Yoast SEO – Authenticated Race Condition


On the 20th November 2018, That Tech Guy was advised that the Yoast plugin, version 9.1, had an Authenticated Race Condition which could lead to command execution by site users with Manager roles.

With today’s coding moving at such a fast pace, it’s becoming a very time-consuming task for business owners to stay up to date with the constant WordPress plugin updates. A lot of business owners are turning to VAs or low-cost solutions to manage their online business assets, but this can be a risky decision for most.

What are WordPress plugins?

If we think of WordPress like Lego, the board we stick the blocks to is WordPress itself; it’s the foundation for what we are going to build. We then add plugins to that foundation to build up a set of blocks that each do a different job in WordPress.

An excellent example of this might be a subscription form; for that we need to use a form plugin. It then sits in WordPress alongside other plugins to make up all the blocks (functions) you need on your WordPress website.

Customising plugins – the right way or the wrong way

This is where things can begin to go wrong with VAs or low-cost solutions. When someone changes a core piece of code in a plugin without following best practice, you can end up with the following scenario.

A website owner asks a VA or developer to make some changes to a form on their website; they would like new functionality added to the form. Instead of using the plugin settings or a child theme function file and adding hooks, they open up the plugin files and make edits directly to the file.

The issue with this is that when the plugin is updated, all those changes are lost. The more pressing issue that I see daily is that the site owner is not sure whether the changes were done the right way or the wrong way, so they don’t update the plugin for fear of it breaking their website.
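As an added example (not code from this post or from Yoast), this is what the right way looks like: a child theme functions.php that changes what a plugin outputs through the filters the plugin exposes, so the plugin’s own files are never touched and the next update can be applied without hesitation. The filter names wpseo_title and wpseo_metadesc and the plugin path wordpress-seo/wp-seo.php are Yoast SEO’s; the two customisations themselves and the use of the mbstring functions are assumptions for this illustration.

```php
<?php
// wp-content/themes/<child-theme>/functions.php
// Added example, not code from the post or from Yoast. The plugin directory is
// never edited: behaviour is changed through hooks the plugin exposes, so the
// change survives "Update now". Assumed requirement: label archive titles and
// keep meta descriptions within 155 characters (mbstring assumed available).

// Only wire the hooks up when Yoast SEO is active, so the theme keeps working
// (and does not fatal) if the plugin is disabled or removed.
if ( ! function_exists( 'is_plugin_active' ) ) {
	require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

if ( is_plugin_active( 'wordpress-seo/wp-seo.php' ) ) {

	// Change the <title> Yoast builds instead of editing the plugin's code.
	add_filter( 'wpseo_title', function ( $title ) {
		if ( is_archive() ) {
			return $title . ' (Archive)';
		}
		return $title;
	} );

	// Trim over-long meta descriptions at a word boundary.
	add_filter( 'wpseo_metadesc', function ( $description ) {
		$limit = 155;
		if ( mb_strlen( $description ) <= $limit ) {
			return $description;
		}
		$cut   = mb_substr( $description, 0, $limit );
		$space = mb_strrpos( $cut, ' ' );
		if ( false !== $space ) {
			$cut = mb_substr( $cut, 0, $space );
		}
		return rtrim( $cut, ' ,.;:' ) . '...';
	} );
}
```

Because everything lives in the child theme, a later Yoast release replaces the plugin directory without losing these changes, which is exactly what editing wp-seo.php directly cannot offer.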

When a security issue comes up in a plugin like Yoast, which sits in the background at the bottom of the plugins list, it often gets overlooked, or the update is ignored because of the risk that it will break something.

Then your website gets hacked

When a plugin has a security issue, no matter how small, your site becomes a target for bots crawling the internet looking for the plugin and the version that has the security issue; in this case, Yoast 9.1.

If the security issue is not patched fast, by updating the plugin before the POC (proof of concept) is released, normally a week or so later, then your site may be hacked shortly after that. The POC shows hackers how to use the exploit to hack or compromise your site.

At That Tech Guy, we manage many WordPress sites, and we ensure that no plugin is ever customised unless it’s by following best practice and always making sure that updates can be done without hesitation.

That Tech Guy has WordPress management systems in place

These continuously monitor all our client sites for security issues in real time, while also maintaining a rigorous daily backup policy. Our system detected the vulnerability in the Yoast plugin, advised our team immediately, and then performed a safe update on the sites affected.

These customers’ sites were then rescanned and backed up to ensure that their online business assets were secure and their customer data was safe at all times.

If you would like to talk about how That Tech Guy can help you manage your site’s updates, plugins and security, please book a call today by clicking here.
