
When Bad Things Happen to Good Plugins


Plugins have always provided a point of entry for internet bad guys. Recently, the internet security company Sucuri found a plugin vulnerability that’s much more troubling than most.

Instead of the usual scenario, where a hacker will find a weak point in the code, this guy took over a legitimate plugin. Then he pushed out an update that included a back door. Sites that had been working fine with the plugin for up to three years suddenly found themselves compromised.

The hacker then used the backdoor to steal credentials.

The plugin was Custom Content Type Manager. WordPress has since disassociated the hacker, who calls himself wooranker, from all plugins, cleaned the code, and issued a safe update, version 0.9.8.9. However, if you were one of the unfortunate users who updated to the hacked version, you’ll need to clean your site in addition to updating to the clean version of the plugin.

Sucuri has documented the entire issue here if you’d like to read all the details.

What does this mean for WordPress users?

Sadly, it means more work. But don’t despair, because we’ll help you make it manageable.

First, be aware that, if you want your site to remain secure, vetting a plugin is no longer a one-time event. It’s not enough to do your research before installing a new plugin; you must also check a few things before you update it.

Recommended core plugins

We recommend a core group of plugins that nearly every WordPress site should be using. We have vetted these carefully, and we maintain a test site where we constantly check to make sure the plugins work together smoothly and securely. You can install these plugins with a high level of confidence:

  • SI Captcha Anti-Spam
  • Jetpack (specifically, the BruteProtect module)
  • Updraft Plus
  • Google Analyticator
  • Yoast SEO
  • WP Super Cache
  • Contact Form 7
  • SBI! for WP

Other plugins need to be checked out first. Before installing a plugin, evaluate it for:

  • Stability
  • Reliability
  • Reputation

Follow the guidelines in Evaluating WordPress Plugins for details on how to do this, and you’ll be confident you’re installing good plugins.

When It’s Time To Update…

It used to be that, once you’d thoroughly checked a plugin and installed it, you could update it with confidence. However, in light of recent events we’re recommending a bit of additional research before you upgrade a plugin to a new version. (Note that this is primarily for free, rather than premium, plugins.)

As always, before updating anything, run a complete backup of your WordPress site, and either download it to your computer or store it with a cloud service. You want a clean backup that is not stored on the server that hosts your site. Also note that, if you have the ability to mirror the site on a staging server, you would ideally make changes on the staging server first, before updating the live site.

  1. In your WordPress Dashboard, navigate to Updates.
  2. You’ll see a list of plugins requiring updates.
  3. Click the “View version x.x details” link to see an overlay with information about the plugin.
  4. If you made note of the plugin author when you first installed it, check that it’s the same. If it’s different, or if a new author has been added, take the next step.
  5. Scroll down to see the Contributors. This area lists all the people who’ve been involved in the plugin’s development.
  6. Are any of the contributors new since you installed the plugin? Click on each contributor in turn. You want to check for several things:
    • How long has he been a member? The longer, the better.
    • Is contact information clearly posted? That can include email, social media accounts, or a website.
    • Click the Plugins link under his picture. Is this his only plugin, or has he developed several? If he has other plugins, how well do they rank?
  7. Check the ratings. Click on the 1-star rating to see if there are any substantive issues reported very recently. For the Custom Content Type Manager plugin, there’s a flurry of 1-star ratings beginning March 5.
  8. Last, run a web search. Type the plugin name along with “problems” — here are some Google results when I searched for “Custom Content Type Manager Plugin problems.”

If this all checks out, go ahead and install the upgrade.
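As an added example (not part of the original post), the author, contributor and 1-star checks in steps 4 through 7 can be scripted against a baseline you recorded at install time, using the public WordPress.org plugin info API. The plugin slug, the baseline and the sample API response below are constructed; `fetch_info` is only needed for a live lookup.

```python
"""Pre-update plugin check: compare current WordPress.org metadata with an install-time baseline."""
import json
import re
import urllib.request

# Baseline recorded when the plugin was first installed (constructed sample).
BASELINE = {
    "slug": "example-content-plugin",   # hypothetical slug, not a real plugin
    "author": "original-dev",
    "contributors": ["original-dev"],
}

# Constructed stand-in for the API response. Field names follow the real
# https://api.wordpress.org/plugins/info/1.0/<slug>.json format; the values are made up.
SAMPLE_INFO = {
    "version": "1.2.0",
    "author": '<a href="https://example.com">original-dev</a>',  # the API wraps the author in HTML
    "contributors": {"original-dev": "https://profiles.wordpress.org/original-dev",
                     "newcomer": "https://profiles.wordpress.org/newcomer"},
    "ratings": {"1": 7, "2": 0, "3": 1, "4": 2, "5": 40},
}


def fetch_info(slug):
    """Fetch live metadata for a plugin slug (needs network; the offline demo uses SAMPLE_INFO)."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def review_update(baseline, info, one_star_threshold=5):
    """Return a list of warnings; an empty list means nothing changed that warrants a closer look."""
    warnings = []
    author = re.sub(r"<[^>]+>", "", info.get("author", "")).strip()  # strip the HTML link
    if author != baseline["author"]:
        warnings.append(f"author changed: {baseline['author']} -> {author}")
    new = sorted(set(info.get("contributors", {})) - set(baseline["contributors"]))
    if new:
        warnings.append("new contributors since install: " + ", ".join(new))
    one_star = int(info.get("ratings", {}).get("1", 0))
    if one_star >= one_star_threshold:  # the API gives counts, not dates, so read the reviews yourself
        warnings.append(f"{one_star} one-star ratings; read the most recent reviews first")
    return warnings


if __name__ == "__main__":
    for line in review_update(BASELINE, SAMPLE_INFO) or ["no changes flagged"]:
        print("-", line)
```

Any warning means pausing the update and working through the manual checks above before you click Update.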

Want an easy way to track your plugin details? Download our free Plugin Tracking Worksheet.

Susanna Perkins
Susanna Perkins is a writer who loves WordPress and travel. After several years in the beautiful Republic of Panama, she's back in the US (for now). She teaches non-technical people how to use WordPress, and writes about WordPress, expats and portable careers. Recently she's been working with a small team to create something insanely useful for WordPress users.
  • Oh my, what a nasty lil hacker! I hope those who had the plugin installed have minimal cleanup. I’m glad to hear you mention Jetpack as a plugin because I always hear so many dissing it. I love it!

    Thanks for sharing!

    • Susanna Perkins

      Thanks for your comments, Brenda. Jetpack is one of those plugins everyone either loves or hates. There doesn’t seem to be any middle ground. 🙂

  • Perfect Dashboard

    This whole situation is really awful. You’re doing your best to keep your website secure and then something like this happens.

    • Susanna Perkins

      It is awful. It brings hacking to a whole new level, and means we all need to be even more vigilant.
