Recent news has covered information exposed by the “Panama Papers Breach”, which resulted in a huge leak of millions of emails containing financially-sensitive information. Hit hardest were world leaders and powerful people who were exposed hiding large sums of money offshore. The breach created a number of sticky controversies around world leaders, and is cited as the reason for the Prime Minister of Iceland’s sudden resignation.
But what does this have to do with me and my WordPress site?
A number of agencies and techies alike started to investigate how one of the largest leaks of sensitive data occurred. WordFence.com recently posted an article detailing how the hackers most likely accessed sensitive servers through a public WordPress site with non-updated plugins, more specifically through an old version of Slider Revolution.
“What!?!” you say, “I have Slider Revolution running on my site. Am I safe?”
Keep in mind that the hackers exploited a vulnerability specifically on this high-value target site. The key takeaway from this is that it is crucial for you to keep all of your WordPress themes and plugins updated to the most recent versions at all times. Vulnerabilities can be found in even premium and well-supported plugins, such as Revolution Slider. Best to keep all back doors shut.
How could this happen to a large company?
This could be a case of “it happens to the best of us”. Many people and companies believe that once the website is built, then they are done fiddling with it.
WordPress is powerful: it allows you to easily update your site, add features or new functionality, and it comes with quality SEO structures. It is important, though, to understand how it differs from a cluster of static HTML pages. It is connected to a database and uses PHP to dynamically render pages based on the functionality included in the theme and plugins you have chosen to install on the site. These are much more complex than an HTML page and some images. In effect, you are installing a number of mini programs to run your site.
Therefore, there are frequent updates by theme and plugin developers to keep everything working well. At least, by developers who are actively maintaining their WordPress themes and plugins. And then you need to be proactive in applying those updates as they roll out.
Easier said than done sometimes. Updates need to be monitored, applied (sometimes requiring additional technical knowledge), and tested, as they can lead to plugin conflicts and new problems. This needs to be done by someone with good WordPress knowledge and a solid understanding of versioning and testing processes.
Should I avoid the Slider Revolution plugin?
Not so. Slider Revolution is a quality premium plugin that packs a punch with a number of technically forward features, plus they support their product. I have used it on a number of websites and have been impressed by ThemePunch’s responses and support team. Again, keep your themes and plugins updated frequently. Don’t wait until the end of the month or once a quarter to do this. That’s the takeaway.
Sneaky Issue – Bundled Plugins
Part of the issue is that Slider Revolution, like a number of popular premium plugins, is often packaged with themes you can purchase on ThemeForest.com. While you can get a number of quality and well-supported themes on that marketplace, the quality of the developers can vary. It is then up to the theme developers to roll out new versions of plugins bundled with their theme, and not all of them do so in a timely manner.
Another issue to note when you purchase a theme on ThemeForest.com is that it forgoes the version control within WordPress. So often, a new version alert will not appear in your WordPress dashboard as it does with other themes and plugins. Instead, you have to rely on update emails from ThemeForest.com, then download and manually install the updates yourself.
An alternative is to use Envato Toolkit to see that there are new theme versions and then auto update from there, but you have to proactively go into Envato Toolkit to check for new versions. There is no alert displayed on the WordPress dashboard. Plus, the auto update feature within Envato Toolkit typically only updates main theme files, and often does not include updates to bundled plugins. Instead, you have to log in to ThemeForest, download all of the theme files, locate the updated plugin zip files, and manually update the plugin yourself. Because these updates are performed manually, outside of the WordPress update functionality, they often result in the loss of data and require additional steps to recover.
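
Because bundled plugin copies never raise an alert in the dashboard, one way to find them is to read the version headers straight from the files. The script below is an added example, not code from WordPress, Envato or ThemePunch: it lists every installed plugin, and every plugin zip shipped inside a theme folder, that is older than a minimum version you supply. The plugin name "Example Slider", its version numbers, the demo theme layout and the minimum version are all constructed for illustration.

```python
import re, tempfile, zipfile
from pathlib import Path

# WordPress reads plugin metadata from a comment header in the plugin's main PHP file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_header(php_text):
    """Return (name, version) from a plugin header, or None if the file has none."""
    found = reversed(HEADER.findall(php_text[:8192]))  # reversed: first occurrence wins
    fields = {key.lower(): value for key, value in found}
    return (fields["plugin name"], fields.get("version", "unknown")) if "plugin name" in fields else None

def version_key(version):
    """'4.1.4' -> (4, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def inventory(wp_content):
    """Yield (name, version, location) for installed plugins and plugin zips inside themes."""
    root = Path(wp_content)
    for php in sorted(root.glob("plugins/*/*.php")):
        meta = parse_header(php.read_text(errors="replace"))
        if meta:
            yield (*meta, php.relative_to(root).as_posix())
    for zpath in sorted(root.glob("themes/**/*.zip")):
        with zipfile.ZipFile(zpath) as z:
            for member in z.namelist():  # main plugin file sits one folder deep in the zip
                if member.endswith(".php") and member.count("/") == 1:
                    meta = parse_header(z.read(member).decode(errors="replace"))
                    if meta:
                        yield (*meta, f"{zpath.relative_to(root).as_posix()}!{member}")

def outdated(wp_content, minimums):
    """Entries older than the minimum version the operator supplies per plugin name."""
    return [e for e in inventory(wp_content)
            if e[0] in minimums and version_key(e[1]) < version_key(minimums[e[0]])]

def demo():
    """Constructed sample tree: a current installed plugin and an older copy in a theme zip."""
    header = "<?php\n/*\n * Plugin Name: Example Slider\n * Version: %s\n */\n"
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp, "plugins/example-slider/example-slider.php")
        plugin.parent.mkdir(parents=True)
        plugin.write_text(header % "5.2.0")
        bundle = Path(tmp, "themes/demo-theme/plugins/example-slider.zip")
        bundle.parent.mkdir(parents=True)
        with zipfile.ZipFile(bundle, "w") as z:
            z.writestr("example-slider/example-slider.php", header % "4.1.0")
        return outdated(tmp, {"Example Slider": "5.0.0"})  # constructed minimum version

if __name__ == "__main__":
    print(demo())
```

On a real site, call `outdated()` with the path to your `wp-content` folder and the minimum versions taken from each plugin vendor's changelog.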