No More Worrying About Plugins
EricMesa
I like to read Hackaday’s weekly security posts to get a quick summary of the latest security issues. Last week’s post had the following WordPress section:
István Márton at Wordfence has the story on a pair of WordPress plugins with severe vulnerabilities, affecting a whopping 500,000 sites combined. Up first is AI Engine, with 100,000 installs. This plugin has an unauthenticated URL endpoint that can expose a bearer token, which then allows access to the MCP endpoint, and arbitrary control of users. The good news here is that the plugin is not vulnerable by default, and requires the “No-Auth URL” setting to be configured to be vulnerable.
The other plugin is Post SMTP, with 400,000 installs. It replaces WordPress’s PHP email handling, and one of the features is the ability to view those emails from the logs. The problem was that before 3.6.1, viewing those email logs didn’t require any permissions. At first blush, that may seem like a medium severity problem, but WordPress is often configured to allow for password resets via emailed links, which means instant account takeover. Both issues have been fixed, and releases are available.
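Both bugs in that summary are the same class of mistake: a plugin endpoint that serves sensitive data without first asking WordPress whether the caller is allowed to see it. The snippet below is an added illustration written for this post, not code from Post SMTP, AI Engine or Wordfence. It sketches a made-up email-log viewer (the `mylog_view` action and the `mylog_entries` table are invented names) in the vulnerable shape described above, next to the hardened shape, so the difference is visible in a few lines.

```php
<?php
// Hypothetical plugin code written for this post to show the bug class from the
// Hackaday summary. It is NOT Post SMTP's (or AI Engine's) actual code; the
// action name 'mylog_view' and the table 'mylog_entries' are invented.
// A real plugin registers only one of the two handlers below.

// ---- Vulnerable form: anyone on the internet can read the email log ---------
// wp_ajax_nopriv_* fires for visitors who are not logged in, and the handler
// never checks who is asking. Logged mail bodies include WordPress's own
// password-reset link (wp-login.php?action=rp&key=...&login=...), so an
// attacker requests a reset for the admin, reads the log, and logs in.
function mylog_view_vulnerable() {
    global $wpdb;
    $log_table = $wpdb->prefix . 'mylog_entries';
    $entries   = $wpdb->get_results(
        "SELECT id, recipient, subject, body FROM {$log_table} ORDER BY id DESC LIMIT 50"
    );
    wp_send_json_success($entries);
}
add_action('wp_ajax_mylog_view',        'mylog_view_vulnerable');
add_action('wp_ajax_nopriv_mylog_view', 'mylog_view_vulnerable');

// ---- Hardened form: anti-CSRF, then authorization, then data ---------------
function mylog_view_hardened() {
    // 1. The request must carry a nonce minted for this action (wp_create_nonce
    //    on the admin page); check_ajax_referer() dies on a missing or bad one.
    check_ajax_referer('mylog_view', 'nonce');

    // 2. Authorization is a capability check, not a login check. Subscribers
    //    are logged in too, so is_user_logged_in() alone would still leak the
    //    log to anyone who can register an account.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    // 3. Only then touch the data, and list only what the screen needs; the
    //    full body (with any reset link) is not something to hand out in bulk.
    global $wpdb;
    $log_table = $wpdb->prefix . 'mylog_entries';
    $entries   = $wpdb->get_results(
        "SELECT id, recipient, subject FROM {$log_table} ORDER BY id DESC LIMIT 50"
    );
    wp_send_json_success($entries);
}
add_action('wp_ajax_mylog_view', 'mylog_view_hardened');
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated requests get
// WordPress's default "0" reply and never reach the handler at all.
```

The same pattern applies to REST routes: a `register_rest_route()` call whose `permission_callback` is `'__return_true'` is the REST spelling of the `wp_ajax_nopriv_` registration above, and the fix is a callback that returns `current_user_can(...)` for the capability the data actually requires.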
If you have been reading here long enough, you know that a little over a year ago I moved this site from WordPress to Hugo. When I read summaries like that, it makes me so glad I’m not on WordPress anymore. I think a heavy CMS like WordPress makes sense for certain creators. Maybe they are running e-commerce, or maybe they are a photographer who needs to combine their blog and their images. But for someone like me who just makes simple blog posts, running a site dependent on plugins that seem to always have issues is just creating security issues for no reason. I’m sure there are some issues associated with any site. But by not running PHP, a database, or any plugins, I’m dramatically reducing the attack surface. I think, at this point, the biggest risk is someone compromising Hugo such that the build process introduces some kind of security flaw. But when it’s all compiled and I’m just serving static HTML files, I really do have a much safer website, and I don’t need to have the headaches and worries that come with running WordPress.