On May 10th, Wordfence published a list of WordPress plugins that have not been updated in over two years and that have several publicly reported vulnerabilities. All of these plugins are still available for installation on the WordPress Marketplace. Wordfence states that the issues have existed for over two years and that every one of them has been publicly disclosed, which means anyone can look up how to exploit them while the code has gone two years without an update to fix them.
- A to Z Category Listing
- Blogstand Banner
- Dynamic Font Replacement
- Easy Banners
- FAQs Manager
- Floating Tweets
- Image Metadata Cruncher
- Page Showcaser Boxes
- Spicy Blogroll
- Starbox Voting
- The Crawl Rate Tracker
- ThinkIT WP Contact Form
- URL Cloak & Encrypt
- WP PHP widget
- WP Post to PDF
- Xorbin Digital Flash Clock
If you have any of these plugins installed, we highly recommend that you deactivate and delete it rather than leave it inactive: a deactivated plugin's PHP files stay in wp-content/plugins and are still reachable over the web, and many plugin vulnerabilities are exploited by requesting those files directly, so deactivation alone does not close the hole. This list is not exhaustive; it does not imply that these are the only plugins with security risks.
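To check an existing site against the list without clicking through the admin screens, the names can be compared against the "Plugin Name:" header that every plugin declares in the comment block at the top of its main PHP file. The following Python is an added example, not code from Wordfence or from the original post: it embeds the list above, reads the header the way WordPress's own get_file_data() does (first 8 KiB of the file, same header pattern), and runs against constructed sample headers with hypothetical directory names; scan_plugins_dir() does the same against a real wp-content/plugins directory.

```python
from __future__ import annotations

import os
import re

# The plugins Wordfence listed, copied from the post above.
WORDFENCE_FLAGGED = [
    "A to Z Category Listing", "Blogstand Banner", "Dynamic Font Replacement",
    "Easy Banners", "FAQs Manager", "Floating Tweets", "Image Metadata Cruncher",
    "Page Showcaser Boxes", "Spicy Blogroll", "Starbox Voting",
    "The Crawl Rate Tracker", "ThinkIT WP Contact Form", "URL Cloak & Encrypt",
    "WP PHP widget", "WP Post to PDF", "Xorbin Digital Flash Clock",
]

# Same pattern WordPress's get_file_data() uses to pull the "Plugin Name:"
# header out of the comment block at the top of a plugin's main PHP file.
HEADER_RE = re.compile(
    r"^(?:[ \t]*<\?php)?[ \t/*#@]*Plugin Name:(.*)$", re.IGNORECASE | re.MULTILINE
)
HEADER_BYTES = 8192  # WordPress only reads the first 8 KiB of the file


def normalize(name: str) -> str:
    """Case- and whitespace-insensitive form for comparing header names."""
    return " ".join(name.replace("&amp;", "&").split()).casefold()


FLAGGED_BY_KEY = {normalize(n): n for n in WORDFENCE_FLAGGED}


def plugin_name_from_source(php_source: str) -> str | None:
    """Return the declared Plugin Name, or None if the file carries no header."""
    m = HEADER_RE.search(php_source[:HEADER_BYTES])
    if not m:
        return None
    # Drop a trailing '*/' or '?>' the way WordPress's _cleanup_header_comment does.
    return re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()


def flagged_in_sources(sources: dict[str, str]) -> list[tuple[str, str]]:
    """sources maps a plugin directory (or single-file plugin) to its main
    file's contents; returns (directory, Wordfence name) for every match."""
    hits = []
    for plugin_dir, src in sources.items():
        name = plugin_name_from_source(src)
        if name and normalize(name) in FLAGGED_BY_KEY:
            hits.append((plugin_dir, FLAGGED_BY_KEY[normalize(name)]))
    return hits


def scan_plugins_dir(plugins_path: str) -> list[tuple[str, str]]:
    """Collect headers from a real wp-content/plugins directory. WordPress
    looks at the top-level .php files of each plugin directory, plus any
    single .php file dropped straight into wp-content/plugins."""
    sources: dict[str, str] = {}
    for entry in os.scandir(plugins_path):
        if entry.is_dir():
            candidates = [os.path.join(entry.path, f)
                          for f in sorted(os.listdir(entry.path)) if f.endswith(".php")]
        elif entry.name.endswith(".php"):
            candidates = [entry.path]
        else:
            continue
        for path in candidates:
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read(HEADER_BYTES)
            if plugin_name_from_source(src):
                sources[entry.name] = src
                break
    return flagged_in_sources(sources)


# Constructed sample headers; the directory names are hypothetical.
SAMPLE_SOURCES = {
    "wp-php-widget": "<?php\n/*\nPlugin Name: WP PHP widget\nVersion: 1.0\n*/\n",
    "url-cloak": "<?php\n/**\n * Plugin Name:   URL Cloak &amp; Encrypt\n * Version: 2.1\n */\n",
    "example-widget": "<?php\n/**\n * Plugin Name: Example Site Widget\n */\n",
    "not-a-plugin": "<?php\necho 'library file without a plugin header';\n",
}

if __name__ == "__main__":
    for plugin_dir, name in flagged_in_sources(SAMPLE_SOURCES):
        print(f"REMOVE wp-content/plugins/{plugin_dir}: listed by Wordfence as '{name}'")
```

Matching on the header rather than the directory name matters because the slug a plugin is installed under is not always the name shown in the directory listing, and the comparison is done case- and whitespace-insensitively with HTML entities decoded, since headers are hand-written. A hit is a reason to remove the plugin; no hit only means none of the sixteen names above was found.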
Selecting a WordPress plugin
There are several points to consider before installing one of the more than 37,000 plugins available on the Marketplace.
- Check how many active installs the plugin has. If there are fewer than 1,000, be wary: a small user base means fewer people to notice and report problems. A low count doesn't by itself mean the plugin is vulnerable.
- Look through the Ratings and Reviews – the more stars the better, but read the reviews rather than just the average, since a handful of five-star ratings says little.
- Scan the support page. If users are posting issues and the developer isn't patching them or responding to the threads, the plugin likely has unresolved problems, security ones included.
- Review the Changelog under the Development tab, which lists the release notes and the date each version was pushed out. Avoid plugins that have not been updated in over a year.
- Check the compatibility. The plugin's main page on the Marketplace shows which version of WordPress the plugin has been tested up to; a plugin tested only against an old release has probably not been maintained against newer core changes either.
Be sure to periodically check the support pages of any plugins you are currently using. A plugin that is secure now may still have vulnerabilities discovered later that can harm your site or your server.
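The checklist above, and the periodic re-check, can be run mechanically against the data the WordPress.org plugins API returns for a slug (api.wordpress.org/plugins/info/1.2/ with action=plugin_information). The following Python is an added example, not code from the original post: the field names it reads (active_installs, rating, num_ratings, support_threads, support_threads_resolved, last_updated, tested) are assumed from that endpoint and should be verified against a live response, the two plugin records are constructed, and the 3.5-star floor and the 50% unresolved-threads cutoff are this example's own thresholds rather than numbers from the post.

```python
from __future__ import annotations

import json
import re
import urllib.parse
import urllib.request
from datetime import date

PLUGIN_INFO_URL = "https://api.wordpress.org/plugins/info/1.2/"

# Thresholds from the checklist above (installs, one-year staleness); the
# star floor and the unresolved-thread ratio are assumptions of this example.
MIN_ACTIVE_INSTALLS = 1000
MAX_DAYS_SINCE_UPDATE = 365
MIN_STARS = 3.5
MIN_RESOLVED_RATIO = 0.5


def fetch_plugin_info(slug: str) -> dict:
    """Live lookup of one plugin record (needs network; not used by the sample run)."""
    query = urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(f"{PLUGIN_INFO_URL}?{query}", timeout=10) as resp:
        return json.load(resp)


def _major_minor(version: str) -> tuple[int, int]:
    """'4.2.2' -> (4, 2); missing components count as 0."""
    parts = re.findall(r"\d+", version or "") + ["0", "0"]
    return int(parts[0]), int(parts[1])


def _parse_last_updated(value: str) -> date | None:
    """The API reports strings like '2015-05-04 9:15pm GMT' (assumed format);
    only the leading ISO date is needed here."""
    m = re.match(r"(\d{4})-(\d{2})-(\d{2})", value or "")
    return date(int(m[1]), int(m[2]), int(m[3])) if m else None


def evaluate_plugin(info: dict, today: date, site_wp_version: str) -> list[str]:
    """Apply the five checklist points to one plugin_information record.

    Returns human-readable warnings; an empty list means every heuristic
    passed, which is evidence of maintenance, not proof of security.
    """
    warnings = []

    installs = int(info.get("active_installs") or 0)
    if installs < MIN_ACTIVE_INSTALLS:
        warnings.append(f"only {installs} active installs (fewer than {MIN_ACTIVE_INSTALLS})")

    # 'rating' is a 0-100 percentage, so five stars is 100.
    stars = float(info.get("rating") or 0) / 20
    num_ratings = int(info.get("num_ratings") or 0)
    if num_ratings == 0:
        warnings.append("no ratings at all")
    elif stars < MIN_STARS:
        warnings.append(f"rating {stars:.1f}/5 from {num_ratings} reviews")

    threads = int(info.get("support_threads") or 0)
    resolved = int(info.get("support_threads_resolved") or 0)
    if threads and resolved / threads < MIN_RESOLVED_RATIO:
        warnings.append(f"{threads - resolved} of {threads} support threads unresolved")

    updated = _parse_last_updated(info.get("last_updated", ""))
    if updated is None:
        warnings.append("record has no usable last_updated date")
    elif (today - updated).days > MAX_DAYS_SINCE_UPDATE:
        warnings.append(f"last updated {updated.isoformat()}, more than a year ago")

    tested = info.get("tested") or ""
    if not tested or _major_minor(tested) < _major_minor(site_wp_version):
        warnings.append(f"tested up to WordPress {tested or '?'}, site runs {site_wp_version}")

    return warnings


# Constructed records shaped like plugin_information responses; both slugs are hypothetical.
SAMPLE_HEALTHY = {
    "slug": "example-healthy-plugin", "active_installs": 1000000, "rating": 94,
    "num_ratings": 812, "support_threads": 20, "support_threads_resolved": 18,
    "last_updated": "2015-04-29 3:40pm GMT", "tested": "4.2.2",
}
SAMPLE_STALE = {
    "slug": "example-stale-plugin", "active_installs": 300, "rating": 60,
    "num_ratings": 4, "support_threads": 6, "support_threads_resolved": 1,
    "last_updated": "2013-03-14 7:02pm GMT", "tested": "3.5.1",
}

if __name__ == "__main__":
    for record in (SAMPLE_HEALTHY, SAMPLE_STALE):
        problems = evaluate_plugin(record, date(2015, 5, 12), "4.2.2")
        verdict = "looks maintained" if not problems else "; ".join(problems)
        print(f"{record['slug']}: {verdict}")
```

Passing today's date and the site's WordPress version in as parameters keeps the check reproducible, and running it from a scheduled job over the slugs in wp-content/plugins turns the "occasionally check the support pages" advice into something that actually happens.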