WordPress plugins unquestionably serve a genuine purpose: they let webmasters extend their website’s functionality well beyond the defaults. However, they also expose the website to new risks, and security is the most serious of them.
Below, we look at three immensely popular plugins that have been found to be susceptible to attack and need to be dealt with at the earliest:
If you are running your website on WordPress and have been pretty serious about building your email list, then MailPoet is a plugin you have either already heard about or are already using. In the latter case, you are in the company of 1.7 million webmasters who have downloaded this plugin at one time or another.
However, despite being a pricelessly important tool for building newsletters, MailPoet has been marred by some seriously grave security issues. The seriousness can be deduced from the fact that this plugin can hand over absolute control of your website to a hacker – a scenario that is even worse than a nightmare.
The web security company Sucuri recently detected a remote file upload issue in MailPoet, which means that anyone, whether or not they are authorized on your blog, can upload a file to your server – a dangerous situation, to say the least.
Sucuri points out that it is a myth that the WordPress admin_init hook only fires when an administrator accesses the /wp-admin directory. In truth, anyone who requests /wp-admin/admin-post.php triggers this hook, and that user need not be authenticated. Once the hook fires for an unauthenticated user, any plugin code attached to it runs on that user’s behalf, giving an attacker the means to do just about anything that code allows.
- Why are Webmasters Still Persisting with MailPoet?
In an age where email marketing is making a resounding comeback, building an email list and sending newsletters have come back into fashion. As the digital marketers of the world rely more heavily on email to reach their target customers, MailPoet has emerged as the de facto tool for doing that effortlessly and far more effectively. It also provides post notifications and auto-responders.
So, if you are running one of those millions of sites using the MailPoet plugin, update it right now to thwart this threat and make your website secure.
SEO is an indispensable aspect of any website. But if it comes at the price of a security risk, you need to stop and introspect. All in One SEO is easily among the most sought-after SEO plugins, but Sucuri experts reported last month a privilege escalation vulnerability in the plugin that can allow an unauthorized user to modify the title tags, the meta titles and descriptions and more, thus hampering the website’s search engine ranking.
“Cross-site request forgery flaw” – this is the threat websites using the Login Rebuilder plugin face. According to the experts, if you are logged into your WordPress website and, while logged in, visit a page that has malicious code injected into it, you would unintentionally allow the hacker to hijack your session, and he or she could then access or modify confidential information, with serious repercussions for your site. Update this plugin and you will make your site more secure.
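As an added example (not code from MailPoet, All in One SEO or Login Rebuilder), the handler below shows the three defects these reports share in one place: a plugin hooked on admin_init that never checks who is asking, changes a setting without a capability check and accepts a form without a nonce, next to a hardened version built on WordPress’s own APIs. All demo_* names are hypothetical; the same checks apply to an upload handler.

```php
<?php
/*
 * Constructed example, not code from any of the plugins named in the article.
 * wp-admin/admin-post.php fires admin_init before it checks whether anyone is
 * logged in, so a function attached there also runs for anonymous requests.
 */

// UNSAFE: is_admin() only reports that an admin-area script is executing;
// it is true on admin-post.php for a visitor who is not logged in at all.
function demo_unsafe_save_settings() {
    if ( ! is_admin() || ! isset( $_POST['demo_site_title'] ) ) {
        return;
    }
    // No capability check (privilege escalation) and no nonce check (CSRF).
    update_option( 'demo_site_title', wp_strip_all_tags( $_POST['demo_site_title'] ) );
}
// add_action( 'admin_init', 'demo_unsafe_save_settings' );

// HARDENED: a named admin-post action is dispatched only for logged-in users
// (anonymous requests would need an explicit admin_post_nopriv_* hook), and
// the handler still verifies capability and nonce itself.
function demo_safe_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Dies unless the request carries the nonce emitted by demo_render_form();
    // a request forged from another site cannot supply it.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    $title = isset( $_POST['demo_site_title'] )
        ? wp_strip_all_tags( wp_unslash( $_POST['demo_site_title'] ) )
        : '';
    update_option( 'demo_site_title', $title );
    wp_safe_redirect( add_query_arg( 'demo_saved', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_demo_save_settings', 'demo_safe_save_settings' );

// The form paired with the hardened handler: action name plus matching nonce.
function demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_settings">';
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' );
    echo '<input type="text" name="demo_site_title" value="'
        . esc_attr( get_option( 'demo_site_title', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
```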
Keep the Website and Plugins Updated
Sucuri has said conclusively that the primary reason behind these increasing vulnerabilities is that webmasters don’t bother to update their website or their plugins. If you are running an outdated cPanel or an outdated WP theme/plugin, you are making it a pleasant romp for hackers to break into your website.
*Note: The article above is the work and thoughts of the author.