Checking When a WordPress Plugin Was Last Updated Is Not a Vulnerability Analysis
When it comes to the security of WordPress plugins there is a lot of bad information out there, one example we have run across several times recently (and have run across plenty of times in the past as well) is people blaming plugins for being the source of their website without any legitimate evidence to back that up.
In one recent instance someone left a review of a plugin claiming that “I am almost 99% sure it was due to this plugin”. So did they have log files showing how the plugin had been exploited or any explanation as to how it could have occurred? No, instead it was based on “that my website was hacked a few hours later after installing this plugin”. Beyond the fact that correlation isn’t causation and that people often don’t discoverer that a website is hacked until long after the original breach, the only ways we can think of a vulnerability being exploited that fast would be if the plugin was intentionally malicious or if there was a large continuous hacking campaign against a vulnerability. We haven’t seen any indication of hackers targeting this plugin, so it seems unlikely the plugin was the source of the hack.
Another portion of the review didn’t exactly point to the person making the claim seem to be reliable source of security related judgements (emphasis ours):
I do not know if this is due to the way this plugin works or if its because it has a vulnerability or it its becuase it has not been updated in 5 months, but my website was hacked.
A plugin not being updated in five months doesn’t in any way make it vulnerable, either it had a vulnerability five months ago or didn’t. Unless an update to the plugin fixes a vulnerability, it being recently updated also wouldn’t change that fact.
Along those same lines we recently received an email from a web hosting company promoting a WordPress security service. In looking over the service’s website we ran across one of the feature of their service:
VULNERABILITY ANALYSIS
Our system check all the themes and plugins on your WordPress site to see how well they are maintained and supported by their author. If we find any plugin or theme that has been abandoned by the author and is no longer receiving updates or patches we will advise you with a more current solution.
While we would recommend using plugins that are being supported, checking its update status is not a vulnerability analysis. The company didn’t provide any evidence that doing this would actually make you more secure and in our monitoring of plugin vulnerabilities it still is an open question as to whether using plugins being regularly updated makes you more secure.
On the positive side plugins that are being regularly updated are more likely to be fixed and fixed quickly if there is a vulnerability, but that isn’t guaranteed. We have also seen plugins that haven’t been updated in a long quickly fixed after we notified the developer of an issue, including one instance in August where a plugin that hadn’t been updated in seven years was updated the same day we notified the developer of the vulnerability.
The flip side is that every update to a plugin has the possibility to introduce a vulnerability, so frequently updated plugins might be less secure, which could nullify the advantage of them being more likely to be fixed and fixed quickly if a vulnerability was discovered. For example, a widely exploited (and widely covered) vulnerability in the WP Mobile Detected plugin earlier this year only existed in one version of the plugin. The update occurred four months before the exploitation happened, so the plugin likely would have passed that company’s “vulnerability analysis”.
Long story short, this happens because people don’t really know what a hack is, how it happens, or how they’re supposed to prevent it. Many, many people install WordPress through some 1-Click-installer their host made available to them, and they don’t really have the skills to run a web site.
It’s human nature to blame things you don’t understand on others, and comments like this is the result. Imagine the support tickets received by various hosting providers! 😉