WordPress site owners are still reminded to keep WordPress Core and add-ons (themes and plugins) up to date. Addons create vulnerabilities when left unattended, which hackers may use to break into a web. But what if a flaw has been found and the plugin’s creator has yet to release an update to fix the problem? So, what do website owners like you do? The aim of this post is to address a plan for keeping the site secure before the developers release an update.
W3 Total Cache, a common caching plugin, was found to have a cross-site scripting vulnerability in 2016, according to a security blog. W3 Total Cache was one of the most common caching plugins, with over 1 million active instals, and was used by pearsonified.com, mashable.com, and even AT&T’s corporate website. This wasn’t the first time the W3 Total Cache plugin had a security flaw. In fact, Total Cache had a number of vulnerabilities in the past, some of which were even exploited.
There were reports going around at the time of the report about support problems, where users had been trying to connect with the developers for months on end with no progress. The plugin had not been modified in over 7 months, according to one dissatisfied user who commented on a Facebook forum. Concerns about the possible impact of a cross-site scripting vulnerability on websites using W3 Total Cache are understandable at this stage.
W3 Complete Cache published an update almost a week after the vulnerability was made public, patching exploitable loopholes. In addition, they added new features to the product. However, several website owners claimed that the patch broke their sites shortly after it was published. It is not unusual for new updates to destroy websites, which is why it is recommended that you use a staging area. It allows you to test updates on a staging site before committing them to the live site. If the staging site breaks as a result of the update, you can contact the plugin developers without affecting the live site. Although the developers of W3 Total Cache took some time to release a patch, the situation did not turn into a total disaster.
What to Do When Developers Don’t Update Plugin?
WordPress is the most common website-building platform on the planet, and one of the main reasons for this is the availability of plugins, which enable users to easily customise their sites and add features. Many WordPress plugins are created as a side project by developers. When a vulnerability is found, it takes a considerable amount of time and effort to not only locate the issue, but also to create a fix. They may not be able to respond to the plugin vulnerability right away because they have a daily job to attend to. It is not a priority to work on a side project. As a result, the patch’s release is delayed.
WordPress is a global internet culture, and news about any flaw discovered in the core or any of its add-ons (themes and plugins) spreads rapidly. This means that hackers on the lookout for compromised websites will conduct major hacking attacks on them within hours. As a consequence, if a plugin vulnerability is discovered but the developers have yet to release an update, it’s vital to take steps to secure your site. When you’re in a situation like this, here’s what you can do:
- Disable the plugin before the developers release a patch to address the vulnerability.
- Whether it isn’t a premium plugin or a premium version of a plugin, go to the wordpress.org support forum and file a complaint. Hopefully, enough complaints would cause the developers to issue a fix as soon as possible.
- Following the discovery of a vulnerability, it normally takes more than 48 hours for an update to be released.
- If it takes longer, contact the developers and let them know about the problem. Cite your source, or the source from which you learned of the weakness. There must be a ‘contact us’ tab or an email address somewhere on the plugin’s official website. Send them an email.
- In the meantime, you can use an alternate plugin to keep your site up and running. When a plugin stops running, it’s always a good idea to have a backup plan in place.
As previously mentioned, many of the plugins in the WordPress plugin repository are created as a hobby or side project. This means that a developer working on a free product can stop working on it at any time. As a result, many security experts only suggest using premium plugins developed by well-known and respected community developers. Developers who aren’t paying for the plugins or themes they make are more likely to devote less time to developing or maintaining them. They may have a full-time job that keeps them busy and covers their bills, making it unnecessary to spend time in a product that does not have a monetary gain.
Vulnerabilities will appear in WordPress plugins, whether they are created by a professional or a novice. If you continue to use the defunct theme/plugin, there will be no maintenance and, as a result, no updates. When an error happens, you can contact the plugin’s developers, but because the plugin’s team of developers has abandoned it, you won’t get any aid. This puts you, the consumer, in a bind because moving to a different plugin or theme necessitates reinvesting time and effort, but it is the only viable choice. Good website security practises encourage users to follow a few guidelines when selecting a plugin. We’ve compiled a list of them below:
- Choose a plugin created by a well-known developer to avoid being stuck with a plugin that has been abandoned by its maker.
- Make sure the plugin is modified on a regular basis, as this indicates that the developers are addressing any bugs that hackers may have exploited to gain access to your web. Check the WordPress archive for the most recent version.
Instead of using a free plugin, invest in a premium one. If a plugin has a free version, check it out and see if it suits your needs, but we recommend upgrading to the paid version. As we previously mentioned, free plugins may be abandoned, or critical changes may take too long to roll out.
We hope that this article will assist you in deciding what to do if a developer fails to update his plugin. Thank you for taking the time to read this, and if you have any questions, please contact us.