Welcome to the Patchstack Weekly Security Update, Episode 60! This update is for week 8 of 2023.
This week’s news is about static sites and security. Did you know with the right plugin WordPress can be used to generate HTML? If you have a non-interactive website, you could benefit from using static sites to practically guarantee security.
This week’s vulnerability roundup will list over a dozen WordPress plugins that have unpatched security bugs in them. Most of these were reported through the Patchstack Alliance. While it is unfortunate the plugins were removed from the WordPress.org repository, it is a good thing that site owners will not be able to easily install these unsupported, possibly abandoned plugins on their WordPress websites.
The benefits of a static WordPress site
Did you know WordPress can be used to generate static HTML? Well, with the right plugin it can.
Converting to a static site may be an ideal way to manage some websites. Some examples would be brochure websites that direct the visitor to a brick-and-mortar store (with no online sales) or public journals or blogs would also be highly appropriate (as long as comments are disabled.)
A static website differs from a normal WordPress installation because it requires two separate components:
- A WordPress installation to generate static HTML files. You will want this installation only accessible by the site owner.
- A basic hosting account for the HTML files. This will be the site you point your DNS to, and people would visit.
This separation of HTML generation and hosting provides a lot of benefits (and a few drawbacks) which I will share with you now.
Static is the ultimate cache
If you believe caching plugins gives a performance boost. You can think of static sites as the ultimate cache. With static sites, you use the WordPress backend to add new or modify posts, content or even the design of the website. When you’re done with your changes, you export and upload the site’s files to your hosting provider (just like we did back in the 90s!) Once you do the changes are live and your site will be faster than any caching plugin could offer.
Static is secure
Using a static website removes almost all possible security threats. Think about it. What can get hacked? There is no database, it is just HTML files. There is no wp-login.php for bots to brute force either.
There are a few attacks I can think of, such as DOM-based or reflected XSS or your sFTP password could get compromised. But these threats affect dynamic WordPress websites just the same.
Never worry about updates
Since there is virtually no risk of vulnerabilities, you can rest easy. You will still have to update the WordPress installation you use to generate the static HTML from time to time, but this installation should only be accessible to the site owner. Allowing you to have a leisurely pace when it comes time to update.
The drawback – limited features
The biggest drawback of static sites is that the site will not be interactive. This means no contact forms, no e-commerce, no newsletters, no comments, etc… at least not directly managed by the website itself.
There are ways to make these features work in static websites, by using JAMstack design methods or headless WordPress. But that is a talk for another Patchstack weekly.
This drawback of limited features could be made up for not only by improved security and performance but also by reduced hosting fees. It is probably the first time I will get to say this, but it is …
The less expensive option is more secure.
Sites that can switch to static files instead of dynamically generated content can save a ton on hosting fees. There are multiple extremely affordable options (I’m talking the cost of a coffee or less per month) and even free options offered by GitHub, Google, CloudFlare, and more.
Static files may not be a right fit for every website but if you can go static, I recommend you do. Your site will be more secure, more performant, and cost less!
For dynamic web applications though, static files are not an option. This is why it is important dynamic web applications have robust security programs that include things like a security.txt file, preventative WordPress security, and vPatching.
The Patchstack Database added over 80 new vulnerability records in the last week, of which 80% received a timely patch from their respective developers. Unfortunately, that also means 16 of those 80 did not receive a patch. That is one in five, and should emphasize the importance of choosing actively developed plugins and supporting your plugin developers. Without your support, these open source projects will not thrive.
Here is the list of possibly abandoned plugins that have unpatched security bugs disclosed in the last week.
- fontiran – Broken Access Controls
- wp-post-comment-rating – Unauthenticated Vote Manipulation
- olevmedia-shortcodes – Authenticated XSS
- eyes-only-user-access-shortcode – Authenticated XSS
- tapfiliate – Authenticated XSS
- facebook-like-send-button – Authenticated XSS
- service-area-postcode-checker – Authenticated XSS
- upload-file-type-settings-plugin – Authenticated XSS
- download-info-page – Authenticated XSS
- sticky-ad-bar – Authenticated XSS
- open-social – Authenticated XSS
- vslider – Authenticated XSS
- ultimate-wp-query-search-filter – Authenticated XSS
- feed-changer- Authenticated XSS
- nooz – Authenticated XSS
- wp-baidu-submit – Authenticated XSS
Thanks and appreciation
This week’s thanks goes out to the hard working security researchers behind the Patchstack Alliance. Without your efforts identifying, verifying, and reporting these security bugs then they would never be getting addressed. And more insecure projects would continue to be distributed to unsuspecting websites.
A special thank you goes out to the people putting the hard work in behind the WordPress plugin repository. The extraordinary effort of wrangling over 50,000 plugins is not missed by me. Keep up the good work behind the scenes that keeps that repository running smoothly and safely.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!