[Screenshot, 7 April 2016, 11:17 AM: Radio Clash Podcast]

The Revolution May Be A Slider Away…

If Wordfence is correct, the whole Mossack Fonseca shit-show might have been caused by an outdated WordPress plugin, Slider Revolution! That’s if the data was indeed hacked, as MF asserts, and not handed over by a concerned party, as the ICIJ claimed.

But it does reveal something I’ve been concerned about a lot, following Wordfence and making sure my sites are secure: the security risk of premium themes and premium plugins. Slider Revolution was bundled with a theme I run on one of my sites – and I never used it, partly because whether it updated was completely dependent on the whim of the theme author.

So luckily I removed that plugin months ago – which is a good general security rule:
Don’t Use It? Ditch It.

The bundled plugins are tied to the theme, and as such are only updated when or if the theme author does so. And if your support slot ends, you’re left high and dry – hence exploits of premium plugins such as WonderPlugin and Slider Revolution. Especially as these themes bundle the plugins with functionality essential to the theme, but don’t include the actual plugin licenses to enable any automatic updating. Really shady, almost as shady as those dodgy tax deals! So what are they selling you, exactly?

They won’t automatically update via the WordPress Store (since that would be free, wouldn’t it?). And even if you have some fancy theme plugin to update the theme, the bundled plugins don’t update automatically (there are no licenses to do so, or the mechanism requires you to update plugins manually). Big, big security hole. And interestingly, a lot of modern themes seem to be shells for the bundled plugins? Not very optimal.
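As an added illustration (not the post’s own code, nor anything from Wordfence or the theme vendors), here is a small Python audit that applies the two points above to a WordPress install: delete plugins that are installed but inactive, and flag plugins that have no wordpress.org listing, since those cannot update through the normal channel and depend entirely on the vendor. The plugin slugs, versions and repository data are constructed sample values, and the wordpress.org version lookup is assumed to be supplied by the caller.

```python
import re

# Header fields WordPress reads from the comment block at the top of a plugin's
# main file; the real loader scans the first 8 KB with a similar per-line regex.
HEADER_KEYS = ("Plugin Name", "Version", "Update URI")

def parse_plugin_header(php_source):
    """Return {field: value} for the WordPress header fields found in php_source."""
    fields = {}
    for key in HEADER_KEYS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":[ \t]*(.+?)[ \t]*$",
                      php_source, re.M | re.I)
        if m:
            fields[key] = m.group(1)
    return fields

def version_tuple(v):
    """Turn '5.2.4' or '2.1' into a comparable tuple of ints (non-digits ignored)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def audit_plugins(plugins, active, repo_versions):
    """Classify each installed plugin by update risk.
    plugins: {slug: header dict}   active: set of active slugs
    repo_versions: {slug: latest wordpress.org version}; a slug missing here is
    treated as a bundled/premium plugin with no public update channel.
    """
    findings = {}
    for slug, hdr in plugins.items():
        installed = hdr.get("Version", "0")
        if slug not in active:
            findings[slug] = "inactive: delete it, its code is still reachable on disk"
        elif slug not in repo_versions:
            findings[slug] = "no wordpress.org channel: updates depend on the vendor"
        elif version_tuple(installed) < version_tuple(repo_versions[slug]):
            findings[slug] = f"outdated: {installed} < {repo_versions[slug]}"
        else:
            findings[slug] = "ok"
    return findings

# Constructed sample data: plugin headers as they might appear on disk.
SAMPLE_SOURCES = {
    "bundled-slider": "<?php\n/*\nPlugin Name: Bundled Slider\nVersion: 4.6.0\n*/\n",
    "akismet": "<?php\n/**\n * Plugin Name: Akismet Anti-Spam\n * Version: 3.1.0\n */\n",
    "old-gallery": "<?php\n/*\nPlugin Name: Old Gallery\nVersion: 1.0\n*/\n",
}
SAMPLE_ACTIVE = {"bundled-slider", "akismet"}
SAMPLE_REPO = {"akismet": "3.1.11"}  # constructed; the bundled slider has no listing

def run_sample():
    plugins = {slug: parse_plugin_header(src) for slug, src in SAMPLE_SOURCES.items()}
    return audit_plugins(plugins, SAMPLE_ACTIVE, SAMPLE_REPO)

if __name__ == "__main__":
    for slug, verdict in run_sample().items():
        print(f"{slug:16} {verdict}")
```

On a real site you would build `plugins` by reading each main file under `wp-content/plugins/` and `active` from the `active_plugins` option.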

And given that none of my themes even seem to understand the basics of, say, compressed images, minification, expiry headers, running JavaScript/CSS below the fold or any of the 101 Google PageSpeed items, I’m wary of also subcontracting my security updates to some bored developer.

So this is why I usually look for free plugins and themes I can adapt, that can be updated freely or have free auto-update channels. I do buy themes and plugins, and want to support the people who create them…but not at the risk of being left with an unsupported theme or plugin with massive holes in it. Sadly my experience of buying themes is usually that the developer loses interest after the first year or two, leaving you to support it – even if you pay them extra.

Yes, this happens with free plugins or themes too, but at least with those, if they are open source, there is the possibility that others can jump in and take them over; it tends to be less on/off. And also less galling – it’s not cheap to buy a theme nowadays, and at £40-80+ you expect something more than a fly-by-night approach. Whereas sourcing another free plugin is a simple task.

To be honest I think for the future the freemium approach is probably best – like with this theme for Radio Clash (Tracks): I bought extra functionality but the basic theme is free, so updates happen regularly and easily. You buy add-ons, rather than the whole theme…I’ve been burned by themes not working as promised, and as premium themes are not easily testable before buying, that has soured my relationship with that method of getting themes. Or they have bugs that are never fixed, despite promises to do so…as with my current portfolio theme, despite paying for 6 months’ support! (And no plugin licenses either, so obviously I’ll have to pay again after that period ends, but I might pay the plugin authors rather than the authors of the fairly basic ‘shell’ theme.)

So really, this is a plea for premium theme authors to think about security (and think about making your work open source or freemium). And to not just bundle loads of plugins to create the essential functionality that you sell your WordPress theme on – and if you do, make sure they can be updated automatically, or include ALL the licenses for each plugin.

Otherwise people are slowly just going to avoid anything ‘premium’ since it will be seen as a security risk, all because of some coding cowboys who want a quick buck but don’t care about data leaks like this one. In this case it was good to find out who was evading tax, but it might not have been. Next time it could’ve been a hospital, a refugee organisation, a political party under an oppressive regime, a children’s site and so on.
