
What is An Abandoned Plugin? (In WordPress)


WordPress is an open source content management system (CMS). This means that it is maintained by a community of developers, and it can be modified and used freely. The core WordPress software includes the key functionality required to create a basic website. Additional functionality can then be added to an individual WordPress install, either directly or in the form of a plugin.

Plugins extend WordPress functionality and add additional options. There’s a plugin available to do just about everything, from adding secure contact forms to building membership functionality into your site.

Anyone with software development knowledge can create a WordPress plugin and use it on their own sites or share it with others. The official WordPress plugin repository contains plugins that have been reviewed by the WordPress team themselves. This does not necessarily mean a plugin is high quality; it only means that each plugin in the repository passes the WordPress team’s guidelines for plugin development.

Anyone can add a plugin to the repository, so individual developers and developer teams are continually adding new plugins as well as updates to their existing plugins. Additionally, the WordPress core software updates regularly as the community team continues to build and refine features, which requires plugin developers to update their plugins to keep up.

This can, of course, lead to broken functionality or security vulnerabilities as the internet ecosystem continues to evolve and change.

It’s a common misconception that websites are simply “secure” or “insecure”. The reality is that security exists on a broad, nuanced spectrum. Further, security requirements change over time, as developers, attackers, and security professionals continue to refine their skills.

One of the best ways to prevent security vulnerabilities is to keep up with these ecosystem changes by keeping your core WordPress install, and any associated plugins, up to date. As new versions of WordPress and its plugins are released, continuing to update your plugins, or staying on a web development agency’s website maintenance plan (see ours here), helps prevent your site from falling behind and becoming a liability.

Of course, the continually updating nature of the internet means that it is a bit of a hamster wheel for developers. Developers who have crafted plugins, including those who have added plugins to the official WordPress repository, must continue to keep those plugins updated and maintained as things change. In many cases, developers simply run out of time to maintain the plugin, and the plugin becomes what’s known as “abandoned”.

Officially, WordPress classifies a plugin as “abandoned” if it has not received any updates within the last two years. That is a long time in the grand scheme of the internet, which is why an abandoned plugin is considered a significant security risk.
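The two-year rule above is easy to check for yourself. The following Python script is an added example, not code from the original article: it combines the kind of JSON that `wp plugin list --format=json` produces with the `last_updated` field returned by the WordPress.org plugin information API, and flags each installed plugin as abandoned, out of date, unknown upstream, or OK. The plugin names, versions, dates and the audit date are all constructed sample data; the `parse_wporg_date` format string assumes the API’s usual `YYYY-MM-DD h:MMam/pm GMT` timestamp.

```python
"""Audit installed WordPress plugins against the two-year "abandoned" rule.

Added example (not from the original article). The sample data below is
constructed; in practice you would load the plugin list from
`wp plugin list --format=json` and the upstream record from
https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&slug=<slug>
"""
import json
from datetime import datetime, timedelta, timezone

# WordPress.org treats a plugin with no update in two years as abandoned.
ABANDONED_AFTER = timedelta(days=2 * 365)

# Constructed sample, shaped like `wp plugin list --format=json` output.
WP_PLUGIN_LIST = json.dumps([
    {"name": "example-forms", "status": "active", "update": "available", "version": "1.4.0"},
    {"name": "example-gallery", "status": "active", "update": "none", "version": "2.0.1"},
    {"name": "example-legacy-widget", "status": "inactive", "update": "none", "version": "0.9"},
    {"name": "in-house-tweaks", "status": "active", "update": "none", "version": "0.1"},
])

# Constructed sample, shaped like the plugin information API's response
# (only the fields this audit needs). "in-house-tweaks" is deliberately
# absent: a plugin that is not in the directory has nobody tracking it.
UPSTREAM_INFO = {
    "example-forms": {"last_updated": "2024-05-02 7:31pm GMT", "version": "1.5.0"},
    "example-gallery": {"last_updated": "2023-11-20 9:05am GMT", "version": "2.0.1"},
    "example-legacy-widget": {"last_updated": "2021-01-15 3:12pm GMT", "version": "0.9"},
}

# Constructed audit date, fixed so the example is reproducible.
AUDIT_DATE = datetime(2025, 1, 10, tzinfo=timezone.utc)


def parse_wporg_date(value):
    """Parse the API's 'YYYY-MM-DD h:MMam/pm GMT' string into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def audit_plugins(wp_plugin_list_json, upstream_info, today):
    """Return {slug: finding} for every installed plugin.

    Findings: 'abandoned' (no upstream update within ABANDONED_AFTER),
    'update-available' (a newer release exists), 'unknown-upstream'
    (not in the directory, so it must be reviewed by hand) or 'ok'.
    """
    findings = {}
    for plugin in json.loads(wp_plugin_list_json):
        slug = plugin["name"]
        info = upstream_info.get(slug)
        if info is None:
            findings[slug] = "unknown-upstream"
            continue
        last_update = parse_wporg_date(info["last_updated"])
        if today - last_update > ABANDONED_AFTER:
            # Abandonment takes priority: even a fully patched copy of a
            # plugin nobody maintains is a liability.
            findings[slug] = "abandoned"
        elif plugin["update"] == "available" or plugin["version"] != info["version"]:
            # WP-CLI's update flag can lag the directory, so also compare versions.
            findings[slug] = "update-available"
        else:
            findings[slug] = "ok"
    return findings


if __name__ == "__main__":
    for slug, finding in sorted(audit_plugins(WP_PLUGIN_LIST, UPSTREAM_INFO, AUDIT_DATE).items()):
        print(f"{slug:24} {finding}")
```

Plugins reported as `abandoned` or `unknown-upstream` are the ones to replace or remove; `update-available` entries should simply be updated as part of routine maintenance.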

Security company Sucuri’s research shows that the most common way for hackers to gain unauthorized access to a WordPress site is by exploiting vulnerabilities in out-of-date plugins.

The impact of an abandoned plugin varies in severity. Some may be perfectly functional and secure, with no code that requires changes. Others may need significant updates, leaving them with serious vulnerabilities or even broken functionality.

Reviewing a plugin’s full code is a tremendous undertaking. As a result, it’s usually best to find a maintained alternative to the abandoned plugin, or simply remove the plugin altogether.

Reach out to us if you need help with an abandoned plugin on your WordPress site.
