Have you heard? There have been concerns recently over the security of some very popular and widely used WordPress plugins and themes. Joost de Valk of Yoast.com, himself a plugin developer, has identified the misuse of the add_query_arg() and remove_query_arg() functions.
To most people this probably doesn't mean a great deal, but it is important to anyone running a WordPress website. The presence of such code in plugins and themes commonly used with WordPress means that a large number of websites may be open to cross-site scripting (XSS) vulnerabilities.
A cross-site scripting (XSS) vulnerability enables hackers or bots to inject client-side scripts into web pages viewed by other users, essentially bypassing the WordPress login details usually needed to access the WordPress admin panel and make changes to website content.
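The function misuse the post refers to, as an added example that is not from the post or from any of the plugins listed: add_query_arg() and remove_query_arg(), when called without a base URL, build on the current request URI, so printing their return value straight into HTML reflects whatever the browser sent; wrapping the result in esc_url() (or esc_url_raw() outside HTML), or passing an explicit base URL, is the fix. The plugin name, function prefix and menu slug are made up for the example.

```php
<?php
/*
Plugin Name: Query Arg Escaping Demo (constructed example, not a real plugin)
*/

// The unsafe pattern behind the April 2015 advisory: with no base URL,
// add_query_arg() falls back to $_SERVER['REQUEST_URI'], which the visitor
// controls, and its return value is NOT escaped. Printing it into an
// attribute lets characters from the request path break out of the markup.
function qad_unsafe_link() {
    return '<a href="' . add_query_arg( 'qad_view', 'list' ) . '">List</a>';
}

// Hardened form: escape for the HTML context at the point of output.
function qad_safe_link() {
    return '<a href="' . esc_url( add_query_arg( 'qad_view', 'list' ) ) . '">List</a>';
}

// The same rule applies to remove_query_arg(); for URLs used outside HTML
// (e.g. a redirect target) esc_url_raw() validates without HTML-encoding.
function qad_safe_redirect_target() {
    return esc_url_raw( remove_query_arg( 'qad_view' ) );
}

// Better still: supply an explicit base URL so the request URI is never used,
// and escape on output anyway.
function qad_explicit_base_link() {
    $url = add_query_arg( 'qad_view', 'list', admin_url( 'admin.php?page=qad' ) );
    return '<a href="' . esc_url( $url ) . '">List</a>';
}

// Minimal admin page that renders only the hardened variants.
add_action( 'admin_menu', function () {
    add_menu_page( 'QAD', 'QAD', 'manage_options', 'qad', function () {
        echo '<div class="wrap">' . qad_safe_link() . ' ' . qad_explicit_base_link() . '</div>';
    } );
} );
```

When reviewing a plugin or theme, the thing to look for is the first pattern: the return value of either function echoed, or placed in an attribute, without esc_url() or esc_url_raw() around it.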
The developers of the WordPress plugins and themes concerned have been made aware of the vulnerability on various developer forums, and over the next few weeks, possibly months, they will be working to clear their code of it.
What steps can you take to protect against the cross-site scripting (XSS) vulnerability?
As with any WordPress website, it is imperative that the version of WordPress, and the versions of the plugins and themes you use, are regularly updated as each new release becomes available.
When adding new plugins or themes to WordPress, check the release date of the software. The announcement of this vulnerability was made on 20th April 2015, so if the release date is after that date the odds of downloading a plugin or theme that has inherited this vulnerability are reduced; a quick message to the developers should alleviate any concerns you may have.
If the release date is prior to 20th April 2015 and the developer does not respond, it may mean that the developer has moved on and therefore the plugin has not been updated recently, and using it may leave WordPress vulnerable to a compromise. Not all plugins and themes contain the code that would make them susceptible to this vulnerability, but the safer option may be to consider an alternative plugin or theme from another developer.
Which plugins and themes are affected?
No specific themes have been named but the list is vast. The plugins mentioned in the announcement are as follows:
Jetpack
WordPress SEO
Google Analytics by Yoast
All In one SEO
Gravity Forms
Multiple Plugins from Easy Digital Downloads
UpdraftPlus
WP-E-Commerce
WPTouch
Download Monitor
Related Posts for WordPress
My Calendar
P3 Profiler
Give
Multiple iThemes products including Builder and Exchange
Broken-Link-Checker
Ninja Forms
If you use any plugins not listed above, you may wish to contact their developers to address any concerns you have. Most developers have very active support communities and are happy to help keep your website running safely.
The post Are your WordPress plugins and themes up to date? appeared first on names.co.uk blog.