Last updated on November 9th, 2020 at 09:42 pm
The WP File Manager vulnerability shows why certain functions that are typically only available through server access should remain that way.
Vulnerabilities are nothing new in the open-source world of WordPress, but this one really hits hard. Originally reported by the Wordfence Threat Intelligence team on September 1, the WP File Manager vulnerability reminded even the most security-conscious WordPress users that there are risks even when you keep all your plugins & themes up to date.
A Perfect 10 on the CVSS
It’s not very common for a vulnerability to land a perfect 10 on the popular severity scale. But when it allows a totally anonymous user to upload malicious files to a website and execute them, gaining full access to the entire installation – well folks, that’s how you score a perfect 10.
Now I’m not going into the details of how the vulnerability is exploited, because the Wordfence Threat Intelligence team has already done a great job of explaining all that in this blog post. The good news is that the vulnerability has been patched so if you’re running the latest version of WP File Manager, then you’re safe – unless your site was already compromised.
It Should Never Have Happened
Like most vulnerabilities, this one was fully avoidable. It’s obvious the plugin developer could have coded the plugin so the vulnerability never existed in the first place, but more importantly – WordPress users shouldn’t have been using it.
The WordPress ecosystem has given us thousands and thousands of amazing plugins that extend the functionality of WordPress far beyond what the core is capable of. But when choosing which plugins to use, many site owners don’t do a deep dive into whether the added functionality is truly necessary for the site to run or how that plugin might affect the attack surface of their website.
Here’s how I classify plugins that I use (or don’t use) on my sites.
Security plugins are those which are designed to increase the security of your website. Obvious security plugins include scanners such as Wordfence or Sucuri and plugins that help protect your login pages from brute force attempts or add 2FA.
Less obvious plugins in this category would be those that make backups of your site like UpdraftPlus or WPVivid and logging mechanisms such as WP Activity Log. While these don’t inherently increase the security posture of your site, they provide diagnostics and recovery should something happen.
I use security plugins on my sites, with Wordfence being my go-to hardening tool at the WordPress level. While there is some debate about whether these types of plugins are necessary, I subscribe to the idea that security comes in layers and this is just one of them. I use Wordfence because it’s one of the only plugins that comes with a firewall that, when configured correctly, checks all PHP requests to your site before WordPress processes them.
Design plugins affect the layout and design of your site and make changes that are visible to the user on the front-end. Obvious plugins that fall into this category include Gutenberg block plugins and page builders such as Elementor & Oxygen or their add-ons.
Aside from page builders, I would also include other plugins such as premium theme add-ons like Astra Pro. Plugins that facilitate design changes through adding custom fields or post types would count too.
Using design plugins is almost a requirement unless you’re using vanilla WordPress or know how to custom-code.
Functional plugins may not necessarily affect the layout or design of your site, but they add some functionality to it that you need or desire. A big plugin in this category would be WooCommerce, which adds an entire eCommerce platform to your site. Contact form plugins, social sharing plugins, & SEO plugins would also fall into this category.
You can use these types of plugins on an as-needed basis.
Management plugins make the upkeep of your site easier. If you use a service like ManageWP or MainWP to manage multiple sites or send reports to your clients, these would fall into this category. I would also include diagnostic tools like the Health & Troubleshooting plugin in this category.
Management plugins are useful for web agencies and those who happen to run a large number of websites.
Convenience plugins make certain administrative tasks easier on your site but have zero effect on the front-end visitor experience. I’d include in this category anything that replaces what would normally be a server-side function.
The WP File Manager plugin that has caused so much of a problem for almost a million sites is a perfect example of just such a plugin. It allows direct editing of files on your server through the WordPress dashboard.
I avoid using convenience plugins on all my sites. There are certain functions that don’t exist in the WordPress core for a reason. For example, allowing users to upload files or modify files through the WordPress dashboard essentially bypasses the server’s own security mechanisms and is a recipe for trouble.
If you’re a site admin and you find the need for one of these plugins, it’s best to install it while you need it and then remove it immediately afterwards.
Plugins that are still in the WordPress repository, but are no longer supported by the author/developer are abandoned. It can be hard to determine whether this is the case because WordPress doesn’t automatically remove unsupported plugins from the repository.
My rule of thumb is that if a plugin hasn’t had an update in the past year, especially if that year included significant WordPress core updates, it has likely been abandoned by the developer.
You should never use abandoned plugins, even if you can’t find the feature you’re looking for elsewhere. It’s best to simply leave that feature out until a suitable supported replacement is available.
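One way to apply that rule of thumb across a plugin list, as an added example that is not part of the original post: the records below are constructed samples in the shape returned by the WordPress.org plugin information API (`last_updated` as "YYYY-MM-DD h:mmam/pm GMT", `tested` as the highest core version the author declared support for); the age check decides, and a lagging `tested` version is reported alongside it.

```python
"""Flag plugins that look abandoned: no update in the past year, with a
'tested' version behind the running WordPress core reported as extra evidence.
Record layout follows the WordPress.org plugin information API; all sample
data below is constructed, not real plugin metadata."""
from datetime import datetime, timezone

# Constructed sample records (not real plugins).
SAMPLE_PLUGINS = [
    {"slug": "example-forms", "last_updated": "2020-08-20 3:22pm GMT", "tested": "5.5"},
    {"slug": "old-gallery", "last_updated": "2019-03-02 11:05am GMT", "tested": "5.1"},
    {"slug": "stale-widget", "last_updated": "2019-11-28 9:40pm GMT", "tested": "5.3"},
]

def parse_last_updated(value: str) -> datetime:
    """Parse the API's last_updated string into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)

def major_minor(version: str) -> tuple:
    """Compare WordPress versions on their first two components (5.5.3 -> (5, 5))."""
    return tuple(int(part) for part in version.split(".")[:2])

def abandonment_reasons(plugin: dict, today: datetime, current_core: str,
                        max_age_days: int = 365) -> list:
    """Return why a plugin looks abandoned; an empty list means it passes.
    Age is the deciding test; a 'tested' version behind the running core is
    added as supporting evidence that the author is not keeping up."""
    age_days = (today - parse_last_updated(plugin["last_updated"])).days
    if age_days <= max_age_days:
        return []
    reasons = [f"last update {age_days} days ago"]
    if major_minor(plugin["tested"]) < major_minor(current_core):
        reasons.append(f"tested only up to WordPress {plugin['tested']}, core is {current_core}")
    return reasons

def likely_abandoned(plugins: list, today: datetime, current_core: str) -> dict:
    """Map slug -> reasons for every plugin that fails the rule of thumb."""
    flagged = {}
    for plugin in plugins:
        reasons = abandonment_reasons(plugin, today, current_core)
        if reasons:
            flagged[plugin["slug"]] = reasons
    return flagged

def flag_sample_plugins() -> dict:
    """Run the check over the constructed samples as of the post's date."""
    today = datetime(2020, 11, 9, tzinfo=timezone.utc)
    return likely_abandoned(SAMPLE_PLUGINS, today, "5.5.3")

if __name__ == "__main__":
    for slug, reasons in flag_sample_plugins().items():
        print(f"{slug}: {'; '.join(reasons)}")
```

On a real site, the slugs come from `wp plugin list --field=name` and each record from the `plugin_information` action of `https://api.wordpress.org/plugins/info/1.2/`; only `old-gallery` is flagged here, because `stale-widget` is still inside the one-year window despite its older `tested` version.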
If you’ve read this far, you probably already thought of a few plugins that you’d categorize in more than one of these categories – and you’re probably right. Plugins have multiple uses. Elementor Pro, for example, is obviously a design plugin, but it also has contact forms, so it would easily fall into both the design and functional categories.
Ultimately, you want to stay away from convenience plugins and abandoned plugins. These are, by far, the greatest risk to your site security. What they add simply doesn’t balance the risk of an increased attack surface. And if a plugin that you really need becomes abandoned one day, then it’s time to start looking for a replacement.