WordPress is one of the most popular CMS (content management system) platforms of all time, and for good reason. The overall ease of use and administration appeals to individuals, bloggers and small & medium businesses. Plus, it’s compatible with tens of thousands of plug-ins to help you perform tasks, transform data, aggregate analytics, grow customer lists, and effectively sell products and services.
With all that WordPress has going for it, the install base is in the millions — making it a prime target for hackers looking to take advantage of widespread vulnerabilities. Unfortunately, that’s exactly what happened when a backdoor into the WordPress administration was found in the Display Widgets plugin.
The Display Widgets plugin is currently installed on over 200,000 WordPress sites across the Internet. Worse, WordPress.org staff members may have known about this for a long time, and they didn’t take immediate action to stop selling it.
Did you know that a WordPress post is published every 19 seconds, and that downloads of the platform were up over 500 percent in the last five years? WordPress now accounts for nearly 50 percent of websites on the Internet!
With hundreds of millions of posts, more than 36,000 WordCamp conference attendees, and installs in nearly 60 countries, WordPress is the “800-pound gorilla” of the Web CMS market.
Self-proclaimed as the most flexible, customizable, and easy-to-update CMS on the market today, WordPress has moved beyond hosting blog pages to now powering websites for some of the largest and most exclusive brands in the world (like McAfee, Reuters, CNN, NASA, Facebook and more).
Sure, the platform is relatively easy to use, but is it secure? This is the question that millions of users are asking themselves after the news broke about the vulnerability in the Display Widgets plugin.
However, if you own a small & medium business, you may not have the time to fully research these security concerns. You just want to know that your blog post is getting published as it should.
The intuitive and user-friendly interface is welcoming, but you must take the time to research the vulnerabilities before you decide if WordPress is right for you. The same plugins that let you take advantage of new functionality in WordPress can also be your downfall.
Security exploits are nothing new for WordPress users, and the WordPress.org team addresses these issues regularly with security releases and patches. However, if you aren’t keeping up with security patches, vulnerabilities can provide unauthorized access to your systems.
Here’s a short list of WordPress security issues and when they occurred:
Although the plugin with the backdoor code vulnerabilities was removed from the WordPress store, a question remains: “Why was it added back to the store after the three previous removals for similar issues?”
This happened after the sale of the plugin from the author to a new distributor. It was revealed that the updated plugin was publishing false entries to WordPress sites. These were only visible to logged-out users and didn’t show up in the WordPress admin section. This was in concert with a user-tracking functionality that implicitly went against WordPress’s terms of service, and that sent personal information to a third-party server!
While WordPress continues to be an incredibly popular web CMS platform, it’s important to ensure that all plugins are up to date, and that the WordPress platform itself has been fully patched.
Want to learn more about maintaining a secure presence on the Web? Contact 403Tech Inc at (403) 215-7506 or [email protected]. Our security professionals will work with you to ensure your content and site visitors are safe at all times.