It’s nice to be popular, but it can come with some rather irritating side effects. Take Windows for example; it’s globally-known, used by everyone from students typing up essays on their laptops to large corporations and everything in-between. But its success is also its weakness; with so many users worldwide, many of whom are relatively lacking in technical knowledge, Windows is the perfect target for the type of unsavory characters that are always on the lookout for software vulnerabilities to exploit.
Keep your WordPress site safe from exploits
WordPress may not be quite as ubiquitous as Windows (I think the install base is off by a few zeros), but it’s still far and away the most popular CMS, and its ease of use has made it the go-to solution for casual users looking to build their own blog or personal website. So naturally, it’s the juiciest fruit for enterprising exploiters looking to take advantage of a website’s weaknesses, both in WordPress itself and in its extensions.
For the most part, of course, developers are extremely careful to protect their releases accordingly, but everyone makes mistakes sometimes, and when you’ve got an install base running into the millions upon millions, there’s going to be a steady stream of issues.
In fact, you can see the full scale of the vulnerability problem on the WPScan Vulnerability Database website; new issues are discovered regularly. Thankfully though, WordPress developers are a helpful bunch and will do what they can to patch up any issues as soon as they hear about them. For this reason, it’s worth loading your WordPress dashboard up with a few plugins or services that will help you keep your system safe and up-to-date, reducing the risk of your site suffering from any known vulnerabilities. Here are a few we’ve dug up that will help you be as safe as possible.
WP Updates Notifier
A very useful plugin that will help you keep all your plugins updated to the latest versions, mitigating the risk of a vulnerability being present. With it, you’ll be informed via email whenever a new update is made available for one of your installed plugins, so you can get updated ASAP. Once things become routine it can be very easy to inadvertently forget to check the dashboard for updates, but with this plugin you can stay on top of things. In addition, when an email is sent it will also allow you to view the changelog of the plugin in question, so you can check whether it’s an important security bug-fix or not.
No Longer in Directory
Those folks who contribute to keeping WordPress running smoothly are the unsung heroes of websites. Their efforts ensure that each plugin, before it can be added to the plugin repository, is analyzed according to the rules of the WordPress.org repository for vulnerabilities or other issues that could affect users negatively. If such issues are discovered, the plugin may be removed from the repository to protect users from being affected by any exploits. Unfortunately, when a plugin is removed from the directory for being on the dodgy side, nobody will actually inform you of this fact. However, by installing the No Longer in Directory plugin, you’ll have a helpful tool that not only advises you if a particular plugin has been removed from the repository; it will also highlight plugins that haven’t been updated in over two years, which is a long time in WordPress development.
This plugin is similar to WP Updates Notifier in terms of functionality, but with a specialist focus on identifying plugins in which vulnerabilities have been proven. When a plugin that has issues is installed on your site, it will show a message on the list of installed plugins advising you of the issues, and there’s an option for sending an email when such issues are detected so you can be doubly safe. However, something to bear in mind when using this plugin is that it is not constantly updated, so new vulnerabilities may only appear as warnings 1-2 weeks after their initial discovery, which in the case of vulnerabilities in popular plugins may be too long. For that reason, don’t rely on this plugin for all of your vulnerability-hunting needs; diversify your sources!
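The three plugins above each perform one check against the plugin directory: is a newer version available, has the plugin gone stale or been removed, and is the installed version one with a known issue. The script below is an added example, not code from this post or from any of the plugins it describes, that runs all three checks in one pass over a constructed snapshot of directory metadata. The field names `version` and `last_updated` mirror what the wordpress.org plugin-information API returns, but the records, slugs and the advisory list here are all made up for the example; a real audit would fetch the record for each slug and pull advisories from a source such as the WPScan database.

```python
"""Audit installed WordPress plugins for updates, staleness, removal and known issues.

Added example; the directory records, advisory entries and plugin slugs are
constructed for illustration and are not real plugins.
"""
from datetime import date, timedelta

# Constructed snapshot of the directory's per-slug metadata. A value of None
# stands for "the directory returned no record for this slug", which is what
# you see once a plugin has been removed from the repository.
DIRECTORY = {
    "fresh-plugin":   {"version": "2.1.0", "last_updated": "2024-03-02"},
    "stale-plugin":   {"version": "1.0.3", "last_updated": "2019-06-14"},
    "current-plugin": {"version": "4.0.0", "last_updated": "2024-01-10"},
    "removed-plugin": None,
}

# Constructed advisory list: installed versions strictly below `fixed_in`
# are treated as affected.
ADVISORIES = {
    "fresh-plugin": {"fixed_in": "2.1.0"},
}

# "Not updated in over two years" threshold used by No Longer in Directory.
STALE_AFTER = timedelta(days=2 * 365)


def parse_version(version):
    """Turn '2.1.0' into (2, 1, 0) so that '2.10.0' sorts after '2.9.0'.

    Only dotted numeric versions are handled; pre-release suffixes would need
    extra parsing.
    """
    return tuple(int(part) for part in version.split("."))


def audit_plugin(slug, installed_version, directory, advisories, today):
    """Return the list of findings for one installed plugin (empty means clean)."""
    findings = []
    record = directory.get(slug)
    if record is None:
        # No record at all: the plugin is no longer in the directory.
        findings.append("removed-from-directory")
    else:
        if parse_version(record["version"]) > parse_version(installed_version):
            findings.append(f"update-available:{record['version']}")
        last_updated = date.fromisoformat(record["last_updated"])
        if today - last_updated > STALE_AFTER:
            findings.append("not-updated-in-2-years")
    advisory = advisories.get(slug)
    if advisory and parse_version(installed_version) < parse_version(advisory["fixed_in"]):
        findings.append(f"known-vulnerable:fixed-in-{advisory['fixed_in']}")
    return findings


def audit_site(installed, directory=DIRECTORY, advisories=ADVISORIES, today="2024-06-01"):
    """Map every installed plugin (slug -> version) to its findings.

    `today` is passed as an ISO date string so that results are reproducible.
    """
    today_date = date.fromisoformat(today)
    return {
        slug: audit_plugin(slug, version, directory, advisories, today_date)
        for slug, version in installed.items()
    }


if __name__ == "__main__":
    # Constructed list of what is installed on the site being audited.
    installed = {
        "fresh-plugin": "2.0.5",
        "stale-plugin": "1.0.3",
        "current-plugin": "4.0.0",
        "removed-plugin": "0.9",
    }
    for slug, findings in audit_site(installed).items():
        print(f"{slug}: {', '.join(findings) or 'ok'}")
```

Run as a script it prints one line per plugin; the findings are returned as plain strings so the same function can feed an email notifier or a dashboard notice, which is exactly the split the three plugins make between detection and alerting.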
WP Rollback
This plugin can be extremely useful when you’ve updated your theme or plugin (especially if you updated in haste because of a security fix) and find that it’s managed to break your website, for example via the API changes included in the update. With WP Rollback, you can go back to any previous version of a given plugin, as long as it was published on the official WordPress Plugin repository. This is rather helpful, since doing it manually would take much longer and be extremely boring!
Undoubtedly though, this is not a magical solution to all such problems, so it’s a really, really good idea to make sure you’ve got a complete backup copy of your website, just in case a plugin update modifies the structure of the data in the database, which would complicate rolling back somewhat.
Central management of WordPress
If you’re managing more than one WordPress installation, then you might want to consider taking advantage of one of the many services offering centralized management of WordPress. Thanks to such services, you can update the plugins of multiple WordPress installations from a single place, for example:
- The Central management panel of WordPress, associated with the Jetpack add-on.
- ManageWP – A dedicated central WordPress management service to control several websites from one dashboard.
Ensuring the safety of WordPress when you’re running many extensions undoubtedly requires lots of attention, but with the right tools and plugins you can solve many problems, such as updates, vulnerability detection and monitoring a plugin’s status in the official repository. However, we need to keep in mind that despite everything, the best protection against plugin vulnerabilities is often a backup of our WordPress installation, tedious as that may sound.
We hope this article has given you some food for thought, and if you’ve run into a plugin that you found helped you keep your site safe, we’d love to hear about it in the comments below!