Today an interesting article landed in my inbox, from Wordfence.
“WordPress Supply Chain Attacks: An Emerging Threat”
As you might know, we highly recommend the use of website security plugins, such as Wordfence, and we take on board their opinions and recommendations.
I found their article important, and all website owners and developers should take note.
This is an excerpt of the article:
“In the last few months, we have discovered a number of supply chain attacks targeting WordPress plugins. In this post, we explain what a supply chain attack is, why WordPress is an attractive target for them, and what you can do to protect your site.
What Is a Supply Chain Attack?
In the software industry, a supply chain attack exploits a trusted relationship between software vendors or authors and their customers. For WordPress, that means figuring out how to embed malware into software updates. In one case, we saw an existing plugin author install malware on customer sites in an effort to monetize an existing plugin. In every other case we have uncovered, the attack was carried out by someone who had purchased the plugin with the express intention of attacking its users.”
Wordfence then goes on to explain recent WordPress supply chain attacks that they have discovered, and the reasons that they feel WordPress is an attractive target. I agree with all the points they make, in particular point 2 (Scan your site for malware regularly.) and point 5 (Consider removing or replacing abandoned plugins.).
When working for the first time on established WordPress websites, I go through the plugins. Often I find ones that are outdated, legacy and no longer supported. I let my clients know that I recommend the removal of such plugins, and I seek out new, comparable plugins for them that add similar functionality.
Back to point 2: this is why I offer a monthly maintenance service at a reasonable price. As part of this service, I keep an eye on your site, themes and plugins on a daily basis, and keep your site up to date. I manually scan your site each day for potential threats, as well as using plugins such as Wordfence.
You can read the full article from Wordfence here.