updraft Plus
- Google Analyticator
- Yoast SEO
- WP Super Cache
- Contact Form 7
- SBI! for WP
Other plugins need to be checked out first. Before installing a plugin, evaluate it for:
Follow the guidelines in Evaluating WordPress Plugins for details on how to do this, and you’ll be confident you’re installing good plugins.
When It’s Time To Update…
It used to be, once you’d thoroughly checked and plugin and installed it, that you could update it with confidence. However, in light of recent events we’re recommending a bit of additional research before you upgrade a plugin to a new version. (Note that this is primarily for free, rather than premium, plugins.)
As always, before updating anything, run a complete backup of your WordPress site, and either download it to your computer or to a cloud service. You want a clean backup that is not stored on the server that hosts your site. Also note that, if you have the ability to mirror the site on a staging server, you would ideally make changes on the staging server first, before updating the live site.
- In your WordPress Dashboard, navigate to Updates.
- You’ll see a list of plugins requiring updates.
- Click the “View version x.x details” link to see an overlay with information about the plugin. It will look like this:
- If you made note of the plugin author when you first installed it, check that it’s the same. If it’s different, or if a new author has been added, take the next step.
- Scroll down to see the Contributors. This area lists all the people who’ve been involved in the plugin’s development.
- Are any of the contributors new since you installed the plugin? Click on each contributor in turn. You want to check for several things:
- How long has he been a member? The longer, the better.
- Is contact information clearly posted? That can include email, social media accounts, or a website.
- Click the Plugins link under his picture. Is this his only plugin, or has he developed several. If he has other plugins, how well do they rank?
- Check the ratings. Click on the 1-star rating to see if there are any substantive issues reported very recently. For the Custom Content Type Manager plugin, there’s a flurry of 1-star ratings beginning March 5.
- Last, run a web search. Type the plugin name along with “problems” — here are some Google results when I searched for “Custom Content Type Manager Plugin problems.”
If this all checks out, go ahead and install the upgrade.
Want an easy way to track your plugin details? Download our free Plugin Tracking Worksheet.