20% Of WordPress Plugins Are Vulnerable
Just when you thought your WordPress blog was safe, a new string of WordPress plugin attacks happens. Checkmarx, a security company, has just released a report stating that 12 out of the 50 most popular WordPress plugins are highly susceptible to attacks. What kinds of attacks? Namely, QL injection and cross-site scripting.
Around 8 million people download some of the popular 50 WordPress plugins mentioned in Checkmarx's list. That's a large percentage of the WordPress population that may soon find themselves under attack. Why have these plugins become so vulnerable?
20% Of WordPress Plugins Are Vulnerable: The Problem Is With PaaS
Checkmarx has found that the reason why many WordPress plugins are facing attack is that these plugins aren't thoroughly tested by PaaS providers. This lack of security testing leads to attacks, and this provides a whole bunch of problems for WordPress users downloading seemingly harmless plugins.
It is largely assumed that downloading a plugin from a site like WordPress is safe. This is a false assumption, though. Site admins should consider the safety of each plugin prior to download – and a careful eye should be kept on security reports like the one that Checkmarx has released.
20% Of WordPress Plugins Are Vulnerable: Scanning for Vulnerable Plugins
The best way to avoid a plugin attack is to scan all plugins for security issues prior to use. Checkmarkx also advises all WordPress users to get rid of old or unused plugins. Even if plugins aren't used, they are still part of a site, and this means that they are still vulnerable.
If you're thinking that the amount of coding also has something to do with plugin security, think again. Checkmarkx has found that many of the vulnerable plugins only contain a few thousands lines of code. So, it doesn't necessary equate that massive lines of code result in more attacks.
On the platform provider end of things, these companies should be scanning any new plugins thoroughly, but this doesn't always happen. At the very least, you can protect your site by making sure that you've checked each plugin for possible vulnerabilities.
Questions? Comments? Leave me a note below.