This week I will talk about the importance of removing unused code and components from your websites.
Simply disabling a theme or plugin is not enough – reviewing and deleting these things has to become a habit.
I will also cover a few vulnerability highlights, including 10 abandoned components that have known unpatched vulnerabilities in them.
That, by the way, is another reason to regularly review your plugins.
In this week’s knowledge share, I will be talking about the risk of leaving unused components on your websites. I can summarize this whole knowledge share in the following phrase:
If you’re not using it, remove it.
This is a simple concept, but often overlooked.
Remembering to remove any unused plugins and themes is boring work. It is like keeping your office or home clean and tidy.
The only difference is, in your office or kitchen, you will get a reminder if you forget to clean your trash bin out in 3 weeks, from the smell or from the rodents gathering.
Your website, on the other hand, will happily keep running with a bunch of extra, unnecessary code on it until it gets hacked.
This process, of cleaning up unused code is a part of a formal security process known as reducing an attack surface. By having less code, attackers have fewer potential targets on your website.
The most common place to look for unused code would be a website’s disabled or deactivated plugins and themes.
And when you find it, remember – if you’re not using it, remove it.
Unused plugins and themes are a threat
One extremely dangerous and widespread vulnerability associated with many WordPress themes was able to infect websites even if the insecure theme was disabled.
You may have heard of timthumb vulnerabilities (if not, Google it).
The timthumb vulnerabilities are still being exploited – even if you upload and never activate a theme with a timthumb vulnerability in it, the attackers can still compromise the website.
Don’t forget to check the site’s filesystem too. If someone installed or uploaded a one-off script like adminer.php, or left a backup file that may contain sensitive data (some examples would be a backup of wp-config.php or a database backup file).
These things should be removed when their purpose is served.
If you need to manage the database with adminer.php in the future, re-upload it just for that case, and if you are storing backups in web-accessible directories, download them and delete them from the server.
Schedule regular unused code review
Scheduling this task is important.
You need to have a reminder to check your sites for unused code.
This reminder could be connected to any time the website’s plugins are updated or new functionality is added.
You could also schedule this periodically, like once a year or quarterly if you have the time. Otherwise, it is easy to forget to do. So, set a time and put aside a few minutes (or hours depending on how many sites you need to go through) and start removing all the code you’re not using.
This may be a good time to double-check another important aspect of your site’s security, one having to do with the active plugins and themes.
You should be periodically checking to see that the components your sites are using are still being regularly updated and supported by their developers. Heck, while you’re at it, maybe you can see if they have a donation link or way to support the project and give back.
I talked about how to choose secure plugins in WordPress a few weeks ago, you can check it out to find more details.
This plugin review, will take a little longer than just, so maybe it is the sort of thing to do maybe once a year … maybe some time around the holidays.
In this week’s vulnerability news, I want to let users of the following plugins know they need to look for alternatives or remove the plugins from their sites ASAP.
Unfortunately, these plugins have been removed from their respective repositories – likely due to inaction from the developer. To make matters worse they have known and unpatched security bugs in their code.
Luckily, they are only affected by lower risk vulnerabilities such as Cross-Site Request Forgery or Authenticated Cross-Site Scripting.
The more serious concern is that these plugins may have been abandoned by their developers.
Vulnerable and abandoned plugins
- Gallery for Social Photo (feed-instagram-lite) – Cross-Site Request Forgery
- Image Slider plugin (image-slider-widget) – Cross-Site Request Forgery
- AnyMind Widget (anymind-widget) – Cross-Site Request Forgery
- FreeMind WP Browser (freemind-wp-browser) – Cross-Site Request Forgery
- Progressive License (progressive-license) – Cross-Site Request Forgery
- Allow SVG Files (asf-allow-svg-files) – Authenticated Stored Cross-Site Scripting
- Flexi Quote Rotator (flexi-quote-rotator) – Authenticated Stored Cross-Site Scripting
- Popups (popups)- Authenticated Stored Cross-Site Scripting
- Invitation Based Registrations (invitation-based-registrations) – Authenticated Stored Cross-Site Scripting
- Copyright Proof (digiproveblog) – Reflected Cross-Site-Scripting
Finally, I wanted to include a reminder that there are many plugins with great developers who have the time and commitment to address security issues.
WP Visitor Statistics vulnerability
The WP Visitor Statistics plugin developers have patched multiple SQL injection security bugs in the plugin recently- great job and you’ll be the first person I thank this week.
Thanks and appreciation
This week’s thanks goes out to the developers of the WP Visitor Statistics (Real Time Traffic) plugin – thank you for patching those unauthenticated SQL injection security bugs.
Further thanks goes out to all of the developers out there who are continuing to support their projects and their users.
Open source can sometimes seem like a thankless job, but I see you putting in the work. Thank you for your efforts.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!