It’s been a busy week for WordPress security. First, a critical security issue was discovered in the very popular WordPress slider plugin Slider Revolution, and just today an important security fix was released for Gravity Forms, another very popular WordPress plugin.
Whilst in both these cases the developers have responded rapidly to resolve issues (in fact the Slider Revolution bug was patched back in February 2014), the onus does fall on the user to update their plugins. Failure to do so could leave your website vulnerable to attack. The Slider Revolution bug was particularly nasty, allowing a malicious user to download the wp-config.php file (or just about any file actually). The wp-config.php file contains all the database connection credentials, so this was very serious indeed.
The problem with Slider Revolution was that this plugin is bundled with many themes, and in many cases users do not have direct access to the latest version of the plugin. Instead they have to rely on the theme author to update the theme with the latest version and then tell their users to update. For many themes, this was not done, or users were simply unaware of the need to update. This highlights the potential for problems when bundling plugins with themes, and many WordPress developers believe this should be avoided where possible.
It stands to reason that right now there are many, many WordPress sites out there with a vulnerable version of this plugin installed, and unless the site administrators actively monitor WordPress news and keep their plugins updated, they could potentially have a real problem on their hands.
However, WP NET customers can rest easy — we promptly scanned our servers for any instances of the vulnerable plugin and have either updated or disabled the plugin. We then contacted each site owner to inform them of the problem and offer advice and help.
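A scan of this kind has to find copies bundled inside themes as well as those in the plugins directory, since the bundled ones never show up in the normal plugin update list. The sketch below is an added example, not WP NET's own tooling: the slug `example-slider`, the fixed version `2.0.0` and the sample directory tree are constructed placeholders to replace with the real plugin folder name and patched release.

```python
import os
import re
import tempfile

# Header lines WordPress-style plugins carry at the top of their main file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][\w.\-]*)", re.I | re.M)

def version_key(version, width=4):
    """Numeric sort key, so '1.10' > '1.9' and '2.0' == '2.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))

def header_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if not (name.endswith(".php") and os.path.isfile(path)):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # headers sit at the top of the file
        if NAME_RE.search(head):
            match = VERSION_RE.search(head)
            return match.group(1) if match else None

def find_plugin_copies(root, slug, fixed_version):
    """Report every directory named `slug` under `root`, bundled or not."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) != slug:
            continue
        dirnames[:] = []  # do not descend into the plugin itself
        version = header_version(dirpath)
        old = version is not None and version_key(version) < version_key(fixed_version)
        # "unknown" means no readable header was found: inspect by hand
        status = "unknown" if version is None else ("outdated" if old else "ok")
        parts = os.path.relpath(dirpath, root).split(os.sep)
        findings.append({"path": dirpath, "version": version, "status": status,
                         "bundled_in_theme": "themes" in parts})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    """Constructed sample: three sites, one copy bundled inside a theme."""
    root = tempfile.mkdtemp()
    for rel, ver in [("a/wp-content/plugins/example-slider", "1.9.3"),
                     ("b/wp-content/themes/shop/inc/example-slider", "1.4"),
                     ("c/wp-content/plugins/example-slider", "2.0")]:
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, "example-slider.php"), "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: Example Slider\nVersion: {ver}\n*/\n")
    return root
```

Entries with `bundled_in_theme` set are the ones a site owner cannot fix from the plugin update screen and usually need a theme update or a manual replacement.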
Note that whilst updating WordPress plugins is not explicitly covered by our Managed WordPress service, we do cover important security fixes such as this, and we will always work to ensure that all our customers’ websites are as secure as possible.
Once again, Managed WordPress saves the day!