Using Media to Improve WordPress Security

Last updated on March 16th, 2015 by Robert Abela. Filed under WordPress Security News

Every WordPress enthusiast knows that, as much as he or she is into WordPress, many others shy away from it because they think that WordPress is not a secure platform. As explained in the article Is WordPress Secure, the main problem when it comes to WordPress security is not WordPress itself but several other factors, most of them under the site owner's control.

The majority of WordPress hacks happen because users use weak passwords, or because they fail to keep their plugins and themes up to date. Sometimes I wonder how people fail to update their plugins when the dashboard makes it so obvious that the plugins you have installed need to be updated.

After seeing how the community reacted to a blind SQL injection vulnerability in the WordPress SEO plugin, it is obvious that if we use the media more effectively we can encourage all users to keep their plugins up to date, thus eliminating a big part of the WordPress security problem. This article explains how the media played a vital role in ensuring that the majority of users updated their WordPress SEO plugin.

WordPress SEO Plugin Vulnerable to Blind SQL Injection

Last week Ryan Dewhurst, the lead developer of WPScan, identified a blind SQL injection vulnerability in WordPress SEO. Considering that WordPress SEO is one of the most popular plugins, with over one million installations, the news spread easily. Everyone was retweeting tweets and sharing Facebook statuses, and most WordPress news websites covered it, mainly urging users to update the plugin.

The community responded very well. On the day version 1.7.4 of the WordPress SEO plugin was published and the news reached the users, the plugin was downloaded 233,655 times. Look at the graph below and notice the spike in downloads.

WordPress SEO Plugin downloads

Learning from the Plugins Download Trends

Before this vulnerability was discovered, each time Yoast released an update of their plugin only around 50,000 users updated it on the first day. Since they released version 1.7 the first-day downloads increased to nearly 70,000, yet nothing near the 200K-plus that were downloaded last week.

Scaremongering Works

It seems that scaremongering works: since the media made a lot of hype about this vulnerability, many users reacted and updated their plugin. In fact, before this vulnerability was disclosed only around 40% (or less) of the users were running the latest version of WordPress SEO, version 1.7. As of today, only 67.3% are running version 1.7, and some of those might not be running the latest release, 1.7.4, which includes the fix (the wordpress.org statistics are grouped by minor version, so they cannot tell the two apart).

Does that mean that around 300,000 (roughly 30%) WordPress websites are still at risk? The number is not accurate, since the vulnerability might not be present in all previous versions of the plugin (I have not checked), but it is still worrying that so many WordPress administrators take such a long time to update.

The above statistics are proof that it takes a lot for users to keep their plugins up to date. No wonder many people think WordPress is insecure. Imagine if this vulnerability were being exploited in the wild, as has happened with others in the past.
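An administrator who looks after more than one site cannot rely on each dashboard to spot a stale plugin. The script below is an added example, not code from this article or from the plugin's authors: it reads the standard WordPress plugin header (the Plugin Name: and Version: lines in the first 8 KB of the plugin's main PHP file, the same window WordPress itself reads) for every directory under wp-content/plugins and flags any plugin whose installed version is below a known-fixed version. The only fixed version listed is 1.7.4 for the wordpress-seo slug, the release named above; the FIXED_VERSIONS table is otherwise an assumption to be filled from a site's own advisory sources, and the plugin tree it scans in the demo is constructed in a temporary directory.

```python
"""Flag WordPress plugins whose installed version is below a known-fixed version.

Added example: reads WordPress plugin headers from wp-content/plugins and
compares the Version: field against a table of first-fixed versions.
"""
import re
import tempfile
from pathlib import Path

# Plugin slug (directory name) -> first release that carries the fix.
# "wordpress-seo": "1.7.4" is the release named in the article; any further
# entries are assumptions the operator fills in from advisories.
FIXED_VERSIONS = {
    "wordpress-seo": "1.7.4",
}

# Matches "Plugin Name: X" or "Version: X", with or without a leading " * "
# from a /** ... */ docblock, one header per line.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_version(v):
    """'1.7.3.3' -> (1, 7, 3, 3). Stops at the first non-numeric piece ('1.7-beta' -> (1, 7))."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(installed, required):
    """True if installed < required, padding shorter tuples with zeros (1.7 == 1.7.0)."""
    a, b = parse_version(installed), parse_version(required)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def read_plugin_header(php_path):
    """Return the header fields found in the first 8 KB of a PHP file."""
    text = php_path.read_text(errors="replace")[:8192]
    return {key: value for key, value in HEADER_RE.findall(text)}


def find_outdated(plugins_dir, fixed=FIXED_VERSIONS):
    """Return [(slug, installed, required)] for every plugin below its fixed version."""
    results = []
    for slug_dir in sorted(Path(plugins_dir).iterdir()):
        if not slug_dir.is_dir():
            continue
        # The main plugin file is whichever top-level .php file carries the header.
        for php in sorted(slug_dir.glob("*.php")):
            header = read_plugin_header(php)
            if "Plugin Name" in header and "Version" in header:
                break
        else:
            continue  # no header found: not a plugin directory
        required = fixed.get(slug_dir.name)
        if required and version_lt(header["Version"], required):
            results.append((slug_dir.name, header["Version"], required))
    return results


def build_sample_tree():
    """Constructed sample: a wp-content/plugins tree with one outdated WordPress SEO install."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    (root / "wordpress-seo").mkdir()
    (root / "wordpress-seo" / "wp-seo.php").write_text(
        "<?php\n/*\nPlugin Name: WordPress SEO\nVersion: 1.7.3.3\n*/\n"
    )
    (root / "hello-dolly").mkdir()
    (root / "hello-dolly" / "hello.php").write_text(
        "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n"
    )
    (root / "index.php").write_text("<?php // Silence is golden.\n")
    return root


def demo():
    """Scan the constructed tree; returns [('wordpress-seo', '1.7.3.3', '1.7.4')]."""
    return find_outdated(build_sample_tree())


if __name__ == "__main__":
    for slug, installed, required in demo():
        print(f"{slug}: installed {installed}, fixed in {required}")
```

Point find_outdated at a real wp-content/plugins directory (or run it over several sites from a cron job) to get the list of installs that still need the update. The comparison is a simple "below the fixed version" check; where a maintainer also ships a fix for an older branch, the table needs an entry per branch.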

The Benefits of Keeping WordPress Plugins Up To Date

Forget about security for a second. If you look at the changelog of WordPress SEO you will notice that all of the last 12 updates included bug fixes. Such figures are normal. For example, if you look at the changelog of our own plugin, WP Security Audit Log, you will notice that 11 of the last 12 updates included bug fixes. Hence keeping your WordPress plugins up to date is not just about security; it is also about running the latest, most stable and most efficient software.

Spread the Word – Let’s Improve WordPress’ Image

If you would like to see more people switching to WordPress and using it, then you should spread the word each time there is a security issue, regardless of whether the affected plugin is popular or not. By doing so you ensure that more users are running the latest and most secure versions, that fewer WordPress websites are hacked, and hence that many more users will trust WordPress.

Why should you care about more people using WordPress? Simple: the more people use WordPress, the better the products will be and the more work there will be for all of us involved in the community.


4 comments

Ajay 16/03/2015

Isn’t WordPress facing the very same problem as most other sites or operating systems did earlier? People running Windows would not update it with security patches, would not run firewalls and anti-virus programs, and would then click on the million malware emails and complain that the whole system was insecure.

It’s really good to see the 200k+ downloads for Yoast’s SEO plugin, but what worries me is that Yoast has 1m+ or maybe even more estimated plugin users which means many haven’t yet updated their plugin.

Additionally, the WordPress Plugins team automatically pushed the SEO update to many sites which definitely helped. But, again, I’m not sure if it’s included in the 200k updates.

There is a lot that needs to be done to get the word across and I’m hoping that we actually manage to do so. Education will help to improve WordPress security especially to stop the unsafe passwords!

Robert Abela 16/03/2015

Correct, Ajay, there is a lot that we need to do, especially when it comes to awareness etc., though I am very doubtful that the majority of users will ever listen. Hence it seems scaremongering works.

Igor 16/03/2015

Are you sure that these were all updates run by people? As far as I know, due to the severity of this security risk, WP forced an automatic update for every website that had Yoast’s SEO plugin v1.5+.

Robert Abela 16/03/2015

No, I am not sure that they are all user updates, just as I am not sure that all of them are updates, i.e. some of them must be “new” downloads; hence it is very difficult to estimate exactly how many got automatically updated, how many users actually updated the plugin and how many are left vulnerable. Regarding the claim that WordPress forced automated updates for every website, did you get that information from a reliable source? Many installations are still running 1.4 or lower and I do not think WordPress “actually” can push such updates. I mean, technically it is possible, though surely not ethical.
