
All you need to know about WP Plug-ins

01 Sep 2017

We all know that plug-ins are the heart of WordPress as a Content Management System (CMS).

WordPress has stood tall in the market for over thirteen years and has outlasted other platforms. This is largely thanks to WP plug-ins.

From my personal experience of handling numerous security battles, I always recommend running the MRV – Most Recent Version. Once you are an MRV fanatic, getting hacked won’t be a concern for you anymore, provided you keep a keen eye on whether the current update affects your other plug-ins in any way.

 

How can a plug-in break your website?

In this world everything comes at a price, and incorporating a plug-in is no exception.

Let’s look at several factors to get a definite understanding.

The question lingering in many minds is: what is the minimum and maximum number of plug-ins we should install on a website? And what are the consequences of adding many plug-ins?

Installing a new plug-in, updating an existing plug-in or updating WordPress itself can break your website. This applies to huge sites too.

 

Downloading the plug-in:

I strongly recommend downloading plug-ins from the authorized WordPress repository, as the source of a downloaded plug-in has a direct impact on its quality.

When you search for a plug-in and install it from the WordPress dashboard, it always comes from the wordpress.com/plug-ins repository.

If you install a plug-in from an unauthorized source, you naturally open the door to malware and intruders.

1) About the recent update

The primary thing to consider is when the plug-in was last updated.

Plug-ins need to be updated soon after each WordPress release to stay in line with it.

Security loopholes must be noted, and anything that affects security must be updated constantly.

If a plug-in has not been updated since the previous year, an alarm must be raised.

A banner alert is shown at the top of the page for a plug-in that has not been updated in more than a year.

2) Is it tested against your existing version of WordPress?

Every time you download a plug-in, you will see a section with version compatibility information.

The following can be viewed:

  • Version
  • Last updated
  • Active Installs
  • Requires WordPress Version
  • Tested up to

Always make sure that the version you are downloading is compatible with your existing version of WordPress; incompatibility can lead to many issues.

3) About the ratings

It’s all about the customer ratings.

Check that the star rating is more than 3.

I recommend going for a 4-star rating, as those plug-ins have been through more real-world use and exhibit better performance.

4) About the support

Two common questions must be answered.

  1. Does the developer actively support the plug-in?
  2. How quickly do they respond to queries and provide a solution?
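The four checks above, together with the MRV rule from the introduction, written out as a small Python review script; this is an added example, not part of the original post, and the plug-in records, the current WordPress version (4.8.1) and the review date are constructed assumptions.

```python
from datetime import date

def parse_version(version):
    """Turn a dotted version string such as '5.4.5.1' into a tuple that compares numerically."""
    return tuple(int(part) for part in version.split("."))

def review_plugin(meta, wp_version, today):
    """Apply the checks above to one plug-in's repository metadata and return the warnings raised."""
    warnings = []
    # 1) last update: the post raises an alarm at more than a year without an update
    if (today - meta["last_updated"]).days > 365:
        warnings.append("not updated for more than a year")
    # 2) compatibility: 'Tested up to' is given as major.minor, so only those parts are compared
    if parse_version(meta["tested_up_to"])[:2] < parse_version(wp_version)[:2]:
        warnings.append("not tested with WordPress " + wp_version)
    # 3) ratings: the post recommends 4 stars or better
    if meta["rating"] < 4:
        warnings.append("rating below 4 stars")
    # 4) support: an inactive developer is a warning in its own right
    if not meta["actively_supported"]:
        warnings.append("developer does not actively support it")
    # MRV: the installed version should match the most recent one published
    if parse_version(meta["installed"]) < parse_version(meta["latest"]):
        warnings.append("installed %s is behind most recent version %s" % (meta["installed"], meta["latest"]))
    return warnings

def review_site(plugins, wp_version, today):
    """Run review_plugin over every installed plug-in; returns {name: [warnings]}."""
    return {name: review_plugin(meta, wp_version, today) for name, meta in plugins.items()}

# Constructed sample records (hypothetical plug-ins, not real repository data); the slider's
# version numbers reuse the 2.1.7 / 5.4.5.1 figures quoted later in the post.
SAMPLE_PLUGINS = {
    "slider": {"installed": "2.1.7", "latest": "5.4.5.1", "tested_up_to": "4.8",
               "last_updated": date(2017, 7, 10), "rating": 4.5, "actively_supported": True},
    "cache": {"installed": "0.9.5.4", "latest": "0.9.5.4", "tested_up_to": "4.5",
              "last_updated": date(2016, 3, 1), "rating": 3.2, "actively_supported": False},
}

def review_sample():
    """Review the constructed sample against WordPress 4.8.1 (assumed current) as of 1 Sep 2017."""
    return review_site(SAMPLE_PLUGINS, "4.8.1", date(2017, 9, 1))

if __name__ == "__main__":
    for name, warnings in review_sample().items():
        print(name, "->", "; ".join(warnings) or "OK")
```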

 

Plug-in management:

Theoretically, WordPress can handle any number of plug-ins without impeding the performance of your website. In practice, the speed of the website and how it is affected is one of the major factors to deal with.

Your hosting platform’s performance is one of the significant factors. Many hosting providers offer only small bandwidths. This is where the myth breaks down: with every consecutive plug-in you install, the website’s speed is hampered.

So the hosting service is one of the regulators of your website’s speed. It’s wise to be cautious from the start.

The secondary factor is how a plug-in is programmed. Sometimes your site crashes completely because of specific plug-ins, and improper coding is the only cause.

When installing plug-ins we have all come across situations where they affected and brought down a WP website in strange ways. If a plug-in works perfectly from the start, it can be considered reliable.

Assuming you have enough memory and hosting that is fast enough, you then have to focus on trustworthy plug-ins for your website.

 

Why should we not install plug-ins for everything?

Plug-ins: A mandatory evil?

The usual reason for a lot of WP issues is your choice of plug-ins. It’s a known fact that plug-ins are written by various developers with varying skills, so you must be cautious about which ones you install and how many.

As a usual norm, we suggest keeping the number of plug-ins installed under 20.

The rule of thumb is: “the more plug-ins, the greater the risk of your site getting hacked”.

Delete inactive plug-ins completely, along with any active plug-ins you don’t need anymore.

Memory

When people visit your website, a lot of code is executed to deliver the page to their browser, and the code introduced by your plug-ins runs along with it. Because of this, your website may slow down and its memory requirement increases.

Database and file system

Almost all plug-ins occupy a little space in your file system, and several plug-ins use your WP database to store configuration and other related data. While the plug-in files themselves won’t occupy much space, on a lower-cost hosting plan with a small quota the space assigned to you can fill up quickly.

Management

Your plug-ins must be updated regularly.

Normally when an update is available, you are notified with a direct link to it. But on many occasions the update might break your website because of an existing bug in the code, or it might conflict with other plug-ins.

Conflicts

Some plug-ins are written in a way that conflicts with something else. For example, a programmer gives one of their plug-in variables a reasonably generic name. If it matches a variable name in another plug-in used on your website, it causes issues for you. Not everyone follows the coding norms and standards that govern plug-in development, and where plug-ins run to many thousands of lines of code, it’s no big surprise that mistakes occur.

It’s wise to have fewer plug-ins to reduce conflicts.

Security

Plug-ins are pieces of code, and they must be coded to be resistant against vulnerabilities. The risk of threats will be minimal if you manage your website by updating the plug-ins and WordPress systematically. However, it takes time for plug-in developers to fix threats and release an update. This time gap creates an opportunity for hackers.

Simply put, the less frequently you update your plug-ins and the more plug-ins you use, the greater the chance of getting hacked.

 

What happened with the top plug-ins?

Revslider

Most Recent Version: 5.4.5.1 (StarPath) released on 10th July 2017.

Vulnerable Versions: If you are using any version (slightly or greatly) lower than 5.4.5.1, you are allowing a breach into your most valued websites any moment now.

I will give you one example: the world’s most influential cyber attack, which attracted global attention, and how it was done using the vulnerability present in the WordPress RevSlider plug-in.

By now we all know about the largest data breach (in the history of journalism) into the Panamanian law firm Mossack Fonseca (MF). The hackers intruded via a vulnerable version of Revolution Slider and accessed nearly 11.5 million documents weighing about 2.6 TB.

This data breach brought down the Prime Minister of Iceland and caused controversy around the Russian president and the British Prime Minister.

It was discovered that they were running an outdated version, 2.1.7, which laid an easy path for the attackers. All versions below 5.4.5.1 are prone to threats, and hack-attacks may be possible.

It’s wise to stick to the MRV so that your valuable website has a healthy (threat-free) long run.

W3 Total Cache

Most recent Version: 0.9.5.4

Vulnerable Versions: If you are using any version (greatly or slightly) lower than 0.9.5.4, you are allowing a breach into your valued websites any moment now.

Two examples will suffice to show how the WP W3 Total Cache plug-in was subject to vulnerabilities.

(i) An information disclosure vulnerability was discovered in the W3 Total Cache plug-in. Sensitive information such as the administrator’s session cookie is exposed by this issue. The moment the administrator submits the support form, exploitation of the vulnerability is highly possible within a very short period.

The vulnerability was found in version 0.9.4.1.

It was fixed in version 0.9.5.

(ii) Another vulnerability was found in the validation of Amazon SNS messages in the W3 Total Cache plug-in. It can result in denial of service, as it permits an attacker to execute various actions relating to the server’s cache.

The vulnerability was found in version 0.9.4.1.

It was fixed in version 0.9.5.

WP Super Cache

Most recent Version: 1.5.3

Vulnerable Versions: If you are using any version (greatly or slightly) lower than 1.5.3, you are allowing a breach into your valued websites any moment now.

Two examples will suffice to show how WP Super Cache was subject to vulnerabilities.

(i) The WP Super Cache plug-in patched cross-site scripting vulnerabilities on its settings page.

I have said many times that it’s wise to upgrade if you are using an older version. In this case those pages were accessible by admin users only, so an unknown visitor can’t simply come along and steal your login cookies, but along with those fixes come many bug fixes.

The vulnerability was found in version 1.4.4.

It was fixed in version 1.4.5.

(ii) If an attacker manages to inject malicious code into the legacy cache meta files, PHP object injection can occur. The WP Super Cache plug-in is subject to a remote PHP code-execution vulnerability: attackers can exploit this problem to execute arbitrary PHP code within the context of the web server.

The vulnerability was found in version 1.4.4.

It was fixed in version 1.4.5.

WP Rocket

Most recent Version: 2.10.7, released on 2nd August 2017

Vulnerable Versions: If you are using any version (greatly or slightly) lower than 2.10.7, your valued websites are prone to breach any moment now.

An example will suffice to show how WP Rocket was subject to a vulnerability.

In version 2.9.3 of the WP Rocket plug-in, the LFI (Local File Inclusion) mitigation technique was to trim the traversal characters (..), but this is insufficient to stop remote attacks and can be bypassed using null (0x00) bytes, as demonstrated by a (.%00…/.%00…/) attack.

The vulnerability was found in version 2.9.3.

It was fixed in version 2.10.4.

  

What are the remedies?

  • As discussed before, more plug-ins draw the attention of hackers. The rule of thumb is “less will suffice”, or “the more plug-ins, the greater the risk of your site getting hacked”.
  • If the plug-in update itself is one concern, its effect on your existing WordPress installation and theme is another. (Avoid plug-ins showing this caution: “This plug-in has not been tested with your current version of WordPress”.)
  • Always check for plug-ins with quality reviews, a 4-star+ rating and positive user experience from the community/forum.
  • It’s highly recommended that you download plug-ins from the WPPR (WordPress Plug-in Repository), as some plug-ins can inject malware directly or contain security loopholes.
  • Fewer scripts: loading too many scripts slows down the website.
  • Conflicts between plug-ins ultimately slow down the website. As for load speed, sites with a complex codebase load slower than simpler ones.

 

Finally,

We all know that plug-ins play a vital role in WordPress websites.

Yet they attract many hacker intrusions if security advice and practices are not followed.

I hope the information in this blog suffices, and if you feel we have forgotten to mention anything at all, we are glad to receive it in the comments.

I can sense that many are curious and willing to share their personal experience.

Please do share them for the benefit of other visitors.
