I’ve made no secret of the fact that I wait for around 4 days before I update plugins on my site. The reason is simple – I want to avoid any bugs that come with new updates. So for me, 4 days is the minimum time I wait since the last change. You won’t believe how many WordPress plugins have buggy updates and then push out fixes over and over – sometimes within a few hours of each other. A few times, the bugfixes themselves introduced bugs!
However, sometimes you need to make an exception to the rule. There's an equally serious matter to consider: security. And it comes in two forms.
1. Plugin Vulnerabilities are Discovered – Update Immediately!
Lately, there have been quite a few high-profile vulnerabilities discovered in popular WordPress plugins. One of these was Ninja Forms – a plugin I have recommended myself here on NameHero, and one that I use on my own site, WP-Tweaks. Ninja Forms has over a million users, and Wordfence discovered 4 severe vulnerabilities in it, one of which allowed attackers to redirect users to sites the attacker controlled. The vulnerabilities were quickly patched.
And this is where reading the patch notes comes into play. If you see that a plugin is urgently fixing a vulnerability, you should update immediately, and not wait. Once a vulnerability is publicly disclosed, attackers start scanning for sites still running the old version, so the slight risk that the patch itself breaks something is outweighed by the risk of your site being compromised.
Sometimes the patch notes will be a bit coy about the reasons and won’t communicate it with the urgency it deserves. For example, here are the patch notes from Ninja Forms when they fixed their plugin:
At least they had a section labeled “Security” under which they placed the important patch notes! Many other plugins won’t be so conscientious. Still, I wish they would have reworded it to reflect the urgency of the patch.
Another vulnerability was discovered in the popular NextGen Gallery plugin, allowing for a complete site takeover. With over 800,000 users, it was quite a high-profile disclosure, and it was patched impressively fast. This is yet another case where it was important to update the plugin as soon as possible.
But this runs smack into another related issue.
2. Malware Deliberately Introduced by the Plugin’s Author
A distressing trend is apparent these days with previously legit plugins becoming vectors for malware. The process goes something like this:
- An open-source plugin is used and widely trusted by the public
- The author sells the plugin to a 3rd party
- The 3rd party deliberately pushes out an update containing malicious code
This can be very dangerous. WordPress plugins are open-source for the most part. But even so, it's easy to slip in malicious code that can take a long time to detect and correct. A non-WordPress example is the popular Nano Adblocker and Nano Defender Chrome extensions, which started exhibiting suspicious activity in late 2020. The developer jspenguin sold the software to a 3rd party, who then pushed an update containing malicious code through the Chrome Web Store.
This kind of attack is scary because it's introduced precisely by people who have shown themselves to be trustworthy in the past. Users have no way of knowing whether the software they rely on has been sold, and are therefore completely exposed.
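The two rules above (update at once for a security fix, otherwise wait out the cooldown, and be suspicious of a plugin that has changed hands) can be turned into a mechanical pre-update check. The following Python is an added example written for this article; it is not code from Ninja Forms, NextGEN Gallery, Nano Defender or any other project, and every plugin name, version, author, date and changelog line in it is constructed. It parses the `= version =` entries of a readme.txt style changelog, treats an entry that mentions a security fix as "update now", holds any release whose listed author or contributors differ from the baseline recorded at install time (a cheap and only partial signal that the plugin may have been sold, since a transfer of the same account leaves those fields unchanged), and otherwise applies the four-day cooldown from the top of the post.

```python
"""Pre-update gate for WordPress plugins (added example, not plugin code).

Rules: a security-fix changelog entry means update now; a changed author or
contributor list means hold for manual review; everything else waits
COOLDOWN_DAYS after its release date. All sample data here is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

COOLDOWN_DAYS = 4

# Words that make a changelog entry count as a security release.
SECURITY_TERMS = re.compile(
    r"\b(?:security|vulnerabilit(?:y|ies)|cve-\d{4}-\d+|xss|csrf|rce|"
    r"sql injection|privilege escalation|open redirect)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Installed:
    """What is on the site now, recorded when it was last reviewed."""
    slug: str
    version: str
    author: str
    contributors: frozenset[str]


@dataclass(frozen=True)
class Release:
    """The candidate update as listed upstream."""
    version: str
    released: date
    author: str
    contributors: frozenset[str]
    changelog: str  # the "== Changelog ==" section of readme.txt, as text


def changelog_entry(changelog: str, version: str) -> str:
    """Lines under the '= <version> =' heading, or '' if there is no entry."""
    heading = r"^=\s*" + re.escape(version) + r"\s*=\s*$"
    next_heading = r"^=\s*[\w.\-]+\s*=\s*$"
    m = re.search(heading + r"(.*?)(?=" + next_heading + r"|\Z)",
                  changelog, re.MULTILINE | re.DOTALL)
    return m.group(1).strip() if m else ""


def is_security_release(entry: str) -> bool:
    return SECURITY_TERMS.search(entry) is not None


def ownership_changed(installed: Installed, release: Release) -> bool:
    return (installed.author != release.author
            or installed.contributors != release.contributors)


def decide(installed: Installed, release: Release, today: date) -> str:
    """Ownership is checked before the security keyword: a 'security fix'
    from a new owner is exactly the pattern to review, not auto-install."""
    if release.version == installed.version:
        return "up-to-date"
    if ownership_changed(installed, release):
        return "hold-ownership-changed"
    if is_security_release(changelog_entry(release.changelog, release.version)):
        return "update-now-security"
    if (today - release.released).days < COOLDOWN_DAYS:
        return "wait"
    return "update"


# ---- constructed sample data (hypothetical plugin "example-forms") ----
SAMPLE_CHANGELOG = """\
== Changelog ==

= 3.4.34 =
* Security: fix an open redirect in the OAuth connection handler.
* Bug fix: form preview now loads on PHP 8.

= 3.4.33 =
* Add merge tags for submission metadata.
"""
INSTALLED = Installed("example-forms", "3.4.32", "Example Plugins LLC",
                      frozenset({"exampledev"}))
SECURITY_RELEASE = Release("3.4.34", date(2021, 2, 16), "Example Plugins LLC",
                           frozenset({"exampledev"}), SAMPLE_CHANGELOG)
# Same release text, but the listing now names a different author/contributor.
SOLD_RELEASE = Release("3.4.34", date(2021, 2, 16), "NewOwner Co",
                       frozenset({"newowner"}), SAMPLE_CHANGELOG)
FEATURE_RELEASE = Release("3.4.33", date(2021, 3, 1), "Example Plugins LLC",
                          frozenset({"exampledev"}), SAMPLE_CHANGELOG)


def demo() -> dict[str, str]:
    """The four situations a site owner meets; returns case -> decision."""
    return {
        "security fix, one day old": decide(INSTALLED, SECURITY_RELEASE, date(2021, 2, 17)),
        "same fix from a new owner": decide(INSTALLED, SOLD_RELEASE, date(2021, 2, 17)),
        "feature release, two days old": decide(INSTALLED, FEATURE_RELEASE, date(2021, 3, 3)),
        "feature release, four days old": decide(INSTALLED, FEATURE_RELEASE, date(2021, 3, 5)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

In practice the `Installed` baseline would be written down once per plugin (the author and contributor names shown on the plugin's listing page) and the `Release` fields filled from the new version's readme.txt before it is installed; the keyword list is deliberately short and will miss coy changelogs like the one described above, which is why it errs on the side of "update now" only when the words are actually there.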
You Have to Monitor the News
Unfortunately, there's no easy way around the second kind of attack. As a site owner, you simply have to keep up to date with the latest developments on your software. Google News does a good job of learning from my interests and surfacing potentially useful stories, which is why I knew about the examples above. But it's not "set it and forget it". You need to be actively engaged with the news about your software stack so that you're not caught napping.
It’s a scary thing to have so much responsibility. But I see no way of evading it.
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!