I sometimes wonder whether our clients think website maintenance and WordPress security advice are not really very important. But recent events with a popular free plugin have changed many people's minds.
Yuzo Related Posts was a simple plugin designed to keep visitors on your website for longer by suggesting more content they might be interested in. Like most news websites, it would show related articles at the end of a WordPress post.
It wasn't a particularly special plugin - there are many that do the same job - but it had a few useful features and worked nicely out of the box, so over 60,000 websites had chosen to use it.
On the 10th April, security analysts Wordfence posted news of a zero-day vulnerability in the plugin. Essentially this meant that there was a security problem in the latest version of the plugin, the version people were actually running on their websites. Worse still, another security analyst had publicised the flaw online, and so websites started to come under attack. Websites were being hijacked to redirect users to bogus external sites which featured contact forms to steal contact details from unwitting visitors.
These are the moments that send chills down the spine of any website owner.
One of our Care Plan clients was (very briefly) affected by this. Because the site was being actively maintained by our systems, the problem was picked up by a routine security scan.
Security tools from Google and Sucuri failed to diagnose the root of the problem. The Yuzo plugin had been hidden from view in the WordPress Dashboard, making it impossible for a non-expert user to even realise it was running, much less remove it.
Within an hour of becoming aware of the issue, we had patched the flaw and tested the site with three different security scanning systems to be sure that there were no lingering bad effects.
I dread to think what could have happened if it had been weeks or months until the issue had been addressed. I hope some of the other 60,000 website owners were as fortunate as our client.
It's awful that this is the world we live in now. But with software systems growing ever more complex, to the point that even governments can't be sure they are getting secure services (I'm looking at you, Huawei), this sort of thing will only continue to happen.
How do I keep my WordPress website safe?
Please, take this as a reminder. Your WordPress website needs regular, ongoing maintenance, at least monthly, if you want your data and that of your customers and users to be safe.
Here are some essential tips:
- Be wary of free plugins and themes. A special few, like Contact Form 7, Yoast and Jetpack, are well supported and regularly patched and updated. But there are plenty of abandoned or rarely updated plugins and themes in the WordPress repository that represent a potential security risk in the future.
- Keep your licences up to date for premium plugins and themes. If you're leaving software out of date, you continue to take risks with your site. If it's