Every WordPress enthusiast knows that, however much they like WordPress, many others shy away from it because they think WordPress is not a secure platform. As explained in the article Is WordPress Secure, the main problem with WordPress security is not WordPress itself but several other factors.
The majority of WordPress hacks happen because users choose weak passwords or fail to keep their plugins and themes up to date. Sometimes I wonder how people manage not to update their plugins when the dashboard makes it so obvious that the installed plugins need updating.
After seeing how the community reacted to a blind SQL injection vulnerability in the WordPress SEO plugin, it is obvious that if we use the media more effectively we can encourage users to keep their plugins up to date, and so eliminate a big part of the WordPress security problem. This article explains how media coverage played a vital role in getting the majority of users to update their WordPress SEO plugin.
WordPress SEO Plugin Vulnerable to Blind SQL Injection
Last week Ryan Dewhurst, the lead developer of WPScan, identified a blind SQL injection vulnerability in WordPress SEO. Since WordPress SEO is one of the most popular plugins, with over one million installations, the news spread quickly. Everyone was retweeting and sharing Facebook statuses, and most WordPress news websites covered it, mainly urging users to update the plugin.
The community responded very well. On the day version 1.7.4 of the WordPress SEO plugin was published and the news reached users, the plugin was downloaded 233,655 times. Look at the graph below and notice the spike in downloads.
Learning from the Plugins Download Trends
Before this vulnerability was discovered, each time Yoast released an update of their plugin only around 50,000 users updated on the first day. Since version 1.7 the first-day downloads increased to nearly 70,000, still nowhere near the 200,000-plus downloaded last week.
It seems that scaremongering works: because the media made a lot of noise about this vulnerability, many users reacted and updated their plugin. In fact, before this vulnerability was disclosed, only around 40% (or less) of users were running the latest version of WordPress SEO, version 1.7. As of today, 67.3% are running version 1.7, and some of those might not be running 1.7.4, the release that includes the fix.
Does that mean that around 300,000 (30%) WordPress websites are still at risk? This number is not accurate, since the vulnerability might not be present in all previous versions of the plugin (I haven't checked), but it is still worrying that so many WordPress administrators take so long to update.
The above statistics are proof that it takes a lot to get users to keep their plugins up to date. No wonder many people think WordPress is insecure. Imagine this vulnerability being exploited in the wild, as has happened with others in the past.
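Whether a site is among those still at risk is easy to check from the command line. The script below is an added example written for this article, not code from the original post or from Yoast or WP White Security. It assumes the CSV that the real WP-CLI command `wp plugin list --format=csv` prints (columns name, status, update, version); the sample CSV embedded in it and the table of fixed versions are constructed, with 1.7.4 taken from this article as the WordPress SEO release that ships the fix. It flags any plugin whose installed version is older than the release that fixed it, and separately lists everything WP-CLI says has an update available.

```python
"""Flag installed WordPress plugins that are older than a known-fixed release.

Added example, not code from the original article or from Yoast / WP White
Security. Input is assumed to be the CSV produced by the real WP-CLI command
`wp plugin list --format=csv` (columns: name,status,update,version). The
sample CSV and the FIXED_IN table below are constructed for the example.
"""
import csv
import io

# Constructed table: plugin slug -> first release that contains the fix.
# 1.7.4 is the WordPress SEO release the article names as including the fix.
FIXED_IN = {"wordpress-seo": "1.7.4"}

# Constructed sample of `wp plugin list --format=csv` output.
SAMPLE_CSV = """name,status,update,version
wordpress-seo,active,available,1.7.1
akismet,active,none,3.1.3
wp-security-audit-log,active,none,1.5.0
hello,inactive,none,1.6
"""


def parse_version(v):
    """'1.7.4' -> (1, 7, 4). Only dotted numeric versions are handled."""
    return tuple(int(p) for p in v.strip().split(".") if p.isdigit())


def is_older(installed, fixed):
    """True if `installed` sorts below `fixed`; '1.7' is treated as '1.7.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def find_unpatched(plugin_csv, fixed_in=FIXED_IN):
    """Return [(slug, installed, fixed_in)] for plugins below their fixed version."""
    out = []
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        slug = row["name"]
        if slug in fixed_in and is_older(row["version"], fixed_in[slug]):
            out.append((slug, row["version"], fixed_in[slug]))
    return out


def find_updatable(plugin_csv):
    """Slugs for which WP-CLI reports an available update, security-related or not."""
    return [row["name"]
            for row in csv.DictReader(io.StringIO(plugin_csv))
            if row["update"] == "available"]


if __name__ == "__main__":
    # On a live site, pipe in: wp plugin list --format=csv
    for slug, have, need in find_unpatched(SAMPLE_CSV):
        print(f"{slug}: installed {have}, fix shipped in {need} -> wp plugin update {slug}")
    print("updates available for:", ", ".join(find_updatable(SAMPLE_CSV)) or "none")
```

On a real site you would feed the script the live output of `wp plugin list --format=csv` instead of the embedded sample; the point of keeping a per-plugin fixed-version table is that "update available" alone does not tell you whether the pending update is the one that closes a disclosed hole.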
The Benefits of Keeping WordPress Plugins Up To Date
Forget about security for a second. If you look at the changelog of WordPress SEO you will notice that all of the last 12 updates included bug fixes. Such numbers are normal: for example, 11 of the last 12 updates of our own plugin, WP Security Audit Log, included bug fixes. Hence keeping your WordPress plugins up to date is not just about security; it is also about running the latest, most stable and most efficient software.
Spread the Word – Let’s Improve WordPress’ Image
If you would like to see more people switching to and using WordPress, spread the word each time there is a security issue, regardless of whether the affected plugin is popular. By doing so you ensure that more users run the latest and most secure versions, that fewer WordPress websites are hacked, and hence that many more users will trust WordPress.
Why should you care about more people using WordPress? Simple: the more people use WordPress, the better the products will be and the more work there will be for all of us involved in the community.