It should not matter whether you use the premium or the free version of a plugin. The free version should be just as safe; that is the plugin developer's responsibility.
That is how we think about it.
But...
Unfortunately, we have come across several examples where the premium / pro plugin receives a fix for a vulnerability sooner than the free version.
In various plugins, vulnerabilities stay unpatched in the free version for months!
Some examples where the premium / pro version is better maintained than the free version:
WordFence Security
WordFence is a plugin that protects your WordPress website. And yes, the free version is reasonably safe and kept up to date as well.
But..
the protection in the free version lags a month behind
As they say themselves, "every thirty days".
With the premium / pro version you pay for live updates. The plugin code itself ships to everyone, but new firewall rules and malware signatures reach the free version only after that thirty-day delay, while premium users receive them as soon as they are released, so both the scanner and the firewall that block attacks are kept up to date in real time.
iThemes Security
Also a plugin for securing WordPress. iThemes Security gives the paid version much more attention than the free version. A security fix lands in the premium version fairly promptly, but..
sometimes a known vulnerability stays open for weeks to months in the free version
Various other plugins
There are many examples of plugins in which vulnerabilities are found and reported to the developers.
The patch (the fix that closes the vulnerability) then appears in the premium / pro version after 5-10 days, while the free version is left behind.
Sometimes a vulnerability remains in the free plugin for months after it has become known, and the plugin is eventually removed from the WordPress.org plugin directory altogether.
The good news
Free plugins hosted on WordPress.org are closed (removed from the directory) until the vulnerability is fixed.
Several parties report vulnerabilities to WordPress.org, and the plugin team has a zero-tolerance policy for plugins with known, unfixed vulnerabilities.
A vulnerability / exploit: what should I picture?
Some examples of recent plugin vulnerabilities:
- The administrator vulnerability
It happens regularly that a vulnerability in a plugin allows anyone to create an administrator account.
Once a hacker or script has administrator rights, they can do whatever they want.
Usually spam advertising is placed on your website, or a script is uploaded that sends advertising through your website to thousands of addresses.
Then the remaining administrators are removed. In short, you can no longer log in to your website to undo the hack.
It goes without saying that once this vulnerability is known it must be fixed as soon as possible, and must not sit in a website for weeks or months.
- The database injection
Plugins often add input fields to the front-end of your website. Think of review plugins, contact forms, and so on.
If those fields are not properly validated and escaped before their contents end up in a database query, a hacker or script can simply misuse them to write data into your database.
Within a second, such a script can create administrators in the database or change text across your entire website, with all the consequences that entails.
- The newsletter hack
Do you have a newsletter form where visitors can sign up? In the past, vulnerabilities have been found in such plugins that allowed the hacker to add their own email address as a notification address, so that every visitor registration was also sent to them. You may wonder what a hacker can do with that, but large lists of email addresses with names are worth money: advertising is sent to them, and there are people who buy lists of email addresses with first and last names.
Another vulnerability you do not want exploited. You will not notice it quickly yourself, but your users suffer because they receive the spam.
- The WooCommerce vulnerability
Plugins that extend your webshop often have access to the database, and your database contains all of your customers' accounts. There have been several vulnerabilities in the past where plugins gave hackers access to the database and to all customer information.
It goes without saying that such a vulnerability must be fixed immediately, or as soon as possible, once it becomes known!
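The "database injection" example above is easiest to understand with code. The block below is an added illustration and is not code from the original post or from any of the plugins it names: a review form handler saves a visitor's review, first by pasting the field contents straight into the SQL string, then with a parameterized query (the WordPress equivalent is $wpdb->prepare()). The table names, the review payload and the use of sqlite3's executescript() to stand in for a database driver that accepts stacked statements are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed attacker input: what a visitor could type into a front-end review field.
# It closes the review INSERT early, adds an administrator, and comments out the rest.
PAYLOAD = (
    "great'); INSERT INTO wp_users (user_login, role) "
    "VALUES ('evil', 'administrator'); --"
)


def make_db():
    """Minimal stand-in for a WordPress database: a users table and a plugin's reviews table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (user_login TEXT, role TEXT);
        CREATE TABLE reviews (author TEXT, body TEXT);
        """
    )
    return conn


def save_review_vulnerable(conn, author, body):
    """The flawed pattern: field contents concatenated into the query text.

    executescript() is used here as an assumption, to emulate a driver that
    executes stacked statements (a single execute() in sqlite3 would refuse them).
    """
    sql = f"INSERT INTO reviews (author, body) VALUES ('{author}', '{body}');"
    conn.executescript(sql)


def save_review_hardened(conn, author, body):
    """The fix: a parameterized query. The payload is stored as literal text and
    never interpreted as SQL, whatever quotes or semicolons it contains."""
    conn.execute("INSERT INTO reviews (author, body) VALUES (?, ?)", (author, body))


def exploit_outcome(handler):
    """Run the attacker's submission through a handler and report what the database
    looks like afterwards: (administrator logins, stored review bodies)."""
    conn = make_db()
    handler(conn, "visitor", PAYLOAD)
    admins = [r[0] for r in conn.execute(
        "SELECT user_login FROM wp_users WHERE role = 'administrator'")]
    bodies = [r[0] for r in conn.execute("SELECT body FROM reviews")]
    return admins, bodies


if __name__ == "__main__":
    print("vulnerable:", exploit_outcome(save_review_vulnerable))
    print("hardened:  ", exploit_outcome(save_review_hardened))
```

Running the block shows the vulnerable handler ending up with an `evil` administrator and a clean-looking review of "great", while the hardened handler stores the whole payload as an ordinary review and creates no account. That is exactly the "within a second, administrators are created" scenario, and why a single unescaped field in a review or contact-form plugin is enough.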
Who scans my website for vulnerabilities?
You probably assume your webshop will rarely be tested, and that a vulnerability therefore cannot be abused so quickly.
Unfortunately, it does not work the way you think.
When a vulnerability becomes known, hackers write scripts that work like this:
1. The script searches Google for webshops (yours is listed there too)
2. The script sends requests to those websites to detect the known vulnerable plugins
3. When it finds a vulnerable plugin, the script uses the known vulnerability to carry out the hack
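Step 2 of that procedure leaves a recognisable trace in your web server's access log: one client requesting the readme.txt (or another fixed file) of plugin after plugin, most of which you do not even have installed, so the server answers 404. The block below is an added example, not code from the original post or from any security plugin: it parses access-log lines in the common combined format and flags clients that touched many distinct plugin directories and mostly received 404s. The log lines are constructed, the plugin slugs are arbitrary popular plugins chosen only to make the sample realistic (no vulnerability in any of them is implied), and the thresholds are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict

# Combined log format: client IP, timestamp, request line, status. Only the fields
# needed for the check are captured; the referrer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Any request under /wp-content/plugins/<slug>/ tells us which plugin was touched.
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/?]+)/')

# Constructed sample: 203.0.113.7 fingerprints plugins via readme.txt (step 2 of the
# scanner), 198.51.100.20 is a normal visitor whose browser loads plugin assets.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/woocommerce/readme.txt HTTP/1.1" 200 2100 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/wordpress-seo/readme.txt HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET /shop/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/plugins/woocommerce/assets/css/woocommerce.css HTTP/1.1" 200 9023 "https://shop.example/shop/" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/plugins/contact-form-7/includes/js/index.js HTTP/1.1" 200 4411 "https://shop.example/shop/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the captured fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def plugin_probes(log_text):
    """Per client IP: the set of distinct plugin slugs requested, and how many of
    those plugin requests got a 404 (the plugin is not installed here)."""
    slugs = defaultdict(set)
    misses = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pm = PLUGIN_RE.match(rec["path"])
        if pm is None:
            continue
        slugs[rec["ip"]].add(pm["slug"])
        if rec["status"] == "404":
            misses[rec["ip"]] += 1
    return slugs, misses


def flag_scanners(log_text, min_slugs=5, min_misses=3):
    """IPs that walked through many different plugin directories and mostly hit
    plugins that do not exist on this site: the signature of a mass scanner.
    Thresholds are assumptions; a real site with many plugins needs tuning."""
    slugs, misses = plugin_probes(log_text)
    return sorted(ip for ip in slugs
                  if len(slugs[ip]) >= min_slugs and misses[ip] >= min_misses)


def probed_slugs(log_text, ip):
    """Sorted list of plugin slugs a given client requested (for the analyst's report)."""
    return sorted(plugin_probes(log_text)[0].get(ip, set()))


if __name__ == "__main__":
    for ip in flag_scanners(SAMPLE_LOG):
        print(ip, "probed:", ", ".join(probed_slugs(SAMPLE_LOG, ip)))
```

The normal visitor also requests files under two plugin directories, but both exist (200) and the count is low, so only the scanner is flagged. The 200 on woocommerce/readme.txt is the interesting line: it tells the scanner which plugin and version you run, which is all it needs for step 3. Blocking readme.txt and version strings makes fingerprinting harder, but it does not remove the vulnerability; only the update does.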
Safe with a security plugin, right?
Even when your website runs a security plugin, such a vulnerability can still be exploited. A security plugin has to let your other plugins run, otherwise your website could not function, so a flaw in a plugin's normal code path passes straight through it. Keeping your plugins up to date, so that no known vulnerabilities remain, is therefore very important.
Conclusion
Now that you know that plugin developers tend to make the premium / pro version more secure.. you should consider buying a premium version. Especially if you depend on your website for income, or if you have a webshop with many customers.
Premium still does not guarantee 100% security, but the examples have shown that it does make a difference.