The Social Warfare sharing plugin had a serious vulnerability disclosed this week. Attackers exploited a cross-site scripting flaw in the plugin's code to inject script that redirected website visitors to malicious sites. Wordfence was quick to notify their email list, and they held back the technical details until a fix was released. However, at least one other site published the details of the vulnerability while the hole was still unpatched.
To their credit, Warfare Plugins released a fix within about two hours of learning of the issue. Unfortunately, by then the hole was already out in the wild and being actively exploited.
Because this is commercial software, one has certain expectations, for instance that the team is actively checking its code for security holes. If you build sites for clients, you probably do not have the bandwidth or the expertise to audit every line of source code in the plugins you use, and doing so is not realistic without a full-time security person. Developers therefore extend a certain level of trust to the companies that build this software, and an incident like this shakes that confidence.
I’ve used this plugin on both client sites and my own. I’m undecided whether I will give it another go after this security hole or not. I need to hear some more information from Warfare Plugins on how this happened, and what steps they are taking to prevent future issues.
Where does that leave you?
This underlines how important it is to have a plan in place for managing your WordPress sites. Actively monitor your sites for updates, or hire someone to do it for you. Apply WordPress core and plugin updates as soon as possible, and apply security updates immediately: as this incident shows, attackers may already be exploiting a hole by the time the fix ships, so every hour a patched version sits unapplied is exposure.
Be selective about the plugins you install in the first place. Only use plugins that are regularly updated, and do not install abandoned ones. Be wary of plugins with few reviews or many negative ones. Audit your site regularly, and deactivate and remove plugins you no longer use. Deactivating alone is not enough: an inactive plugin's files stay on the server, so a vulnerable script in it can still be reachable.
Make sure you have a disaster plan. Have a backup system in place and test it: back up the site, then restore that backup to a test site to confirm it actually works. Do this before a disaster strikes; you do not want to discover during an incident that your backup system was not working. Check that your backups cover both the database and the files (uploads, themes, plugins), and keep at least one copy somewhere other than the web server itself, where an attacker who compromises the site cannot delete or tamper with it.
As part of your strategy, use a high-quality, WordPress-specific web host. Many modern WordPress hosts run a server-level firewall and other restrictions that may block some of these attacks. Depending on your needs, you may also opt for an application-level firewall such as Wordfence. Neither replaces patching: a firewall can buy time against a known attack pattern, but the hole remains until the update is applied.
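The following script is an added example of how the maintenance routine above can be scripted; it is not code from the original post or from Warfare Plugins. It assumes WP-CLI (`wp`) is installed on the web host. The helper names `audit_plugins`, `verify_dump` and `run_maintenance` are hypothetical, the `wp` commands themselves are real WP-CLI commands, and the plugin list at the bottom is constructed sample data so the demo runs without a live site.

```bash
#!/usr/bin/env bash
# Maintenance helper for the plan above. Added example, not code from the
# original post or from any plugin vendor. Assumes WP-CLI ("wp") is installed
# on the web host; the sample CSV below is constructed for the demo.
set -eu

# Report plugins that need attention. Reads on stdin the CSV that
#   wp plugin list --format=csv --fields=name,status,update,version,update_version
# prints. Emits "UPDATE <name> <old> -> <new>" for plugins with a pending
# update and "REMOVE <name>" for plugins that are installed but inactive.
audit_plugins() {
  awk -F, 'NR > 1 {
    if ($3 == "available") printf "UPDATE %s %s -> %s\n", $1, $4, $5
    if ($2 == "inactive")  printf "REMOVE %s\n", $1
  }'
}

# Pre-flight check on a database dump before it is trusted as a backup:
# the file must exist, be non-empty and contain table definitions.
# A real restore into a staging site is still the only full test.
verify_dump() {
  local dump="$1"
  [ -s "$dump" ] || { echo "backup check: $dump is missing or empty" >&2; return 1; }
  grep -q '^CREATE TABLE' "$dump" || { echo "backup check: $dump has no tables" >&2; return 1; }
  return 0
}

# Full cycle on a live site: back up, check the backup, patch, then audit.
# Not called in the demo below because it needs a WordPress install and wp on PATH.
run_maintenance() {
  local dump="backup-$(date +%F).sql"
  wp db export "$dump"
  verify_dump "$dump"
  wp core update
  wp plugin update --all
  wp plugin list --format=csv --fields=name,status,update,version,update_version | audit_plugins
}

# --- demo on constructed data (no live site needed) ---
SAMPLE_CSV='name,status,update,version,update_version
sharing-widget,active,available,1.2.0,1.2.1
contact-form,active,none,5.0.0,
old-gallery,inactive,none,0.9.0,'

printf '%s\n' "$SAMPLE_CSV" | audit_plugins

demo_dump=$(mktemp)
printf 'CREATE TABLE wp_posts (ID bigint unsigned NOT NULL);\n' > "$demo_dump"
verify_dump "$demo_dump" && echo "backup check passed for $demo_dump"
rm -f "$demo_dump"
```

Run `run_maintenance` from the WordPress root on a schedule (cron, or your host's task runner) and forward its output to whoever is responsible for the site. The `verify_dump` check only catches the common failure of an empty or truncated dump; it does not replace periodically restoring the backup into a staging site, which is the test the text above asks for.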