Three major WordPress plugins were recently found to contain SQL injection vulnerabilities, leaving the sites of more than 150,000 users exposed to attack.
Fortunately, the vulnerable plugins have since been patched, helping to protect businesses that depend on them.
Aside from updating your software, we outline some simple ways WordPress users can stay safe when using the tool.
And, given WordPress's chequered security history and the variety of competing website builders available, we also discuss whether it's worth sticking with the platform at all.
Critical SQL WordPress Vulnerability Has Been Patched
According to a proof of concept (PoC) reported by BleepingComputer, three popular WordPress plugins were found vulnerable to SQL injection, a type of security flaw in which attacker-controlled input ends up inside a database query, letting an attacker read, modify or delete data in the site's database.
The plugins, Paid Memberships Pro, Easy Digital Downloads and Survey Maker, which boast 100,000, 50,000 and 3,000 installations respectively, were reported vulnerable in December 2022 but have thankfully since been patched by their authors.
Now these flaws have been addressed, businesses using the plugins are protected, but only once they are running the patched versions. Plugin auto-updates are off by default in WordPress, so check the Plugins page in your dashboard and update any of the three that are still on an older version; updating WordPress core alone does not fix a plugin flaw.
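To make the SQL injection class concrete, here is an added example (not code from the page or from any of the affected plugins) showing the pattern behind most plugin SQLi and its fix. It is written in Python against an in-memory SQLite database with a constructed, hypothetical schema; the WordPress equivalent of the placeholder-based fix is $wpdb->prepare(), and the equivalent of the integer-cast defence is absint(). The table and column names and the sample rows are invented for illustration.

```python
import sqlite3

# Constructed sample data: a hypothetical membership table plus a users table
# holding a fake password hash. Nothing here reflects a real plugin's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT, level TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO members VALUES (1, 'alice@example.com', 'gold');
        INSERT INTO members VALUES (2, 'bob@example.com', 'free');
        INSERT INTO users VALUES (1, 'admin', '$P$fakehash');
    """)
    return conn


def lookup_member_vulnerable(conn, member_id):
    # The classic mistake: a request parameter is pasted straight into the
    # query text, so the quote character in the input ends the string literal
    # and everything after it is executed as SQL.
    sql = "SELECT email, level FROM members WHERE id = '" + member_id + "'"
    return sorted(conn.execute(sql).fetchall())


def lookup_member_safe(conn, member_id):
    # Parameterised query: the driver sends the value separately from the SQL,
    # so the input can never change the query's structure. In a WordPress
    # plugin this is $wpdb->prepare("... WHERE id = %d", $id).
    sql = "SELECT email, level FROM members WHERE id = ?"
    return sorted(conn.execute(sql, (member_id,)).fetchall())


def lookup_member_safe_typed(conn, member_id):
    # Defence in depth for numeric identifiers: reject anything that is not an
    # integer before it reaches the database (WordPress: absint()).
    try:
        as_int = int(member_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT email, level FROM members WHERE id = ?"
    return sorted(conn.execute(sql, (as_int,)).fetchall())


# A UNION-based payload: closes the string, appends a second SELECT that pulls
# rows from a different table, and comments out the trailing quote.
PAYLOAD = "1' UNION SELECT user_login, user_pass FROM users -- "


def demo():
    conn = make_db()
    return {
        "vulnerable_normal": lookup_member_vulnerable(conn, "1"),
        "vulnerable_payload": lookup_member_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_member_safe(conn, "1"),
        "safe_payload": lookup_member_safe(conn, PAYLOAD),
        "typed_payload": lookup_member_safe_typed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Against the vulnerable function the payload returns the admin login and password hash alongside the legitimate member row; the two hardened functions return the same data as before for a normal id and nothing at all for the payload. The lesson for plugin authors is that every value that reaches a query, not just ones that look like free text, goes through prepare().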
WordPress: a Popular Target for Cybercriminals?
While this issue was resolved relatively quickly, this isn't WordPress's only security blunder of late.
Earlier this month, the U.S. government's National Vulnerability Database warned users of a vulnerability located in ‘Popup Maker', a WordPress plugin that boasts over 700,000 installations.
Linux malware that targets WordPress sites has also been detected recently, with security researchers suspecting it has been active for as long as three years.
WordPress's vulnerabilities also have a habit of being fairly severe, with 8 out of 10 falling into the "medium" or "high" risk tier according to the Common Vulnerability Scoring System (see graph below).
But why does WordPress seem so exposed? WordPress and its plugins are open source, so anyone, attackers included, can read the code and look for flaws. The bigger factor, though, is its huge ecosystem of third-party plugins of varying quality: that is where most WordPress vulnerabilities, including the three above, are found.
WordPress is one of the most popular content management systems on the market too, making it an even more attractive target for hackers.
How to Stay Safe using WordPress
Despite the application's flaws, there are a number of steps users can follow to evade threats.
- Keep WordPress and its plugins updated – Failing to update the builder and its plugins routinely could leave you defenceless against a number of hazards, including the SQL injection flaws found in the popular plugins above.
- Secure your password – Strong, unique passwords are one of the most effective defences against brute-force and credential-stuffing attacks on your admin login. Don't like remembering long and clunky codes? Password managers are your best friend.
- Install security plugins – Not all plugins carry risks. By downloading effective security plugins like Defender and Wordfence Security, the hard work can be done for you.
- Install antivirus software – If you're looking to take your cybersecurity one step further, antivirus software is an effective way to protect personal and business systems.
Should WordPress Users Look Elsewhere?
Thanks to WordPress's powerful media management features and block-based editor, our research suggests the tool is the number one option for bloggers and publishing sites.
However, WordPress is far from the best website builder we've reviewed; that accolade goes to Wix. What's more, the builder's security issues are hard to overlook, and we would recommend using a site with free SSL security, like Weebly.
Still undecided? Read our review of the best website builders to find out which solutions will be able to meet your needs the most.