If you are familiar with WordPress, you must have heard of the free WordPress plugin repository. In essence, the repository itself is sort of a large digital warehouse that houses free plugins created especially for WordPress. You can simply plug them into the WordPress with a couple of mouse clicks and voilà – your WordPress website just got a shiny new functionality!
At the moment, the repository lists about 45 thousand plugins with over one billion and 240 million downloads. Each one of these plugins create a new functionality or in some other way modify or extend WordPress.
But, the question remains – are these plugins safe, who exactly creates and maintains them? What`s more, who runs the security checks before they even end up in WordPress plugin repository?
Creator and owner of WordPress at this moment is the Automattic corporation, together with its founder and original WordPress creator, Matt Mullenweg. Why is this worth mentioning? Well, unlike so many free open source solutions out there on the market, WordPress itself is in quite the good hands – in a firm corporate structure with clearly defined goals and values.
Inline with the rest of the Automattic digital properties, the WordPress plugin repository is also a well oiled and maintained machine. Each published plugin is manually checked before being available to the public.
But, does this guarantee absolute safety? Last couple of incidents provide a hint that not all is what it appears to be in the WordPress ecosystem. There are some loopholes that can be exploited, and, as a consequence, result in a lot of infected and hacked websites. Let’s take a closer look at the weak points of the WordPress plugin repository.
WordPress plugin authors
Yep, you guessed it – the weakest point of the WordPress repository (but also its greatest strength) are the plugin developers themselves.
Plugin authors are developers that come from the most contrasting backgrounds and environments. Anyone can create a plugin, which is just as good, as much as it poses a potential problem.
Don’t get me wrong, WordPress would not be all that it’s cracked up to be without its community of plugin (and theme) developers, so by no means am I bad mouthing the concept itself. I am just pointing out some anomalies that happen from time to time, that one should take into consideration before installing just about any plugin out there without even checking who developed it.
Anyway, the big majority of WordPress plugin developers are great coders with excellent programming skills and good intentions. But what about those with malicious intentions?
Life cycle of an average WordPress plugin
Like I mentioned earlier, every plugin is manually checked before being publicly available in the official WordPress repository. But, what happens after that?
Usually, things take one of two possible routes:
- Plugin becomes moderately to very popular and it gets downloaded by a large number of users. Developer then usually finds a way to monetize otherwise free plugin (through premium versions, different licensing schemes, custom development, etc.). The life cycle of the plugin is continued through regular updates and upgrading of its features (usually guided by user`s requests).
- Plugin doesn’t get picked up. Users don`t show sufficient interest for the developer to be able to keep up the motivation of maintaining it. Developer also doesn’t find a way to monetize the plugin, so the whole project simply dies down.
The second route is the one we want to take a closer look at. The anomalies I am describing happened through a plugin that took the second route.
Sucuri.net, one of the most famous (and best) internet security companies published an article on this topic. You can read more on the following link: https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html
I will try to simplify what happened with the mentioned plugin for the remainder of this article.
When WordPress plugin turns bad
As I`ve mentioned earlier, the average life cycle of a WordPress plugin usually has two routes. The second one, where it dies out, is the one we are looking at. The incident we are describing happened with the plugin called Custom Content Type Manager.
The plugin itself was developed during three years(!), downloaded by more than 10.000 visitors from the WordPress repository with an average rating of 4.8.
But, as the plugin lost momentum, the author abandoned it, and what followed was 10 months of silence (no updates or news about the plugin).
What happened next?
Well, long story short, after ten months of inactivity, the plugin somehow found itself in a not-so-friendly hands of a hacker with bad intentions. WordPress’s own team of investigators assume that one of two things happened:
- Plugin author sold his user account to the new author
- Plugin author abandoned the account, someone hacked it and took over the plugin
So, after ten months, a new version of the plugin was published.Only this time, the new version was shipped with a mechanism to collect information about WordPress user accounts (usernames) from websites that had the plugin installed. The plugin also collected the URLs of the websites.
After that, the hacker created a long list of websites, and prepared for the attack, that came swiftly and viciously.
The next step was to inject malicious files into compromised websites, through which the hacker gained complete access, and was able to upload any kind of content (advertising, banners, other malicious code, etc.). The sky was the limit. By controlling such large number of websites in such a way, hacker`s options are limitless (selling advertising, black hat SEO, infecting visitor’s computers, etc.).
So, there you have it – the what, the how, and the why.
A question remains – are free WordPress plugins safe?
Well, the answer is – yes and no. The plugin is safe to the same extent you are able to trust the plugin author not to take advantage of the fact that he/she controls what kind of code is executed on your website through his/hers plugin. In many cases, this is quite difficult to assess.
From the above incident, you can see that the problem had risen at the point of publishing new version of a particular plugin. The clever thing (by the hacker) was knowing that the existing plugins and their new versions don’t have to go through the same security measures new plugins do before being published.
The new owner of the earlier well trusted plugin injected malicious code, and infected a large number of websites. The owners, without knowing it, infected their sites by doing what they do normally – update plugins to the new versions through a single click of a mouse button.
How to protect yourself?
By democratizing and decentralizing how WordPress works, we have all received a wealth of benefits. We received an open and reliable web publishing platform that is practically limitless in its expansion possibilities, even for the non tech-savvy users. Even those that are computer illiterate, are able to update or even install a plugin and seriously influence the underlying code execution of their website to a great extent.
But, we’ve also gained the ability of having just about anyone creating a WordPress plugin. Back to the beginning of the article – this is just as good, as it can be damaging – WordPress plugins can be unstable, unreliable, poorly coded, or as the example above showed us, malicious in its intent.
Do you really need that plugin?
When our agency develops a website, we try to avoid using free plugins whenever we can. Of course, sometimes using freely available plugin makes sense either because the available plugin is so great you would have to develop something similar for months to be able to come to the same level of functionality. Other times, it just makes sense for the client, financially, to use a free (or even paid) plugin, just to keep the development costs at the desired level. In other words, there are times (and often) when you are better of using a proven plugin, than building something from scratch. In WordPress world, there’s often no need to reinvent the wheel.
But, as clients come to us with existing websites built with WordPress and ask for a redesign, we often see unnecessary plugins – plugins whose usage could have been avoided just by adding a couple of lines of code to the theme (or a custom plugin that holds other theme functionalities). This way, by lowering the number of plugins used on a particular website that come from unknown sources (let’s face it, even WordPress repository plugins are unknown to an average website owner or administrator), you are lowering your chances of getting infected or jeopardizing your website in some other way.
With great power, comes great responsibility
WordPress is great, and there’s a gazillion reasons why you should love it, and use it. But, you must also understand that managing a website in a way that you are changing or adding executable code, is serious business.
You should not take lightly the ability to place an unknown executable code into your website through a single click of a mouse. You should also take into consideration the extent to which you can trust a particular plugin developer, and to which extent you can comprehend what the underlying code does to your website in terms of security and stability.