Plugin Updates

  • Creator
    Topic
  • #2121
    Rebecca Gudgeon
    Keymaster

    Hi all.

    I just wanted to drop here a reminder to you all to update your plugins on a regular basis. This is important because most often, the updates being provided are in fact security patches, ie new bits of code that are being added to counteract any vulnerabilities that have been discovered or developed within the plug-in code. This happens because there are always hackers out there, trying to get access to sites and information illegitimately, and because there are also cyber-security superheroes out there trying to protect us (they don’t all wear capes). I would recommend that you keep an eye on the Wordfence blog:

  • https://www.wordfence.com/blog/
  • and/or subscribe to their newsletter, which you can do from that same page. There are other security experts out there, and please do go exploring to find out more, but Wordfence is a great place to start – and honestly, it really does get quite fascinating and addicting, once you get into it (…no? only me then…??!).

    I’m posting this message today because I note that there has recently been a ‘high severity’ vulnerability discovered in one of the maintenance mode plugins – well, it was discovered 4 days ago. The Wordfence Threat Intelligence team found the problem, and notified the owners of the plugin, who issued a fix the following day. Once this update was available and the software thus secured again, then the vulnerability was announced, via the Wordfence blog. This is a standard protocol – the vulnerability is announced publicly only once it has been brought to the attention of the developer first, and they have had the opportunity to provide a solution. This helps to maximise protection of the sites using the plugin while the patch is being developed – but once the announcement has been made, that means that the sites which are running the older version of the software are then even more vulnerable, until they have applied the update.

    I don’t think in this case that it’s one of the plugins that I’ve ever recommended to any of you – but that’s not to say you couldn’t have found it yourself, or that it couldn’t happen to another plugin, maybe to one you do use. It can, and does, happen to lots of plugins all the time, which is exactly why there are so many updates appearing in your dashboard on a regular basis – because those unscrupulous types are continually searching for and developing new ways to get access to sites and to information. It is essential to your site security that you do these updates, and if you are interested to find out more about what each update does (eg to see whether it is a security fix), you can do so by going to the plugin’s page on the WordPress Plugin Directory: from your dashboard, you can either go to Plugins – Installed Plugins, and then click on the View Details link after the plugin description, or you can go to Plugins – Add New, and then search for your plugin by name.

    I would recommend logging into your site at least once a week, to check for and action updates. If there aren’t any that need to be done, that’s great, but I think most weeks you will find something or other does need updating, and by completing those updates promptly, you are keeping your site more secure. It also means that you will have access to optimally-functioning plugins, making your site experience smoother and smarter for visitors, as well as for you in managing it.

    I hope that’s helpful. Do you have any questions about keeping your site secure? Please add them here – it could be a question that someone else wants the answer to as well.

    Thank you,

    Rebecca.

  • You must be logged in to reply to this topic.