How Websites Get Hacked – Third Party Software Integration

Graphic of a hacked website

This is the third in my series ‘How do Websites Get Hacked’.

The first one dealt with theft and misuse of usernames and passwords and the second one dealt with software vulnerabilities.

In this one we will look at Third Party Integrations.

What are third party integrations?

In WordPress terms: plugins and themes.

Plugins

Image: WordPress plugins

One of WordPress’ greatest strengths is also one of its greatest weaknesses: the ability to implement any kind of functionality you want on your site through the use of plugins.

Plugins and addons (a term used by many other platforms) do the same thing: they are software applications that extend the functionality of platforms like WordPress, Joomla, Prestashop and Drupal.

They are developed by individual authors who follow the WordPress specifications for interoperability, but otherwise they do whatever their authors program them to do.

And the downside: more than 55% of all successful hacks of WordPress websites are done via plugins.

Themes

Screenshot of the WordPress themes page in the admin area

Themes are also developed by independent third parties and, therefore, also carry the risk (and many do) of having spam links inserted in the footer or elsewhere.

The impact of themes in WordPress hacks is generally not as severe as in plugins, because themes deal with design and layout – not deep functionality.

Nonetheless, the risks are there and you need to do your due diligence on the themes you’re installing as much as you do for plugins.

How third-party plugins can hack your site

There are several ways a plugin can cause your website to be hacked:

  1. The webmaster fails to keep it up to date (a vulnerability is discovered and patched by the author, but the webmaster doesn’t update to the patched version)
  2. A plugin that was once well maintained and kept up to date is abandoned by its author. A vulnerability is subsequently found but not fixed
  3. A plugin is sold to someone who intentionally corrupts it and releases the corrupted version as an update

A huge number of webmasters fail to keep the software on their websites up to date, and this is manna from heaven for hackers:

The hackers track reports of plugins that have been updated to plug a security vulnerability. They then scour the web for sites where those plugins have not been updated – and attack them.

Lots of plugins are abandoned, meaning the author no longer maintains them. Therefore, any security holes that are identified are not patched. Again, great for the hackers!

Given that there are more than 50,000 plugins in the WordPress repository (all of which are free) it’s not surprising that some are abandoned. After all, the author is not getting paid for their efforts and their circumstances can change at any time.

There are also numerous examples of the third item: someone with bad intentions buying a plugin and corrupting it.

Often the original author, who has not received any income from their work, is only too happy to sell the plugin if someone makes an offer. Many times, in fact, this is why they developed the plugin in the first place.

And if the buyer has bad intentions they’re not going to reveal them to the seller!

When the new owner corrupts the plugin and releases an update, that update is pushed out to every site on which the plugin is running.

So when the webmasters run the update, they are loading a hacked plugin into their websites.

In this way, many thousands of websites can be hacked in a short period of time.

So how can you protect yourself?

Only install plugins (and themes) from a trusted source. And check your plugins in the WordPress repository every two or three months to make sure they’re still current and safe.

There are two aspects to choosing a plugin wisely:

  1. Install it from a trusted source
  2. Review its statistics and history carefully

Trusted sources of plugins

Basically, there are two safe sources of plugins:

  1. The WordPress repository
  2. Paid (premium) plugins

However, you still need to do your due diligence.

If a plugin is recommended to you by someone you trust, that’s a good starting point. But if it is a paid plugin you should still search online for reviews of it, because the level of support provided when problems arise varies a great deal from one author to another.

Paid plugins are generally safe because the author is being paid for their work.

Since the plugin represents an income stream for them, they are going to be serious about maintaining it and providing support where necessary, and they are unlikely to sell it.

Free plugins are a different kettle of fish.

Don’t get me wrong: there are many excellent, free plugins (and in many cases they offer a paid premium version with more functionality, which is always a good sign).

But, almost without exception, you should only get free plugins from the WordPress repository.

This is because, in order to be accepted into the repository, each plugin is individually reviewed and has to meet all the WordPress requirements.

The WordPress repository

OK, so here’s what you need to check for when you’re choosing a plugin from the repository (see the image below this list to clarify things):

  • The ‘Version’ number is the plugin version. This is not really important unless you’ve heard bad things about a particular version of the plugin you’re reviewing
  • The ‘Last updated’ date is as recent as possible. Treat with suspicion any plugin where the period stated here is a year or older
  • ‘Active installations’ should be as high as possible. I always look for at least 20,000 active installations
  • The ‘WordPress version’ (the minimum version the plugin requires) is lower than the version you’re using
  • The ‘Tested up to’ version is at the current version or higher (as is the case in the image below)
  • The ‘Ratings’ are as high as possible and with the best possible profile (as in the image below)
  • The ‘Support’ section shows a high proportion of support requests as resolved in the last 3 months (the example below is not good, but the number is very low so that reduces the negative impact)

Here’s what that screen looks like:

Screenshot of WordPress plugin statistics
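An added example (not from the post) that turns this checklist into a repeatable audit you can run every two or three months. It scores a plugin record shaped like a WordPress.org plugin-info API response; the field names, the sample record and the rating and support-resolution cut-offs are assumptions, since the post only says ‘as high as possible’ for those two.

```python
from datetime import date

# Constructed sample shaped like a WordPress.org plugin-info API record
# (field names are an assumption based on api.wordpress.org/plugins/info/1.0/<slug>.json).
SAMPLE_PLUGIN = {
    "name": "example-plugin",
    "version": "2.4.1",
    "last_updated": "2020-04-12 9:30am GMT",
    "active_installs": 30000,
    "requires": "4.9",   # minimum WordPress version ('WordPress version' in the post)
    "tested": "5.4",     # 'Tested up to'
    "rating": 92,        # percentage, 0-100
    "support_threads": 12,
    "support_threads_resolved": 9,
}


def version_tuple(text):
    """Turn '5.4.2' into (5, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".")) if text else (0,)


def audit_plugin(info, site_wp_version, today, max_age_days=365,
                 min_installs=20000, min_rating=80, min_resolved=0.5):
    """Apply the post's checklist; returns the failed checks (empty means it passes).
    The one-year and 20,000-install thresholds follow the post; min_rating and
    min_resolved are assumed cut-offs. `today` is an ISO date string for repeatable runs."""
    failures = []
    updated = date.fromisoformat(info["last_updated"].split(" ")[0])
    if (date.fromisoformat(today) - updated).days > max_age_days:
        failures.append("last_updated older than a year")
    if info["active_installs"] < min_installs:
        failures.append("fewer than 20,000 active installs")
    if version_tuple(info["requires"]) > version_tuple(site_wp_version):
        failures.append("requires a newer WordPress than the site runs")
    if version_tuple(info["tested"]) < version_tuple(site_wp_version):
        failures.append("not tested against the site's WordPress version")
    if info["rating"] < min_rating:
        failures.append("rating below cut-off")
    threads = info["support_threads"]
    if threads and info["support_threads_resolved"] / threads < min_resolved:
        failures.append("low support-thread resolution rate")
    return failures


if __name__ == "__main__":
    print(audit_plugin(SAMPLE_PLUGIN, "5.4", "2020-05-30") or "passes all checks")
```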

The (very rare) exceptions

Sometimes a company with which you’re already doing business has developed a plugin that integrates their service with WordPress. Examples are Ecwid and Siteground.

In these cases, it is safe to install their free plugins, because the company has a clear incentive to keep the plugin safe and up to date.

In closing…

So the message clearly is:

To mitigate the risk of third party integrations hacking your website, only install plugins and themes from trusted sources and check them in the WordPress repository every two or three months.

P.S. Is your WordPress website as secure as it could be? These are the security products I use on my own sites, and sites I build for clients, to keep them safe and to recover from a hack:

Cheers,

Martin Malden

Martin Malden
Owner – WP Security Basics

2 comments
  • Matt Lin May 30, 2020, 7:14 pm

    Hi Martin,

    It seems that it’s easy to hack into our WordPress websites if we don’t update our plugins and themes regularly. Like I previously mentioned in your last post, I didn’t update my plugins and themes until I read your article. Since then, if I see notifications of updates, I complete all updates immediately.

    I also use your checklist to examine the new plugins I want to install on my website, and I hope it works well to avoid security vulnerabilities. How many indicators of the checklist should plugins meet to be considered as safe? The more the better?

    Cheers,
    Matt

    • Martin May 31, 2020, 1:35 pm

      Hi Matt,

      Yes, absolutely: the more of those criteria that a plugin you’re thinking of installing meets the better!

      Security is about a mindset, as much as anything, and so taking care to think of potential vulnerabilities, and ways to mitigate them, will always pay off.

      Always remember, though, that no website can ever be 100% secure, so you must have a recovery plan ready to put into action when your site is hacked – think ‘when your site is hacked’, not ‘if it’s hacked’, and plan accordingly.

      Cheers,

      Martin.

