You have just created a beautiful website with a nice theme and various plugins, and then your website gets hacked!
That’s incredibly frustrating! It has happened to us dozens of times too, even with all the knowledge we have.
What if it turns out that your plugin or theme has a vulnerability, and the developers are not taking any action, even after being informed about it? Even when you’ve paid for the plugin or theme, the developers might not respond to your requests for fixing the vulnerability.
Why don’t developers take action?
Theme developers are not hackers or security experts; their main focus is often on making as much money as possible. This might sound harsh, but unfortunately, it’s the reality.
What can you do now?
You have two options:
- Replace the vulnerable theme or plugin with a new one.
- Ensure that the vulnerable plugin cannot cause any harm.
Executing Option 1
You remove the vulnerable plugin or theme from the server using an FTP program to ensure that the vulnerability is completely removed. Then, you look for a new theme or plugin and hope that it does not contain any of the 4000+ known vulnerabilities.
4000+ vulnerabilities? That doesn’t sound good!
Let’s put it into perspective:
There are 42,565 free plugins and approximately 30,000 paid plugins. Since 2003, there have been 150+ WordPress releases, many of them for security reasons.
The security within WordPress is well maintained, unlike some third-party plugins or themes.
There are countless free WordPress themes, and the number of premium themes is also extensive. WordPress itself is still free!
This wide availability of themes and plugins attracts both users and hackers from all around the world.
Executing Option 2
Unfortunately, this cannot be fixed with a security plugin alone: such a plugin runs inside WordPress with the same permissions as the vulnerable code, and it cannot restrict file permissions at the server level without breaking its own operation. Instead, you need to ensure that a vulnerability cannot make changes at the server level.
You can do this by removing write permissions from certain folders so that the vulnerability cannot modify them.
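As an added example (not from the original post), a POSIX shell script that removes the write permissions from the WordPress code directories and then verifies that nothing in them is writable anymore. It assumes the standard WordPress directory layout under the path passed as the first argument, and that it is run as the owner of those files.

```shell
#!/bin/sh
# Added example, not from the original post: "freeze" a WordPress
# install by stripping every write bit from the code directories, so
# that a vulnerable plugin or theme cannot modify files on the server.
# Assumes the standard WordPress layout under the directory given as $1
# and that the script runs as the owner of those files.

freeze_wp_code() {
    root="$1"
    for d in "$root/wp-admin" "$root/wp-includes" \
             "$root/wp-content/plugins" "$root/wp-content/themes"; do
        [ -d "$d" ] || continue
        find "$d" -type f -exec chmod 444 {} +   # files: read-only
        find "$d" -type d -exec chmod 555 {} +   # dirs: read + traverse
    done
    # Core files in the document root (index.php, wp-load.php, ...)
    find "$root" -maxdepth 1 -type f -exec chmod 444 {} +
    # wp-config.php holds the database credentials: owner and group may
    # read, nobody may write. Use 400 if PHP runs as the file owner.
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
    # Media uploads must stay writable for the site to keep working;
    # normalise them to 644/755 rather than freezing them.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type f -exec chmod 644 {} +
        find "$root/wp-content/uploads" -type d -exec chmod 755 {} +
    fi
}

# Returns 0 when no file or directory under the code trees carries a
# write bit for owner, group or others; returns 1 otherwise.
check_frozen() {
    root="$1"
    for d in "$root/wp-admin" "$root/wp-includes" \
             "$root/wp-content/plugins" "$root/wp-content/themes"; do
        [ -d "$d" ] || continue
        if find "$d" \( -perm -u+w -o -perm -g+w -o -perm -o+w \) | grep -q .; then
            return 1
        fi
    done
    return 0
}
```

While frozen, updates and plugin installs from wp-admin fail because WordPress itself can no longer write to these directories; restore write access (for example with `chmod -R u+w`) before updating, then freeze again.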
What does a vulnerability in a plugin or theme do, actually?
Often, it does nothing until someone who knows about the vulnerability starts exploiting it, for example by sending crafted input through the browser or through a form field (as in cross-site scripting, XSS).
Conclusion
It’s ultimately your choice whether you completely replace the vulnerable plugin or theme, hoping that these extra efforts and costs will increase security, or if you “freeze” the website temporarily so that it continues to work as it does now.