I am not a morning person, yet my alarm goes off at 5:30 am every day. This is because the editorial team I work with is on the East Coast, and I'm in Oregon. I do a quick check of email and Slack to make sure nothing is on fire, then settle down to a relaxed first cup of coffee. Once caffeinated, I'm fairly gruntled.
Unfortunately, one day in early June, my website was, at least figuratively, on fire. My hosting provider sent me a notice telling me that one of the plugins that kept the site secure had security vulnerabilities and needed to be deactivated.
Usually, when I receive such a notice, I just go to the plugin page on my site and run an update. This time, there was no update. Worse, when I went to that plugin's page on the WordPress repository (basically the app store for WordPress plugins), I saw this notice.
[Screenshot: the notice on the plugin's page in the WordPress repository. Screenshot by David Gewirtz/ZDNET]
That was not a good sign. I did some research and found that the plugin had been listed as having cross-site scripting (XSS) vulnerabilities, among other things. These vulnerabilities allow malicious users to inject malicious scripts into affected sites. It's not the sort of thing you take a chance on. I immediately disabled the plugin.
I immediately felt the effects.
What the plugin was protecting
The plugin in question served a very specific purpose on my site: it stopped registration spam. Registration spam is the practice of creating a ton of spurious user accounts on a site.