Recently, NextGEN Gallery, a popular WordPress photo gallery plugin, was found to have a security vulnerability. Graham Cluley covered it over on Tripwire.com and made clear why it is important to keep WordPress plugins updated:
“…many sites may not recognise just how important it is to update to NextGEN Gallery 2.1.79. After all, the plugin’s own changelog makes no reference to a critical security vulnerability being fixed.”
We at RED use several sources to stay aware of plugin vulnerabilities, and we notify clients whose sites are affected. For clients who have opted for a security package, we apply the fix as soon as we learn of the vulnerability, and we keep their WordPress plugins updated on a regular schedule regardless. For clients who prefer that nothing be updated until there is an explicit security warning, this case should serve as a cautionary tale: you may not always know there is a security issue.
In the comments on Cluley’s article, the plugin developers defended their decision this way:
“2) On the changelog, our goal was to get as many users as possible updated before bringing attention to the vulnerability.
“Any of us who support hugely popular WordPress components get very familiar with our users’ update patterns. The important point here is that announcing a vulnerability does NOT affect the pace at which WP plugin users update. What drives updates is simply the appearance of an available update in the dashboard.
“To put numbers on this: For any update we push, we get about 100K updates in the first week. If we were to fully announce a security vulnerability – put it in the changelog, post about it, share on social – that number would hardly change. Most WP users simply do not pay attention to changelogs or to blog posts from plugin makers. Those who do are generally the kind who update quickly anyway.
“So our approach allowed us to get the huge, natural surge of updates done prior to announcing the vulnerability. As a result, we had about 100K people updated before this vulnerability was announced.”
We won’t argue with that reasoning, insofar as it is well established that once a vulnerability is made public, attackers start scanning for sites that have not yet patched. Nonetheless, once the vulnerability has been publicized and a fix is available, users should be told plainly that older versions are vulnerable, so that anyone who has not yet updated understands the urgency.
At any rate, this points out an important fact: not all security issues are noted in changelogs. Keep your WordPress plugins updated.
You might be fixing a security hole even though it isn’t mentioned explicitly.