In 2014, Sucuri noticed a major security hole in the WordPress plugin Slider Revolution.
The problem did not lie with the developers of the plugin, as they quickly addressed the issue. Problems arose because Slider Revolution was packaged with so many WordPress themes. When a plugin is bundled with a theme sold through a marketplace such as ThemeForest, the plugin cannot be updated automatically from the WordPress dashboard. Instead, the updated plugin reaches users only when the theme developer uploads a new version of the theme package.
Because of this, tens of thousands of WordPress users continued to run a vulnerable copy of Slider Revolution for months, as theme developers were slow to respond. Unfortunately, many more WordPress users are still running the vulnerable version today because the themes they use have not been updated in the last year.
As long as developers include WordPress plugins with their themes, this problem will always be around.
Lightning Does Strike Twice
One of the problems with Slider Revolution being compromised is that it is such a popular plugin. It is the second best-selling WordPress plugin on CodeCanyon and is packaged with a huge number of WordPress themes.
The best-selling WordPress plugin on CodeCanyon is, of course, Visual Composer, which is reportedly in use on more than half a million websites.
I am sad to report that Visual Composer is the latest premium WordPress plugin that has a major security vulnerability.
I was notified about this via an email from Envato on 10 October.
Hello Kevin Muldoon,
We are getting in touch to let you know about multiple XSS security vulnerabilities in the Visual Composer WordPress plugin versions prior to 4.7.4 (releases prior to October 2, 2015). This plugin was included in items you’ve purchased (listed below).
We have been working with WP Bakery, the creators of Visual Composer, who have addressed all identified vulnerabilities and undertaken a code audit to ensure that it is as secure as possible. Theme authors whose items include Visual Composer have been instructed to make sure their items accommodate this upgrade. Items that include older versions of Visual Composer will be disabled from the market until this change is made.
Affected Items
Your items that include Visual Composer:
- Magazin
What You Should Do
In order to secure your item from these vulnerabilities we strongly encourage you to update to version 4.7.4 or later as soon as possible. We recommend you take the following steps to secure your sites immediately, after first backing up your WordPress site.
Visual Composer Plugin Update Steps
- Log in to codecanyon.net and proceed to download the latest version of Visual Composer to your computer from this URL: http://codecanyon.net/item/visual-composer-page-builder-for-wordpress/242431
- Locate and unzip the downloaded plugin file.
- Connect to your server using an FTP client and upload the js_composer directory (from the downloaded zip file) to the wp-content/plugins/ directory. (Note: This will overwrite the old Visual Composer files with the secure versions.)
- Log into WordPress and navigate to the Plugins page to confirm the Visual Composer plugin is version 4.7.4.
The link to the latest version, provided above, will be live for 3 weeks from the time this email was sent. After this period, you will need to access the latest version via your theme zip file.
Please note: This replaces the existing plugin under the licensing of the theme(s) you’ve purchased and is only licensed for use in these themes.
Your Security is Our Priority
We take security seriously at Envato. When we receive security vulnerability reports for items sold on our marketplaces, we work as quickly as possible to validate the report, investigate risk and determine the best course of action for the security of our community.
On behalf of the plugin creator and Envato, we’d like to apologize for this inconvenience and assure you that security is and always will be our priority.
Regards,
The Envato Team
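The last step of Envato's instructions asks you to confirm the installed version by eye on the Plugins page. The script below is an added example, not part of the original post or of Envato's email: it reads the Version field from each plugin's header comment under wp-content/plugins (the same first 8 KiB of the main file that WordPress itself parses) and flags any bundled plugin whose version is below a known fix. The only fixed version taken from the page is Visual Composer 4.7.4; the MIN_SAFE_VERSIONS table, the helper names, and the temporary js_composer stub the script builds when run without arguments are assumptions and constructed sample data for this example.

```python
"""Audit bundled WordPress plugins against known-fixed versions.

Added example (not from the original post or the Envato email). It reads
the header comment of each plugin's main PHP file, the way WordPress
itself does, and reports plugins older than a minimum safe version.
"""
import os
import re
import tempfile

# Minimum versions known to contain the fix. Only Visual Composer's 4.7.4
# is taken from the Envato advisory; the dictionary itself is an assumption
# of this example, to be extended as further advisories arrive.
MIN_SAFE_VERSIONS = {
    "js_composer": "4.7.4",  # Visual Composer (WPBakery)
}

# Header lines look like "Plugin Name: Foo" or " * Version: 1.2.3".
HEADER_RE = re.compile(r"^[ \t/*]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_version(text):
    """Turn '4.7.4' into (4, 7, 4). Non-numeric pieces count as 0, so
    '4.7.4-beta' compares equal to '4.7.4' (good enough for an audit)."""
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_older(installed, minimum):
    """True when installed < minimum, comparing numerically per component."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def read_plugin_header(path):
    """Return header fields from a plugin file. WordPress only looks at the
    first 8 KiB of the file for its header, so we read the same amount."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    return dict(HEADER_RE.findall(head))


def inventory(plugins_root):
    """Map plugin slug -> (plugin name, version) for every plugin directory.
    The main file is whichever top-level .php file carries a Plugin Name."""
    found = {}
    for slug in sorted(os.listdir(plugins_root)):
        plugin_dir = os.path.join(plugins_root, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for name in sorted(os.listdir(plugin_dir)):
            path = os.path.join(plugin_dir, name)
            if name.endswith(".php") and os.path.isfile(path):
                hdr = read_plugin_header(path)
                if "Plugin Name" in hdr:
                    found[slug] = (hdr["Plugin Name"], hdr.get("Version", "0"))
                    break
    return found


def audit(plugins_root, min_safe=MIN_SAFE_VERSIONS):
    """Return [(slug, name, installed, minimum)] for plugins below the fix."""
    findings = []
    for slug, (name, installed) in inventory(plugins_root).items():
        minimum = min_safe.get(slug)
        if minimum and is_older(installed, minimum):
            findings.append((slug, name, installed, minimum))
    return findings


def build_sample_site(vc_version):
    """Constructed fixture: a throwaway wp-content/plugins tree holding a
    js_composer stub at the given version plus one unrelated plugin.
    Returns the plugins directory path."""
    plugins = os.path.join(tempfile.mkdtemp(prefix="wp-audit-"), "wp-content", "plugins")
    stubs = {
        "js_composer": ("WPBakery Visual Composer", vc_version),
        "some-other-plugin": ("Some Other Plugin", "1.0.0"),
    }
    for slug, (name, version) in stubs.items():
        os.makedirs(os.path.join(plugins, slug))
        with open(os.path.join(plugins, slug, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n/*\nPlugin Name: %s\nVersion: %s\n*/\n" % (name, version))
    return plugins


if __name__ == "__main__":
    import sys
    # Pass a real wp-content/plugins path, or run without arguments to
    # audit the constructed sample site (which is deliberately out of date).
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_site("4.7.3")
    for slug, name, installed, minimum in audit(root):
        print("%s (%s): installed %s, fix requires >= %s" % (slug, name, installed, minimum))
```

Run it against the plugins directory of each site you are responsible for, including ones a designer built and no longer maintains; the inventory function also lists every plugin's version, which is the quickest way to spot a site where nothing has been updated in years.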
I have to give kudos to Envato for sending out an email to everyone who has purchased a theme that comes packaged with Visual Composer. It is clear that they are trying to limit the damage that will be caused by this security hole.
By offering a free update to all verified users of the theme, they are being pro-active about this issue and reducing the number of people affected.
Despite the best intentions of Envato, I still believe that the trend of including premium plugins with WordPress themes can be a dangerous one.
Firstly, we need to acknowledge that not everyone will see the email from Envato and act on it.
Yes, you could take the other side of this argument and say that anyone who ignores this email only has themselves to blame if their website is hacked; however, that overlooks the fact that we all receive dozens of emails every single day. I receive an overwhelming volume of emails from companies, and most are deleted, filtered into my spam folder automatically, or simply ignored.
Second, we are assuming that the person who purchased the WordPress theme which came packaged with the plugin still maintains the website. That is not always the case.
For example, many design companies purchase WordPress plugins for clients' websites. However, once they have built a website for a client, they may have no further dealings with them. This means that the client's website will end up running many outdated premium plugins, because the client has no way to obtain updates.
This is more common than I previously thought. When I recently helped out a friend with his website, I found that none of his plugins had been updated in years.
The owner of a website, or the webmaster who has been hired to administrate it, is ultimately responsible for updating WordPress plugins. However, if that person is not able to access updates to premium plugins, their hands are tied.
Surely Including WordPress Plugins with Themes is a Good Thing?
I do not want you all to think that including premium WordPress plugins with WordPress themes is all bad, because it is not.
WordPress plugins allow developers to add a lot more functionality to a WordPress theme. It makes sense to use an established, refined plugin rather than spend months developing your own solution. In other words, there is no reason to reinvent the wheel.
Visual Composer is a hugely popular choice with theme developers because it allows them to quickly add a user-friendly page building solution to their theme. Slider Revolution is a popular inclusion as it adds slider and gallery functionality to a website.
Good themes can become great themes because of the inclusion of high quality WordPress plugins like them. It is therefore easy to understand why they are packaged with so many designs.
Why Aren’t Packaged Plugins Updated Immediately?
For my recent review of the Storesy WordPress theme from CommerceGurus, Simon Tomkins explained why they cannot immediately update their theme zip package when a premium plugin is updated.
He noted that they need to do a lot of testing when a plugin is updated to ensure it does not cause any conflicts with their WordPress theme.
If packaged plugins were allowed to update automatically, there is a risk that customer websites could break because of a conflict between the plugin and the theme. CommerceGurus primarily sell eCommerce themes, so a couple of hours of downtime for one of their customers could cost that customer thousands of dollars (if not more).
This explains why WordPress theme developers prefer to wait to release an updated version of plugins. Unfortunately, not all WordPress theme developers are as pro-active about testing plugins as CommerceGurus.
One of the problems with marketplaces such as ThemeForest and Mojo Themes is that developers have little incentive to continue improving and maintaining their WordPress themes unless they are selling well. This explains why so many WordPress themes in marketplaces have not been updated in years and why many more have been removed from sale altogether.
When you buy a WordPress theme that has just been released through a marketplace, it can be a bit of a lottery as to what you will receive. Your theme could be dropped by the developer after a few months or it could be updated regularly for a couple of years. It really is down to luck.
What Can Be Done?
When I heard about the security issue with Visual Composer, my initial reaction was that theme developers need to stop including premium plugins with their themes.
However, I do not believe such a drastic step is necessary as there are a lot of benefits from including established plugins with themes. Particularly if those plugins are regularly updated and actively supported.
This is how I believe we can solve this security dilemma.
- When a WordPress user activates a premium plugin that was included with a theme, they will be asked to enter a license code (to ensure they are eligible for product updates)
- Once the plugin is updated, a notice will be displayed in the plugins section of WordPress that advises there is a new version of the plugin available
- The notice will encourage the user to wait for the developer to test the plugin against their theme and to contact the theme company if they want a status update about the issue
- An option to update to the latest version of the plugin will also be made available
- A warning will be displayed in bold that stresses that this version has not been tested by the theme developers and the customer updates the plugin at their own risk
- Before the customer can update the plugin to the latest version, a message will be displayed to them stating they should not proceed until they have taken a backup of their website
Essentially, what we would have would be a two-tier plugin update system. WordPress users would have the option of updating to the latest version of a plugin such as Visual Composer as soon as it is released; however by doing so they have to accept the risks involved.
They will be strongly encouraged to wait for the theme developers to test the plugin.
This setup will also encourage theme developers to test plugin updates regularly. It may also discourage theme developers from including any old plugin with their themes. In theory, this setup will ensure that theme developers only package premium plugins that are actively supported.
All users of packaged plugins will see update notices within the WordPress admin area and if a designer created a website for you and no longer maintains it, you will still be able to update the premium plugins you use on your website.
I would love to hear your thoughts on all of this. Particularly those who sell WordPress themes for a living.
Do you think this solution would work? Or do you think there is a better way to ensure that WordPress users are not left vulnerable to security issues?
Thanks for reading.
Kevin