No, WordPress does not turn you into Superman

A rant on the power and dangers of WordPress.

WordPress is a fantastic platform. It allows novice web designers to create beautiful websites, even e-commerce sites and other solutions to complex problems. But herein lies the problem…

We salute the novice web designers who take the leap of faith and then work miracles with WordPress.

We deplore the webmasters who believe they can fix any problem with yet another WordPress plugin. Over the years we have seen many poorly written plugins that leave websites wide open to exploits. In one case an open-source plugin got a new project owner, who then sneakily planted malicious code in it. Webmasters: you must be discerning about the plugins and themes that you install on your website. And remove the plugins and themes that you do not use. Deactivating a plugin or theme only stops WordPress from loading it; its files stay under wp-content and, unless your web server is configured to block direct requests to them, can still be fetched and executed over the web, so a directly reachable vulnerable script in a deactivated plugin is still exploitable (refer back to the comment above about poorly written plugins).

And then there are the many cases where the initial enthusiasm for a WordPress website fades, and the installation is left there without receiving any updates. This is a great recipe for getting your website hacked. Vulnerabilities are published, attackers pay attention and scan for sites still running the affected versions, and soon your site will be hacked. Webmasters: you must keep your installations up to date. At least monthly, and promptly whenever a security release is announced.

This week saw a major vulnerability in the File Manager plugin for WordPress. An attacker could upload arbitrary files to any website with this plugin installed, without needing to log in. That means uploading spam scripts, planting malware, reading sensitive information from your website (the database credentials in wp-config.php, for instance) and, conceivably, from other websites on the same server if the hosting account is not properly isolated. File Manager has a free open-source version, which is both good and bad. The good part is that anyone can see what it does. The bad part is that the bad guys can see it too, and a published security fix shows them exactly where the hole was. The moment the File Manager team (somewhat quietly) released a security update this week, attackers were quick to exploit the vulnerability against WordPress websites that had not yet updated.

Lessons to be learned from the File Manager incident:

  1. File Manager is a pretty nifty WordPress plugin. But do you really need it? When you already have the like-named File Manager in cPanel, or good old FTP (better still, SFTP), why risk putting a file management script right there on your website, reachable by anyone on the internet?
  2. Keep your WordPress installation up to date. Core, plugins and themes alike: frequent updates, applied promptly when a security release appears, greatly shrink the window in which a vulnerability like this one can be exploited.
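Both lessons, and the earlier advice about removing deactivated plugins and themes, come down to a routine you can script. The following WP-CLI maintenance script is an added example written for this post; it is not part of WordPress, WP-CLI or the File Manager plugin. It assumes WP-CLI (the `wp` command) is installed on the server and can read the site's wp-config.php; the script name, the function names, the `DRY_RUN` switch and the sample CSV are constructed for the example. The two small parsers read the CSV that `wp plugin list` and `wp theme list` emit, so what would be deleted can be reviewed before anything is touched.

```bash
#!/usr/bin/env bash
# wp-hygiene.sh: hypothetical helper written for this post, not part of WordPress or WP-CLI.
# Assumes WP-CLI (`wp`) is installed and can reach the installation given as argument.

# Constructed sample of `wp plugin list --format=csv --fields=name,status,update`
# (made up for this example, not captured from a real site).
SAMPLE_PLUGIN_CSV='name,status,update
akismet,active,none
hello,inactive,none
wp-file-manager,inactive,available
woocommerce,active,available'

# Print the slugs whose status is "inactive". Reads WP-CLI CSV on stdin.
# `wp theme list` reports "parent" for the parent of an active child theme,
# so that row is deliberately not matched and the parent theme is kept.
inactive_slugs() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Print the slugs that WP-CLI marks as having an update available. Reads CSV on stdin.
updatable_slugs() {
    awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Run a command, or only echo it when DRY_RUN=1, so a first pass can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'DRY RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# WP-CLI bound to the installation path held in WP_PATH.
wpcli() {
    wp --path="$WP_PATH" "$@"
}

# Check whether a deactivated plugin's files are still served by the web server.
# Plugins from wordpress.org ship a readme.txt, so an HTTP 200 here shows the plugin
# directory is reachable even though WordPress no longer loads the plugin.
probe_plugin_reachable() {
    site_url=$1; slug=$2
    code=$(curl -s -o /dev/null -w '%{http_code}' "$site_url/wp-content/plugins/$slug/readme.txt")
    printf '%s readme.txt -> HTTP %s\n' "$slug" "$code"
}

# One full pass over an installation: remove what is not used, update what remains.
wp_hygiene() {
    WP_PATH=$1

    # 1. Delete deactivated plugins: their PHP is still web-reachable while it sits on disk.
    for slug in $(wpcli plugin list --format=csv --fields=name,status,update | inactive_slugs); do
        run wpcli plugin delete "$slug"
    done

    # 2. Delete inactive themes, but keep one bundled default theme as a fallback.
    for slug in $(wpcli theme list --format=csv --fields=name,status,update | inactive_slugs); do
        case "$slug" in twenty*) continue ;; esac
        run wpcli theme delete "$slug"
    done

    # 3. Update core, then every remaining plugin and theme.
    run wpcli core update
    run wpcli plugin update --all
    run wpcli theme update --all
}

# Entry point: run the pass when invoked with an installation path, e.g. from a weekly cron job.
#   DRY_RUN=1 ./wp-hygiene.sh /var/www/html    # review first
#   ./wp-hygiene.sh /var/www/html              # then apply
if [ $# -gt 0 ]; then
    wp_hygiene "$1"
fi
```

Run it with `DRY_RUN=1` first and take a backup before the real pass: deleting a theme or plugin is irreversible, and a core update can surface incompatibilities in old plugins. The `probe_plugin_reachable` function is there to make the earlier point concrete: point it at a deactivated plugin's slug and, on a default server configuration, you will still get a 200, which is exactly why "deactivated" is not the same as "removed".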

No. While your name may be Clark, you are not Superman. Get your head out of the clouds.