In September 2014, it was revealed that the popular plugins Slider Revolution and Showbiz Pro had a critical security vulnerability that could allow attackers to access a site’s database or take over a site.
The big problem is that Slider Revolution was bundled with thousands of WordPress themes being sold on sites like ThemeForest. When a theme ships with a plugin bundled inside it, that plugin does not show available updates in the WordPress admin panel.
After the September news, it was revealed that the parent company, ThemePunch, had issued a silent patch in February 2014, and only notified potential theme owners once the vulnerability was exposed. This seven-month gap in public information did little to help website owners who purchased themes from ThemeForest and other marketplaces.
In December 2014, it was revealed that the Slider Revolution vulnerability was still being exploited, this time by a malware injector named SoakSoak. Over 100,000 WordPress sites were infected. This means there were at least 100,000 sites that didn’t know or didn’t care about the vulnerability.
And that’s what this article is really about.
If You Build Websites For Clients, Consider This
It’s not a crime to use a theme marketplace like ThemeForest or Template Monster as a starting point for building a website. For thousands of web firms, this is the normal workflow. Pre-built themes save countless hours of development time and allow developers to focus on the functionality that is missing.
But we can’t rely on theme developers or theme marketplaces to handle security for us. We have to be that filter. We, as web consultants, have to choose the paths that are lowest in risk.
Let me ask you some serious questions. How many sites do you currently maintain?
Is it ten? Twenty? Fifty? A hundred?
How many of those sites have third-party plugins bundled in them? Slider Revolution is one plugin. Are you updating all of the other plugins bundled in marketplace themes manually? How are you keeping track of when those plugins need updating?
If you are updating these bundled plugins manually, do you charge your clients for updating those plugins via a maintenance agreement? What happens if some clients don’t want or can’t afford a monthly maintenance package? Do you still update those plugins, or do you let it go?
What happens if their site gets infected because of a plugin vulnerability that you didn’t know about? What happens to your client sites if you part ways with the client, and they still have that bundled theme?
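Since a bundled plugin never announces its updates in the admin panel, the only way to answer "how are you keeping track?" is to inventory what is actually installed. The script below is an added example, not code from this article or from ThemePunch: it reads the standard WordPress plugin header (the `Plugin Name:` and `Version:` lines in each plugin's main PHP file) across every site root you maintain and reports which sites carry a given plugin slug and at which version. It assumes Slider Revolution installs under the `revslider` slug; the two sample sites and their version numbers are constructed fixtures, not real releases.

```python
import os
import re
import tempfile

# WordPress reads plugin metadata from the header comment of the plugin's main
# PHP file; only the two fields needed for an inventory are captured here.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)

def parse_plugin_header(php_source):
    """Return {'Plugin Name': ..., 'Version': ...} or None if no plugin header."""
    fields = dict(m.groups() for m in _HEADER_RE.finditer(php_source[:8192]))
    return fields if "Plugin Name" in fields else None

def inventory_plugins(site_root):
    """Map plugin slug -> version for everything under wp-content/plugins."""
    plugins_dir = os.path.join(site_root, "wp-content", "plugins")
    found = {}
    if not os.path.isdir(plugins_dir):
        return found
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for fname in sorted(f for f in os.listdir(plugin_dir) if f.endswith(".php")):
            with open(os.path.join(plugin_dir, fname), encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(8192))
            if header:  # first PHP file with a plugin header is the main file
                found[slug] = header.get("Version", "unknown")
                break
    return found

def sites_with_plugin(site_roots, slug):
    """Which of the maintained sites carry `slug`, and at which version."""
    hits = {}
    for root in site_roots:
        version = inventory_plugins(root).get(slug)
        if version:
            hits[root] = version
    return hits

def build_sample_sites():
    """Constructed fixture: two site roots; versions are made-up sample values."""
    base = tempfile.mkdtemp()
    fixtures = {"site-a": {"revslider": ("Slider Revolution", "1.2.3")},
                "site-b": {"akismet": ("Akismet", "3.0.0")}}
    for site, plugins in fixtures.items():
        for slug, (name, version) in plugins.items():
            pdir = os.path.join(base, site, "wp-content", "plugins", slug)
            os.makedirs(pdir)
            with open(os.path.join(pdir, slug + ".php"), "w") as fh:
                fh.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n")
    return [os.path.join(base, s) for s in fixtures]
```

Run `sites_with_plugin(build_sample_sites(), "revslider")` to see the report for the fixture; point `sites_with_plugin` at your real site roots to get the same list for every bundled copy you are responsible for.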
If you’re a web professional, I’m not asking these questions to piss you off. I’m asking these questions to make you think.
Best practices, workflows, and processes are all things that evolve as we learn more and continue to grow. What worked well for us a year ago might not be such a great idea today.