WordPress Security Issues Worse Than Thought
- By Sarah
- General News
- 03rd March 2022
Whatever platforms your website uses, there is always some risk that there will be undiscovered flaws in the programme or code that could be discovered and exploited. WordPress is no exception in this; nor is it unique.
This reality highlights the need to make sure you work with a WordPress development agency that has the expertise and skills to respond swiftly to any flaws in the systems you are using, closing any loopholes in your defences and preventing any vulnerabilities from being used by cyber criminals to launch an attack.
A sobering reminder of this has emerged this month after a series of vulnerabilities were discovered in WordPress themes and plugins, with the extent of the problem found to be greater than originally known.
As Tech Radar noted this week, over 300,000 WordPress sites have been left at risk of attack due to flaws in AccessPress, which develops themes and add-ons for the site builder. Jetpack, a security and optimisation tool for WordPress, spotted that a malicious agent had managed to compromise the application – and with it the 40 themes and 53 plugins it has built.
This means all the free applications have been compromised, ceding full control of websites to the attackers. It has not yet been established if the same applies to commercial sites.
Although plugins and themes downloaded directly from WordPress are fine, any downloaded from AccessPress since September 2021 need fixing.
It is in situations like this that significant admin support is needed, as admins will need to check their systems thoroughly for any signs of compromise related to their plugins. Jetpack has warned that simply updating to a new version won’t remove the vulnerability and therefore a clean version of WordPress will need to be installed.
This discovery comes after security flaws were also found in a commonly used WordPress plugin called WordPress Email Template Designer – WP HTML Mail.
This plugin normally performs the very useful function of making it easy to design custom emails for sites running on the WordPress Website Builder, and around 20,000 sites use it. However, the Wordfence Threat Intelligence team has found a vulnerability in it that could lead to sites using this function running malicious JavaScript against visitors.
Wordfence issued a patch for the plugin on January 13th. However, it has somewhat staggered its provision of firewall protection against exploitation of the flaw, with premium service users getting this cover as long ago as December 23rd. Free service users, however, did not get it until January 22nd.
All this might convey the impression that WordPress is more vulnerable than other applications. But there is no particular reason to think this. Any platform that is going to be used by a lot of firms and organisations for their website and publishing needs will by definition be targeted by cyber criminals hoping to achieve their malicious goals.
What ultimately matters is to work with white-label-as-a-service vendors who know what to do when such issues arise.