25% of WordPress vulnerabilities due to 3 plugins

At OZON, we are huge WordPress fans because it is a very powerful, effective, and amazingly extensible platform, which is why it is used by 59.6% of all websites. But any platform that is extensible, as WordPress is through plugins, carries a risk: software vulnerabilities. According to a recent survey, 25% of vulnerabilities in WordPress are due to only three plugins. Which ones?

3 plugins that could kill your eCommerce site


Indeed, according to a Sucuri survey released in May 2016, while the core WordPress package has had its share of security issues, outdated plugins are a main contributor, with three in particular accounting for 25% of all WordPress vulnerabilities.

Which three plugins should you make sure are up to date? The culprits are TimThumb (dynamic image resizing), RevSlider (now Slider Revolution, which simplifies creating responsive designs) and Gravity Forms (a contact form builder).

[Figure: breakdown of top outdated WordPress plugins]

« Almost 10% of the compromised WordPress sites that we analyzed had a vulnerable version of RevSlider. When you combine RevSlider, Gravity Forms, and TimThumb, they account for 25% of the total compromised WordPress sites. All three plugins had a fix available over a year, with TimThumb going back multiple years. »

We know there are automatic updates, but these only work for the most basic WordPress sites. eCommerce sites often rely on customized themes and plugins, which would cause a lot of pain if you had no control over the upgrade process.

How to get rid of WordPress plugin vulnerabilities?


Before answering this question, we need to understand why out-of-date plugins make your eCommerce site vulnerable. Part of the reason is that WordPress is fairly complex, so its interactions with plugins can produce unwanted and occasionally dangerous security issues. The other major reason is that the coding practices of third parties can be inadequate, so basic vulnerabilities such as buffer overflows and SQL injections can be part and parcel of some “must have” feature added by a plugin.

The solution to be secure for good?

  • Update your WordPress site if you can
  • Renew the licences of your older themes and plugins so that you receive the latest security fixes
  • Switch to newer themes and plugins and keep those up to date
  • Scan your eCommerce site with our free scanner to identify whether you are still vulnerable
  • Protect your website with a robust cybersecurity solution, such as OZON, to help block attacks against these particular vulnerabilities.
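As an added example (not OZON's scanner and not code from any of these plugins), the following Python script inventories the plugins named above by reading each plugin's standard WordPress file header ("Plugin Name:" / "Version:") and flags any whose version is below a floor you supply. The floor values shown are constructed placeholders, not real fixed versions, and the plugin directory names are assumed to be the usual slugs.

```python
"""Audit installed WordPress plugins against minimum fixed versions."""
import re
from pathlib import Path

# Constructed placeholder floors (NOT real advisory data): take the actual
# fixed version for each plugin from its changelog or the advisory.
FLOORS_EXAMPLE = {
    "revslider": "9.9.9",      # placeholder
    "gravityforms": "9.9.9",   # placeholder
}

# A header field sits on its own line, optionally prefixed by ' * ' or '#'.
_HEADER_RE = re.compile(r"^[\s*#]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from a WordPress file header."""
    # WordPress itself only inspects the first 8 KiB of the file for headers.
    return {key: value for key, value in _HEADER_RE.findall(text[:8192])}


def version_tuple(version):
    """Turn '5.4.8' into a comparable tuple; '2.9' compares equal to '2.9.0'.

    A pre-release suffix such as '-beta1' is dropped, so it counts as the
    release it precedes; refine this if that matters for your floors.
    """
    parts = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_outdated(installed, minimum):
    """True when the installed version is strictly below the fixed version."""
    return version_tuple(installed) < version_tuple(minimum)


def audit_plugins(plugins_dir, floors):
    """Scan wp-content/plugins; return [(slug, installed, minimum)] for outdated ones."""
    findings = []
    for slug, minimum in floors.items():
        plugin_dir = Path(plugins_dir) / slug
        if not plugin_dir.is_dir():
            continue  # plugin not installed, nothing to check
        # The first PHP file carrying a 'Version:' header is the plugin's main file.
        for php in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php.read_text(errors="replace"))
            if "Version" in header:
                if is_outdated(header["Version"], minimum):
                    findings.append((slug, header["Version"], minimum))
                break
    return findings
```

Run it as `audit_plugins("/var/www/html/wp-content/plugins", FLOORS_EXAMPLE)` once the floors hold real fixed versions; an empty list means every configured plugin is at or above its floor.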

Régis Rocroy

Engaged in IT security since the beginning of the Internet revolution, I act as a security consultant and security architect for accounts in banking and eCommerce.