Our WordPress sites use a variety of plugins to enhance basic site functionality. Sometimes these are plugins that we ourselves have written to meet a specific need for one or more of our WordPress installations. More often than not, however, we make use of both open-source and proprietary third party plugins to extend functionality.
Plugins are a fantastic and important aspect of the WordPress ecosystem, but they don’t come without some risk. Installing a plugin means allowing someone else’s code to run on our servers and on your site: if there are problems or vulnerabilities in that code, it can make the server and site insecure. When plugin security vulnerabilities are discovered, they are assigned a CVE identifier and a CVSS score, which provides an indication of the severity of the risk.
It is critical that we keep your site and our servers secure, so we are very choosy about what plugins we install on our server infrastructure. Even trusted, well-vetted plugins can have vulnerabilities, however, and we do our best to keep your site safe by keeping plugins updated to their latest and most secure versions. There are a few situations in which updating plugins is not possible, out of our hands or comes with known negative consequences; how we respond depends on the severity of the security risk.
Abandoned plugins
Not all plugins are actively maintained, so it’s possible for a security flaw to be identified with no patch made available to resolve it.
Proprietary plugins
Some plugins require the purchase of an active subscription or license key in order to access the latest updates. If we don’t have the license keys available for a vulnerable plugin, we’ll contact you to attempt to obtain the necessary information to perform an update.
Breaking changes
In some cases, updating the plugin will introduce breaking changes (changes that will negatively impact how your site looks and/or works).
Low to medium CVSS score vulnerabilities
If no update is available, if you are unable to provide us with license information, or if the only available update introduces breaking changes, and the vulnerability is rated low or medium on the CVSS scale, we will:
- make you aware of the vulnerability
- give you the option to either update or hold the plugin back at an older, insecure version
If you choose to cease updating the plugin, we’ll ask you to confirm in writing that you accept the risk that your site may be compromised, releasing SMILE from liability in the event of a security event arising from the unpatched plugin.
High to critical CVSS score vulnerabilities
If a vulnerability has been rated high or critical on the CVSS scale, the option to refrain from updating is not available. We will either delete the plugin if no update is available to us, or apply an update even if it will have known negative effects on your site. In these cases, we will:
- notify you of the vulnerability, its severity, and the expected consequences of the plugin removal or update
- give you time to make any necessary changes to your website before we remove the plugin or apply the update
After a reasonable amount of time has elapsed, we will take action. Accepting diminished site functionality or a breaking change is better than the security implications of a serious vulnerability.
We don’t take decisions to remove plugins or introduce breaking changes lightly, and we’re always happy to answer any questions you may have and support you however possible.