Every webmaster’s least favourite topic, security vulnerabilities, has popped up yet again. A newly discovered Cross-site Scripting (XSS) issue affecting some of WordPress’s top plugins is causing many plugin developers to rush out updates to their software.
There’s no reason for widespread panic, but you should be prepared to update any WordPress plugins as soon as updates become available to keep your exposure as low as possible.
Below are a few of the plugins that have been updated to fix this vulnerability. There are many more, so don’t think for a second that if you aren’t using any of the plugins listed, there’s nothing to worry about.
- Sucuri security notice
- Yoast post
- Jetpack post
- Easy Digital Downloads post
- Gravity Forms post
- Ninja Forms post
- WP eCommerce post
- UpdraftPlus post
- iThemes Exchange post
- Aesop Story Engine post
- Download Monitor changelog
- All In One SEO changelog
- My Calendar post
- Give changelog
- Broken Link Checker changelog
- WPTouch changelog
- P3 Profiler changelog
- Related Posts for WP changelog
- Link Library changelog
- Google Analytics Top Posts Widget changelog
- Bilingual Linker changelog
- Ultimate Member changelog
- Piklist changelog
- Seriously Simple Podcasting changelog
- Cachify changelog
- bbPress post
- BuddyPress post
- BuddyDrive changelog
- Sprout Invoices changelog
- WP Idea Stream changelog
- Church Themes Content changelog
- AppPresser changelog
- WP to Twitter changelog
- WP Print Friendly changelog
- TGM plugin activation changelog
- All In One WP Security changelog
- EventOrganiser post
- The Events Calendar post
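For plugin developers reading this, the bug class behind these updates is worth seeing in code. An XSS flaw almost always comes down to untrusted request data reaching page markup without being escaped for the context it lands in. The PHP below is an added illustration, not code from this post or from any of the plugins listed above: a small search form rendered first without output escaping and then with WordPress’s esc_attr(), esc_html() and esc_url() helpers. The shim functions at the top are assumptions that only let the file run from the command line without WordPress loaded; inside a real plugin you rely on the genuine helpers.

```php
<?php
// Added example, not taken from the post or from any listed plugin.
// It contrasts a plugin fragment that echoes request data straight into
// HTML with the same fragment using WordPress's escaping helpers.
//
// Assumption: the shims below approximate esc_attr(), esc_html() and
// esc_url() only so this file runs outside WordPress. Inside WordPress the
// real functions are defined and the shims are skipped.

if (!function_exists('esc_attr')) {
    // Approximation of esc_attr(): HTML-encode quotes and angle brackets.
    function esc_attr($text)
    {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    // Approximation of esc_html(): same encoding, intended for text nodes.
    function esc_html($text)
    {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Approximation of esc_url(): refuse script-bearing schemes, then encode.
    function esc_url($url)
    {
        $url = trim((string) $url);
        if ($url === '' || preg_match('#^(javascript|data|vbscript):#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable: values from the query string are concatenated into markup as-is.
function render_search_box_vulnerable(array $get): string
{
    $term = isset($get['s']) ? (string) $get['s'] : '';
    $back = isset($get['redirect_to']) ? (string) $get['redirect_to'] : '/';
    return '<form action="/" method="get">'
         . '<input type="text" name="s" value="' . $term . '">'
         . '<a href="' . $back . '">Back</a>'
         . '<p>Results for ' . $term . '</p>'
         . '</form>';
}

// Hardened: each value is escaped for where it ends up, so attacker-supplied
// quotes, tags and script: URLs become inert text instead of new markup.
function render_search_box_hardened(array $get): string
{
    $term = isset($get['s']) ? (string) $get['s'] : '';
    $back = isset($get['redirect_to']) ? (string) $get['redirect_to'] : '/';
    return '<form action="/" method="get">'
         . '<input type="text" name="s" value="' . esc_attr($term) . '">'  // attribute context
         . '<a href="' . esc_url($back) . '">Back</a>'                    // URL context
         . '<p>Results for ' . esc_html($term) . '</p>'                   // text context
         . '</form>';
}

// Constructed sample request: the generic probe any XSS scanner sends.
$sample = [
    's'           => '"><script>alert(1)</script>',
    'redirect_to' => 'javascript:alert(1)',
];

echo "Vulnerable output:\n", render_search_box_vulnerable($sample), "\n\n";
echo "Hardened output:\n", render_search_box_hardened($sample), "\n";
```

Run it with `php xss-escaping-example.php` (file name is yours to choose). In the vulnerable output the `"` closes the value attribute early and a live `<script>` tag follows; in the hardened output the same input appears as `&quot;&gt;&lt;script&gt;...` and the `javascript:` link is dropped. The point to take from it is that escaping is chosen per output context: esc_attr() inside attributes, esc_html() between tags, esc_url() in href and src.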
Basic Security Practices To Keep In Mind
This new vulnerability is a good reminder that no software is perfect. Common sense plays such a large role in security that it’s sometimes hard to see the forest for the trees. Check out our article on Optimizing WordPress for a few great tips on things you should do for each and every WordPress website you run. It’s not the be all and end all of WordPress security, just a few tips that should help make things more secure.
If you don’t feel like reading a whole article on WordPress security (fun, right?), we’ve compiled a quick list of things you should do to keep things secure.
- Patch. Keep your theme and all plugins updated. Always.
- Users Are The Weakest Link. Remove any WordPress users that are not actively in use. And ensure that all current users have secure usernames and passwords. WP Password Policy Manager is a good way to enforce good password habits on your users.
- Admin – Seriously? This one should be obvious – if you still have a user with a username of ‘admin’ you should change it RIGHT NOW. That is akin to handing out a copy of your bank card to every stranger you meet: all they have to do is guess your password and they’re in.
- Monitor Your Logs. This one is a bit of a stretch, I get it. I also know that you’re not going to do it (I sure haven’t ever done it myself). It’s still good advice though.
- Only Use What You Need. Only use the plugins AND theme that your site really needs to function. Sure Hello Dolly is loads of fun, but really, is it necessary?
Any great tips we have missed? Let us know in the comments.