WordPress Plugin – wpCentral Major Vulnerability
We’ve just heard news of a major security vulnerability in a popular WordPress plugin called wpCentral. This plugin allows owners of multiple WordPress websites to manage all of their sites through a single control panel. That is partly what makes this plugin vulnerability such a serious and potentially dangerous security issue.
The vulnerability that was discovered is a privilege escalation flaw, which can allow any user, including users who only have “subscriber” level access, to gain admin access to the websites the plugin is installed on. It also allows remote control of those websites via the wpCentral control panel.
This plugin is popular with website administrators, including some web developers who manage several websites. However, it is not something we at The Ian Scott Group ever felt safe using, precisely because if a vulnerability existed, it would put multiple websites at risk at once. Our philosophy with regard to plugins is to use as few as possible and certainly not to manage all websites under “one roof,” so to speak. Each website has its own unique admin login credentials, which we believe is the most secure and correct way to manage clients’ websites.
Our recommendation to anyone using the wpCentral plugin is to update IMMEDIATELY to the latest version, which has been patched and no longer contains the vulnerability. If your website is managed by someone else, it would be a good idea to ask your website maintenance company about their use of wpCentral and obtain assurances from them that they do not use this plugin to manage multiple websites, or, if they do, that they have applied the update.
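For site owners who want to verify the update themselves, the following WP-CLI script is an added example written for this page (it is not code from the original post or from the wpCentral project). It checks whether wpCentral is installed and has a pending update, applies the update when one is available, and then lists administrator accounts so that any admin you do not recognise can be reviewed, since the flaw described above let lower-privileged users gain admin access. It assumes WP-CLI (`wp`) is installed, that the plugin’s slug on wordpress.org is `wpcentral`, and that the site root is passed as the first argument; the version numbers in the comments are constructed, not taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits a WordPress install for
# the wpCentral plugin with WP-CLI and lists administrator accounts.
# Assumptions: `wp` is on PATH, the plugin slug is "wpcentral", and the site
# path is given as $1.

# Decide from one CSV data row of
#   wp plugin list --name=wpcentral --format=csv \
#      --fields=name,status,update,version,update_version
# whether the plugin needs updating. The third column is WP-CLI's "update"
# field ("available" or "none"). Prints "update", "current" or "absent"
# (absent = empty row, i.e. the plugin is not installed).
plugin_update_state() {
  row="$1"
  if [ -z "$row" ]; then
    echo absent
    return 0
  fi
  update_flag=$(printf '%s' "$row" | cut -d, -f3)
  case "$update_flag" in
    available) echo update ;;
    *)         echo current ;;
  esac
}

# Run the audit against a site: report/patch wpCentral, then list admins.
audit_site() {
  path="$1"
  # tail -n +2 drops the CSV header line; an empty result means not installed.
  row=$(wp --path="$path" plugin list --name=wpcentral --format=csv \
          --fields=name,status,update,version,update_version | tail -n +2)
  case "$(plugin_update_state "$row")" in
    absent)  echo "wpCentral is not installed at $path" ;;
    current) echo "wpCentral installed, no update pending: $row" ;;
    update)
      echo "wpCentral update pending: $row"
      wp --path="$path" plugin update wpcentral
      ;;
  esac
  echo "Administrator accounts (review any you do not recognise):"
  wp --path="$path" user list --role=administrator \
     --fields=ID,user_login,user_email,user_registered
}

# Only run when a site path is given and WP-CLI is present, so the helper
# above can also be sourced and used on its own.
if [ -n "$1" ] && command -v wp >/dev/null 2>&1; then
  audit_site "$1"
fi
```

Usage: `sh audit-wpcentral.sh /var/www/example-site` (path is a placeholder). If the script reports an update pending, it applies it; if it reports the plugin as absent, nothing on that site needs changing for this issue, but the administrator listing is still worth a glance.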
If you’re concerned about the security of your website, we’d invite you to contact us today. Our experience in security goes back to 1997, beginning with Linux server administration and security, and has evolved to include WordPress security, hardening, monitoring, and recovery after websites have been compromised.
We also follow “best practices” with regard to WordPress core and plugin security updates, which are especially important for businesses using the WordPress (or other) platforms. Find out why “auto-updates” are not the best way to protect your website and why best practices should always be followed, here.