Disclaimer: Any products/services mentioned or recommended below are suggestions based on our own experiences. We have no affiliation with any of the products or services mentioned and you should always thoroughly and independently research your options to decide what is best for you.
November has been, well, a bit of a chaotic month for the world of WordPress. There have been several significant vulnerability discoveries with popular plugins that many websites use, leading to a spike in hacked websites.
The problem is, even if you have done the hard work to harden and secure your website, a plugin vulnerability can still allow a hacker straight through the front door if you’re even a day or two behind on running your plugin updates.
In this article we explore two things. First, we’ll run you through the vulnerabilities that were discovered this month, so that you can see whether you were affected or not. Second, we’ll run you through the best practices to ensure you’re safe over the coming months as new exploits come forward.
November Vulnerabilities Thus Far
The first big vulnerability that hit the community was on the 8th of November and affected the WP GDPR Compliance plugin. The plugin is reasonably popular because of the new privacy laws that came into effect earlier in the year for websites with European audiences, and the exploit affected over 100,000 WordPress websites. This breach meant that a new form of attack became known to the hacker community, and trends have been emerging ever since. It’s unfortunately likely that this same form of attack will be used against other plugins in the weeks and months to come. You can read the proof of concept here.
The second vulnerability hit the AMP for WP plugin on the 13th of November. This plugin once again is installed on over 100,000 WordPress websites. It has since been patched, and users should ensure it is updated as soon as possible. You can read the proof of concept here.
The third and final (so far!) vulnerability to hit the mainstream was a big one. The Yoast SEO plugin was found to be exploitable on the 20th of November, and it affects well over a million websites. The mitigating factor, however, is that the exploit is only possible through users on a website who have been assigned the “SEO Manager” role. You can read the proof of concept here.
If you have any of these 3 plugins installed, it’s time to update your website and run a security scan using a plugin such as WordFence.
Best Practices For Staying Protected
There are a few things you can do to ensure you’re as protected as possible, even against plugin vulnerabilities.
Get Real-Time Malware Protection
First of all, an investment in WordFence Premium can never hurt. WordFence Premium users get additional real-time protection, as the WordFence team will push out protection for exploits as they become known. This means that your site can still be protected even if you have an out-of-date, vulnerable plugin installed. WordFence Free users get the same protection, but with a delay of 30 days, which leaves your website vulnerable for quite a long period if you haven’t been keeping up with your plugin updates.
Get An Uptime Monitor
An uptime monitor is a handy way to know the moment your website goes down, rather than stumbling upon it the next time you visit. You have a range of options from free to premium. We’ve had a great experience so far with ManageWP and their uptime monitor tool if you’re looking for something simple and efficient. Pricing sits at $1 USD per website.
Ensure Your WordPress Admin Email Is Up To Date
A common feature of recent exploits has been the creation of new administrator users. The quickest way to learn that this has happened on your website is to receive the email that WordPress will automatically send when new users are created. It’s therefore very important to ensure you are receiving these notifications. You can check what your email is in your WordPress settings by visiting your dashboard, then clicking on “Settings” on the left-hand menu.
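The new-user email tells you after the fact, and only if the admin address is correct. A periodic audit of who actually holds the administrator role catches the same rogue-account pattern even when the email is missed. Below is an added example, not from the original post: a POSIX shell check that compares the administrator list WP-CLI reports (`wp user list --role=administrator ... --format=csv`) against a known-good baseline of logins. The sample CSV, the baseline login and the `unknownadmin` account are constructed for illustration.

```shell
#!/bin/sh
# Audit WordPress administrator accounts against a known-good baseline.
# Added example; the CSV layout matches what
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
# prints, but the rows below are constructed so the script runs offline.

# Constructed sample: one legitimate owner plus an account that appeared
# shortly after a plugin exploit became public.
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2017-03-02 10:15:00
7,unknownadmin,nobody@example.invalid,2018-11-09 03:41:12'

# Known-good administrator logins, one per line (assumption: maintained by
# the site owner and stored outside the web root).
BASELINE_ADMINS='siteowner'

# find_unexpected_admins CSV BASELINE
# Prints "login email registered" for each administrator not in the baseline;
# prints nothing when every administrator is expected.
find_unexpected_admins() {
    csv="$1"
    baseline="$2"
    # Skip the header row; user_registered is last so its embedded space survives.
    printf '%s\n' "$csv" | tail -n +2 | while IFS=, read -r id login email registered; do
        if ! printf '%s\n' "$baseline" | grep -qxF -- "$login"; then
            printf '%s %s %s\n' "$login" "$email" "$registered"
        fi
    done
}

# check_admins CSV BASELINE
# Returns 1 (and reports the accounts) when an unexpected administrator
# exists, so the check can run from cron and page you on failure.
check_admins() {
    unexpected=$(find_unexpected_admins "$1" "$2")
    if [ -n "$unexpected" ]; then
        printf 'Unexpected administrator account(s):\n%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# On a live site, replace the sample with real WP-CLI output:
# check_admins "$(wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv)" "$BASELINE_ADMINS"
check_admins "$SAMPLE_ADMINS" "$BASELINE_ADMINS"
```

Run it from cron after each plugin update cycle; any non-zero exit is a prompt to investigate the listed account before it is used to install anything further.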
Update, update, update!
One of the most critical steps to protect your WordPress website is to ensure you’re frequently installing core, theme and plugin updates as they become available. Set a reminder for yourself, or use a tool such as ManageWP to run your updates automatically.
Back It Up
And finally, in case something does go wrong, please ensure you have a plan B in place. It’s important to keep your own backups, and to rely on your web host’s backups only as a last resort. Check out tip #1 in our WordPress protection guide for more information on how to set up a backup system.
That’s it from us for this week. As always, if you have any questions about this post or our shared hosting, VPS, Reseller or dedicated server plans, simply call us on 1300 MY HOST (694 678) during business hours, or submit a ticket through our Support Portal and one of the crew will be in touch!