Finding Secure WordPress Plugins

Having an up-to-date WordPress core doesn’t do anything for security if you are running plugins that are not secure. Plugins run with the same authority as WordPress itself, and it only takes one bad plugin to put your whole site’s security at risk, so you want to be sure that the plugins you have are not risky. While there is no real assurance of plugin security other than a security code review, which can be very costly, there are some basic due diligence items you can research to determine a plugin’s stance on security and vulnerabilities.

  • Review the author’s homepage and background. Do they have a history of secure code? Do they have independent third parties review the code for security vulnerabilities? Do they state that the code is secure?
  • Identify who is behind the plugin. Is it a professional plugin author who has the time and expertise to create a secure plugin and maintain it? Is it someone who is learning how to code by building a neat plugin?
  • Are there any open vulnerabilities for the plugin? Use your favorite search engine and search for [plugin name] + vulnerability or [plugin name] + exploit. Not every plugin will have a vulnerability so don’t be fearful if you don’t find anything.
  • Review the plugin’s changelog. Does it involve patching of security vulnerabilities? Once again, not every plugin will have a vulnerability so don’t be fearful if nothing is listed.
  • Determine if the plugin is maintained. If the author(s) don’t update it for compatibility or feature updates, then it might be abandoned, and if a security issue were to come up, you would be out of luck for a vendor-provided fix and left to address it yourself.
  • Review the user ratings and comments. Is the author responsive, with a high level of support? While this is not specifically a security question, it does provide insight into the responsiveness and professionalism of a company, which could translate into security responsiveness if an issue were to come up.
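
The checks above can be applied mechanically to the metadata the WordPress.org plugin directory publishes for every hosted plugin. The following is an added example, not code from the original post: it scores a plugin record of the shape returned by the WordPress.org plugin information API (the field names last_updated, tested, version, support_threads, support_threads_resolved and sections.changelog are the API’s; the record itself is constructed, and the plugin name is hypothetical). It also covers the monthly “is my installed version current?” check from the update post below by comparing the installed version with the directory’s latest.

```python
"""Score a WordPress plugin against the due-diligence checklist.

Added example, not code from the original post. The record below is
constructed to look like a reply from
https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=<slug>
"""
from datetime import date, datetime
import re

# Constructed sample; "Example Gallery" is a hypothetical plugin.
SAMPLE_PLUGIN = {
    "name": "Example Gallery",
    "slug": "example-gallery",
    "version": "2.4.1",
    "last_updated": "2012-09-03 4:12pm GMT",
    "tested": "3.4.2",
    "rating": 78,
    "num_ratings": 41,
    "support_threads": 30,
    "support_threads_resolved": 6,
    "sections": {
        "changelog": (
            "= 2.4.1 =\n* Fixed XSS vulnerability in the upload form\n"
            "= 2.4.0 =\n* Added lightbox option\n"
            "= 2.3.2 =\n* Security fix for SQL injection in search\n"
        )
    },
}

# Words that mark a changelog entry as a security fix (the "search the
# changelog for patched vulnerabilities" item of the checklist).
SECURITY_WORDS = re.compile(
    r"\b(security|vulnerab\w*|xss|csrf|sql injection|exploit)\b", re.I
)


def parse_last_updated(value):
    # The API writes e.g. "2012-09-03 4:12pm GMT"; only the date part matters.
    return datetime.strptime(value.split(" ")[0], "%Y-%m-%d").date()


def version_tuple(v):
    # "3.10" -> (3, 10) so that it sorts after "3.9" instead of before it.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def security_changelog_entries(changelog):
    return [line.strip() for line in changelog.splitlines() if SECURITY_WORDS.search(line)]


def assess(plugin, installed_version, current_wp, today, stale_days=365):
    """Return (severity, message) findings for one plugin record."""
    findings = []
    updated = parse_last_updated(plugin["last_updated"])
    if (today - updated).days > stale_days:
        findings.append(("high", f"not updated since {updated}; may be abandoned"))
    if version_tuple(plugin["tested"]) < version_tuple(current_wp):
        findings.append(("medium", f"only tested up to WordPress {plugin['tested']}, site runs {current_wp}"))
    if version_tuple(installed_version) < version_tuple(plugin["version"]):
        findings.append(("high", f"installed {installed_version}, latest is {plugin['version']}"))
    sec = security_changelog_entries(plugin["sections"].get("changelog", ""))
    if sec:
        findings.append(("info", f"{len(sec)} security-related changelog entries; confirm the installed version includes them"))
    threads = plugin.get("support_threads", 0)
    if threads:
        resolved = plugin.get("support_threads_resolved", 0) / threads
        if resolved < 0.5:
            findings.append(("low", f"only {resolved:.0%} of support threads resolved"))
    return findings


if __name__ == "__main__":
    # Constructed scenario: site runs WordPress 3.8 with plugin 2.3.2 installed.
    for severity, message in assess(SAMPLE_PLUGIN, "2.3.2", "3.8", date(2013, 12, 19)):
        print(f"[{severity}] {message}")
```

The thresholds (a year without updates, fewer than half of support threads resolved) are assumptions to be tuned; the point is that each checklist item maps to a field you can read from the directory rather than guess at. A real run would fetch the JSON for each installed plugin’s slug and pass it to `assess`.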

What other due diligence review items do you go through?

Target Store Data Breach

Brian Krebs originally posted yesterday that Target is investigating a data breach. Today Target confirmed that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013! Ouch. With an impact this wide, it was either an inside job or the internal servers were breached.

What should you do if you were one of those who shopped and bought something at Target recently?

  • Check your online statements for unknown charges. If you report a charge in a timely manner, the card company will not likely hold you accountable for the charge. But do check up on it because the longer a charge goes without question, the more likely you will be responsible for some dollar amount.
  • Replace the card. Call up the company and request new numbers.
  • Enable a fraud alert with the credit reporting companies
  • Create an Identity Theft Report with the Federal Trade Commission

Even if you weren’t impacted, this is a good reminder to check your credit scores and make sure everything is accounted for. Annual Credit Report gets it to you free, as required by federal law.

How to Maintain WordPress Software Security

Just as with your desktop software, you should keep your WordPress software up to date as well. With WordPress running a majority of websites now, more attackers are looking for vulnerabilities in it, as that would have a high return rate for them. Various vulnerabilities have been identified in WordPress in the past, and the project has a good track record of addressing them in a timely manner.

If you have a recent WordPress installation (3.7 or above), then you likely have automatic updates for WordPress core already going. That is certainly good news, as it’s one less thing to remember, but I generally don’t like automatic updates because they don’t give you the ability to test and make sure your site is fully working.

As to your plugins and themes, you will want to make a habit of logging into the WordPress admin panel and checking for updates at least on a monthly basis (just as you should be doing with your normal desktop updates). Or, if you want to take the automatic updates approach for plugins and themes as well, there is a plugin called Advanced Automatic Updates which will do that activity for you.

Also note that some web providers / hosts already perform updates on your behalf, so you should understand the built-in options at the server and host level.

How to Know When New Security Patches Exist

While the built-in tools are made to help you get notifications of new security updates, you might not notice them in a timely manner due to various factors. One way to stay up to date on when security patches are released is to subscribe to security notifications from the vendors, or to use a service that aggregates all the security information.

This is not a complete list, but simply a list of the top vendors you should be aware of, as the attack surface of those products is incredibly high.

Email or RSS based security notifications:

Where to Find Software Patches?

This will vary according to what operating system and applications you are running. Among the most common software products in use on Microsoft Windows based machines, Adobe Reader, Adobe Flash and Oracle Java are the top products with frequent security patch releases.

Microsoft releases their security updates on the second Tuesday of every month. This well-known release schedule for security updates will help you plan your deployment of the updates accordingly. On occasion, Microsoft will release a fix outside the standard schedule when a critical vulnerability has been identified and is likely being exploited in the wild. Using the Windows Update control panel will take you through that process.

Adobe has adopted Microsoft’s “Patch Tuesday” model for releasing their security updates. This originated from customers wanting a single patch cycle to make it a bit easier to maintain a fully patched system. Adobe has a built-in update tool in their Flash and Reader software. The Adobe Flash Player Distribution page and Adobe Reader page have direct download links.

Oracle releases Java updates three times per year in February, June and October. As the updates are concentrated in batches, they likely include a large number of security fixes. On occasion, Oracle will release an out-of-band security fix for high impact vulnerabilities. Using the Java control panel will take you through the update process.

As a good practice, I would make sure your computer is running the latest software every month.
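
The schedules above are regular enough to put on a calendar. The following is an added example, not code from the original post: it computes the next Patch Tuesday (second Tuesday of the month, as used by Microsoft and Adobe) and the current-or-next Oracle Java update month from the February/June/October cadence the post describes, plus the monthly check-in the post recommends. Out-of-band releases are by definition unscheduled, so they are not modelled; the check interval of 31 days is an assumption.

```python
"""Patch calendar helpers built from the vendor schedules described above.

Added example, not code from the original post. Assumes the cadences as the
post states them: second Tuesday of the month for Microsoft/Adobe, and
February, June and October for Oracle Java.
"""
from datetime import date, timedelta
import calendar

JAVA_UPDATE_MONTHS = (2, 6, 10)  # Feb, Jun, Oct per the post


def second_tuesday(year, month):
    """Patch Tuesday for the given month."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0 ... so calendar.TUESDAY == 1
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(today):
    """First Patch Tuesday on or after `today` (rolls into next month if passed)."""
    candidate = second_tuesday(today.year, today.month)
    if candidate < today:
        year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
        candidate = second_tuesday(year, month)
    return candidate


def next_java_update_month(today):
    """(year, month) of the current or next Java update cycle."""
    for month in JAVA_UPDATE_MONTHS:
        if month >= today.month:
            return (today.year, month)
    return (today.year + 1, JAVA_UPDATE_MONTHS[0])


def monthly_check_overdue(last_checked, today, max_days=31):
    """True if the 'check everything every month' habit has lapsed."""
    return (today - last_checked).days > max_days


def patch_calendar(today, last_checked):
    """Summarise what to plan for, as a plain dict."""
    year, month = next_java_update_month(today)
    return {
        "next_patch_tuesday": next_patch_tuesday(today),
        "next_java_update_month": f"{year}-{month:02d}",
        "monthly_check_overdue": monthly_check_overdue(last_checked, today),
    }


if __name__ == "__main__":
    # Constructed scenario: it is 19 December 2013 and the last check was 1 November.
    for key, value in patch_calendar(date(2013, 12, 19), date(2013, 11, 1)).items():
        print(f"{key}: {value}")
```

`next_patch_tuesday` treats the day itself as still valid, so running the script on a Patch Tuesday morning returns that day rather than the following month; adjust the comparison if you prefer to plan from the day after.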

Why Should I Apply Software Patches?

One major factor in your computer’s state of security is what software you are running. The more software in use, the more potential issues could be leveraged by an attacker. The top cause of a computer getting exploited is running older versions of software that have known vulnerabilities in them. This is why it is incredibly important to keep your devices up to date. From operating systems, to applications, to browser plugins, you should maintain your computing environment with the latest security updates. Vulnerabilities are identified frequently in products, which is why vendors put out patches to address them.