Unplug Those High Risk WordPress Plugins!

WordPress is a free and open source blogging tool based on PHP and MySQL that has evolved into a full content management system (CMS) with a plug-in architecture and a template system that extends its power and functions beyond basic expectations.

Because of its open source nature, one of the greatest benefits WordPress users enjoy is that hundreds of people all over the world are free to use it, work on it, and develop other products based on it that get plowed back into the WordPress marketplace and community. This has resulted in tens of thousands of plugins and themes flooding the market today. However, this freedom has also made WordPress a popular target for attacks, especially through third-party plugins that never go through, or fail, coding standards and security review, leaving sites vulnerable to hackers and malicious mass infections.

In recent research conducted by Checkmarx, a security solutions provider that uses automated code analysis, it was found that more than 20% of the most popular WordPress plugins are vulnerable to web attacks.

According to the Report:

20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.

  • These plugins are vulnerable to: SQL Injection (SQLi), Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Path Traversal (PT).

7 out of the top 10 most popular e-commerce plugins are vulnerable to common Web attacks. This amounts to more than 1.7 million downloads of vulnerable e-commerce plugins.

There is no correlation between the number of Lines of Code (LOC) and the vulnerability level of the plugins.

  • Smaller code does not necessarily mean safer code. On the contrary, some plugins that included only a few thousand lines of code contained more types of vulnerabilities than plugins containing tens of thousands of lines of code.

Vulnerable top 50 general plugin types vary.

  • e-commerce, feed aggregators, APIs, social network linking

Only six plugins were completely fixed in a 6-month time period – although all plugins updated their versions during this time.

  • A first scan run in January 2013 showed a higher rate of vulnerable plugins: more than a third (18 out of 50) of the plugins were vulnerable. In total, this meant that nearly 18.5 million vulnerable plugins were downloaded. That first scan also revealed RFI/LFI vulnerabilities.

Recommendations

WordPress plugin vulnerabilities affect three major parties: the web admins, the plugin developers, and WordPress itself. Below are some of the recommendations stated in the report.

For Web Admins

  • Download plugins only from reputable sources. For WordPress, this means WordPress.org
  • Verify the security posture of the plugin by scanning it for security issues
  • Ensure all your plugins are up to date
  • Remove any unused plugins

For Plugin Developers

  • Integrate security within the plugin development
  • Run the plugin through a code scanner to ensure that it stands up to a security standard
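As an added illustration of what "integrating security within the plugin development" means for the four vulnerability classes the report names, here is one hypothetical admin-side report handler written twice: first in the pattern a code scanner would flag, then hardened with the WordPress APIs intended for each class. This is example code, not code from the report or from any plugin it tested; the table name `hyp_reports`, the directory `hyp-reports`, the nonce action `hyp_report_action` and the function names are assumptions, and a normal WordPress runtime (`$wpdb`, `esc_html()`, `check_admin_referer()`, etc.) is assumed.

```php
<?php
/**
 * Added illustration (not from the Checkmarx report or any named plugin).
 * A hypothetical "view and delete report" handler, shown vulnerable and
 * then hardened. Assumes it runs inside WordPress.
 */

// ---------- Vulnerable form (what a scanner would flag) ----------
// SQLi: untrusted id concatenated into SQL.
// XSS:  untrusted title echoed raw.
// CSRF: state change on a bare request with no nonce or capability check.
// PT:   untrusted file name joined onto a directory path.
function hypothetical_report_handler_vulnerable() {
    global $wpdb;
    $id   = $_GET['id'];
    $file = $_GET['file'];
    $rows = $wpdb->get_results( "SELECT title FROM {$wpdb->prefix}hyp_reports WHERE id = $id" );
    echo '<h2>' . $rows[0]->title . '</h2>';
    readfile( WP_CONTENT_DIR . '/hyp-reports/' . $file );
    $wpdb->query( "DELETE FROM {$wpdb->prefix}hyp_reports WHERE id = $id" );
}

// ---------- Hardened form ----------
function hypothetical_report_handler_hardened() {
    global $wpdb;

    // CSRF + authorization: require a capability and a valid nonce before
    // reading private data or changing state. check_admin_referer() dies
    // on a missing or invalid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hyp_report_action' );

    // Input validation: coerce the id to a positive integer.
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $id ) {
        wp_die( 'Invalid report id', '', array( 'response' => 400 ) );
    }

    // SQLi: bind every value through $wpdb->prepare().
    $title = $wpdb->get_var( $wpdb->prepare(
        "SELECT title FROM {$wpdb->prefix}hyp_reports WHERE id = %d",
        $id
    ) );

    // XSS: escape on output, with the escaper that matches the context.
    echo '<h2>' . esc_html( (string) $title ) . '</h2>';

    // Path traversal: keep only the base name, whitelist its characters,
    // then confirm the resolved path is still inside the intended directory.
    $base_dir = realpath( WP_CONTENT_DIR . '/hyp-reports' );
    $name     = isset( $_GET['file'] ) ? basename( wp_unslash( $_GET['file'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.pdf$/', $name ) ) {
        wp_die( 'Invalid file name', '', array( 'response' => 400 ) );
    }
    $path = ( false !== $base_dir ) ? realpath( $base_dir . '/' . $name ) : false;
    if ( false === $path
         || 0 !== strpos( $path, $base_dir . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'File not found', '', array( 'response' => 404 ) );
    }
    readfile( $path );

    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}hyp_reports WHERE id = %d",
        $id
    ) );
}

// The link that triggers the hardened handler must carry the nonce so that a
// request forged from another site is rejected by check_admin_referer().
function hypothetical_report_link( $id ) {
    $url = add_query_arg(
        array( 'action' => 'hyp_report', 'id' => absint( $id ), 'file' => 'summary.pdf' ),
        admin_url( 'admin-post.php' )
    );
    return esc_url( wp_nonce_url( $url, 'hyp_report_action' ) );
}

// Register the hardened handler on the admin-post.php "hyp_report" action.
add_action( 'admin_post_hyp_report', 'hypothetical_report_handler_hardened' );
```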

SMBs or simple home-based businesses that do not have a built-in or sophisticated IT department to go through all these checks and balances run a high risk because of the great deal of trust they place in available third-party plugins (especially the free ones). Web administrators need to be more discerning and thorough in their research before installing any plugins on the sites they manage. Plugin developers need to be self-governed and abide by secure coding best practices. As each party does its part, the whole WordPress community stands to benefit in the end.


Popular WordPress Plugins Updated for Security

In an article on WordPress Plugin vulnerabilities, we mentioned that the top 50 most popular plugins were tested for security and vulnerability by Checkmarx, a leading provider in application security. The first scan was conducted in January 2013 where it was discovered that more than a third of the 50 plugins were vulnerable. The second scan, conducted in early June 2013, was performed on the updated versions of all plugins. However, only six of these updates were free of those previously found vulnerabilities. These were:

BuddyPress

– creates a social network for the organization. # Downloads: 1,319,743.

A BuddyPress Plugin is a program, or a set of one or more functions, written in the PHP scripting language, that adds a specific set of features or services to the BuddyPress site, which can be seamlessly integrated with the site using access points and methods provided by the BuddyPress Plugin API. BuddyPress allows easy modification, customization, and enhancement to a BuddyPress powered WordPress site. Instead of changing the core programming of BuddyPress, you can add functionality with BuddyPress Plugins.

BBPress

– forum software. # Downloads: 483,28. Alerted by Checkmarx to their vulnerabilities.

bbPress is forum software, made the WordPress way – simple to set up, fully integrated, multisite forum, simple interface, customizable templates, highly extensible.

E-Commerce

– shopping cart plugin. # Downloads: 2,209,352.

WP e-Commerce is a free WordPress Shopping Cart Plugin that lets customers buy your products, services and digital downloads online.

WooCommerce

– an e-commerce store. # Downloads: 469,503

WooCommerce is a free, powerful WordPress eCommerce plugin. With the extendability of a huge catalog of commercial themes and extensions we have all the tools you might need to get your shop running. Transform your WordPress website into a thoroughbred eCommerce store, delivering enterprise-level quality and features whilst backed by a name (WooThemes) you can trust.

W3 Total Cache

– site optimization by caching. # Downloads: 1,450,980. Most likely fixed as part of a security overhaul following an external full disclosure of some vulnerabilities.

W3 Total Cache improves the user experience of your site by increasing server performance, reducing the download times and providing transparent content delivery network (CDN) integration.

Super Cache

– site optimization by caching. # Downloads: 3,984,976. Most likely fixed as part of a security overhaul as with W3 Total Cache.

A very fast caching engine for WordPress that produces static HTML files. This plugin generates static HTML files from your dynamic WordPress blog. After an HTML file is generated, your webserver will serve that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts. Supercache really comes into its own if your server is underpowered, or you’re experiencing heavy traffic. Super Cached HTML files will be served more quickly than PHP generated cached files, but in everyday use the difference isn’t noticeable.

Note: Downloads statistics are as of the time of the tests.


WordPress Plugins for Front End Content Management

As the internet continues its path towards building stronger online communities, greater interconnectivity and increased social networking, website owners are opening up their doors to accepting content contributions from their audiences. To address the issue of privacy and confidentiality, some plugin developers have come up with front-end solutions to enable website owners to accommodate contributions from the community without compromising their backend controls.

Here are some useful plugins you can use to put everything you need for posting, editing, and uploading content on the front-end.

Front-End Editor by Scribu

Front-end Editor is a plugin that allows you to edit your content directly from the front end of your site. This comes in really useful when all you need is just to correct a typo or something you overlooked.

Front-End Uploader

This plugin is useful if you have multiple contributors to your site because this plugin allows them to generate content and easily upload it right on the frontend of your website. Essentially, the plugin is a customizable upload form that adds files with allowed MIME-type to your WordPress Media Library under a special tab “Manage UGC”. There you can moderate your user submissions – whether to: Approve, Delete, or Re-attach to other post/page/custom-post-type before they are officially published.

Frontend Checklist

Create HTML or PDF checklists your visitors can save or print anytime they come back to your site. These lists are saved via cookies which enables visitors to continue using the checklist where they left off when they re-visit your site.

MarketPress FrontEnd

MarketPress Frontend is a powerful ecommerce plugin that can be used to set up a stylish online store easily. This WPMU Dev created plugin can help you: manage orders, create and edit products, product tags, and categories, set up store settings such as shipping, payment gateways, and coupons, all through the front end. This means that all your confidential dashboard information will be hidden away from sellers or other users who don’t need to see all that information.

FV Community News

Need more content but challenged? This plugin allows users to contribute articles while still maintaining full control over what gets published.

With this Community News plugin you allow your visitors to add fresh or related content to your blog. This plugin comes with a moderation panel and a settings page including support for custom post types, images, widgets, and shortcodes. You can simply sit back and relax knowing that your blog will have a continuous supply of fresh content.

Just make sure that the plugins are compatible with your current WordPress version before you install any of them.


WordPress Plugins 2013: Trends

WordPress themes, free or premium, come with common, basic features and functionalities upon installation. Some are built in together with the WordPress version you are using while others come with the theme you plan to use and install. Technically, these plugins are a set of one or more functions, written in the PHP scripting language, that adds a specific set of features or services to the WordPress weblog. Simply put, these plugins offer new additions to your blog that either enhance features that were already available or add otherwise unavailable new features to your site. Here are some of what we think will be the WordPress Plugin Trends for 2013:

Jetpack Plugin

The JetPack plugin supercharges your self-hosted WordPress site with the awesome cloud power of WordPress.com. You can activate this plugin if you have an existing blog on WordPress.com. Once connected and activated, several awesome features available on WordPress.com like: Contact Form, Gravatar Hovercards, Shortcode Embeds, Spelling and Grammar, and many others become available to your self-hosted site. All this is powered by WordPress.com’s cloud infrastructure.

WordPress SEO Plugin by Yoast

This popular plugin was designed and developed by WordPress consultant Joost De Valk. WordPress SEO is the most complete WordPress SEO plugin that exists today for WordPress.org users. It incorporates everything from a snippet preview and page analysis functionality that helps you optimize your page content, image titles, meta descriptions and more, to XML sitemaps, and loads of optimization options in between. It has recently been updated and is now compatible with WordPress 3.5.

ALO EasyMail Newsletter

One of the best ways to connect to your market is to get them to subscribe to your newsletter via email. It is also one of the most tedious things to do if you do not have an ARS (auto responder system) provider who will automatically distribute your newsletter. ALO EasyMail Newsletter is a great email marketing tool that allows you to gather and manage subscribers and write and send newsletters right within WordPress. It also supports internationalization and multi-language requirements.

WP Smush.it

Improving your page ranking is not just about having the right keywords. Fast loading pages are now part of the equation. WP Smush.it is a plugin that offers an API that performs image optimizations like optimizing JPEG compression and converting certain GIFs to indexed PNGs automatically to help improve site performance. As sites continue to become more image intensive, plugins like this are helpful in managing load rate.

Photonic Gallery for Flickr, Picasa, SmugMug, 500px and Instagram

Social networking has branched out into different streams and has integrated images into its arsenal. Hence the popularity of Pinterest and Instagram. Photonic takes all that and lets you use the WordPress gallery shortcode and ramps it up with a lot of added functionality including glamming up your social networking images like Instagram. It supports Flickr photos, Photo sets, Galleries and Collections, along with Picasa photos and albums, SmugMug albums and images, 500px photos and collections, and Instagram photos and users. You can also enable authentication for your site visitors that will let them see private and protected photos from each provider.

WordPress 3.5 has been released, so some of these plugins may need to be updated to work with the latest WordPress update. Please check the developers’ links to see if they have a version compatible with the latest update.


Popular WordPress Plugins from CodeCanyon

Plugins are becoming more and more a necessity in putting up a website. These little programs significantly augment the capabilities of themes to produce more robust and highly functional awesome websites. Here are some plugins you may find very useful for your site:

UberMenu WordPress Mega Menu Plugin

Are you tired of ordinary menus that come with your purchased themes? No worries. Ubermenu is a plugin designed to enhance existing plugin capabilities of any theme. This plugin turns your theme’s menu into flyouts or mega menus. Defining the hierarchy of menu items is as easy as dragging and dropping your options. Flyouts are easily created by ordering and indenting menu options. Mega menus can be created easily starting with a tick in the mega menu options. The rest of the steps are relatively simple. This powerful plugin is fully responsive, ensuring your menus are optimized and will look great on mobile devices.

LayerSlider WP – The WordPress Parallax Slider

If you want to do away with flat, boring slideshows, Layerslider is a must-have plugin for you. With Layerslider, you can display slides made up of your images layered together for a more stunning 3D look. It’s not surprising that your slides will look like an elegant pop-up book page. Animation of each slide component may be configured and controlled to create dramatic transitions. This plugin is also responsive and SEO friendly.

Slider PRO – WordPress Premium Slider Plugin

Creative professionals constantly seek unique and interesting ways to display their creative works before an audience. These professional artists tend to be more meticulous and demanding of portfolio themes that will be used to display their portfolio on their websites. Slider PRO is an amazing plugin that gives web designers a myriad of slider options like transitions, effects, skins and so much more. This plugin can really turn ordinary sites into powerful portfolio websites for creative professionals.

JackBox – Responsive Lightbox – WordPress Plugin

Here’s another plugin for creative professionals. JackBox – Responsive Lightbox – WordPress Plugin is a neat plugin that allows you to create that lightbox effect even on mobile devices and smartphones. Portfolio or image and video rich sites can take advantage of this plugin to keep their desktop presentations consistent even in mobile format.

Foobar WordPress Notification Bars

This special plugin allows you to create notification bars on your site. You can flash reminders to visitors with a notification bar at the top of the web page to highlight important announcements or information. This can also be used as a source for additional monetization opportunities, particularly for websites with themes that don’t have any space for ad widgets. FooBar also allows you to display your social media buttons so visitors can contact you on the social web.

Check out these plugins and give your website that extra edge from the rest. Visit Codecanyon for more WordPress plugins.


Not Your Usual WordPress SEO Plugins To Try

WordPress as a Content Management System, in itself, is already a good platform for SEO goals because of the way it is structured. But you can always make a good thing better if you want to. Check out these fresh SEO plugins that you might not have heard of but might help make your SEO efforts yield even better results.

Premium SEO Pack for WP

This plugin gives you a whole array of tools to help you optimize your site’s visibility in internet searches. The plugin includes monitoring tools like Google Analytics, SERP tracking, On-Page and Off-Page optimization tools, and the premium Mass Optimization feature that allows you to optimize all your posts and pages at once. Another cool on-page feature is Local SEO, which allows you to rank your pages based on the geographic locale. Other noteworthy on-page features are: title & meta format, sitemap, SEO slug optimizer, SEO feature optimizer and Google authorship. The SEO pack also includes Link Builders, Backlink Builder, Social Stats, Page Speed Insights, Smush It, and also an SEO code insert feature.

WordPress SEO Post-Optimizer

The WordPress SEO Post-Optimizer plugin assists you in optimizing posts for page rank. This plugin checks your posts against SEO criteria, checks for keyword density (the right amount of keywords in a post), and automatically rechecks the SEO score of your post every 15 seconds. The SEO scores are expressed as percentages. A real-time word count is also done, in recognition of the fact that search engines usually prefer content with more than 300 words. The plugin also checks whether the post has images and whether there are links to older posts on your blog, to improve your internal content structure. The Post Optimizer plugin also checks for internal links, the usage of h-tags and alt-tags, and bold, italicized, or underlined keywords in your post.

Rankie

Rankie is a WordPress Rank Checker plugin that helps you keep track of your WordPress site’s rankings on Google, keeping a close eye on each keyword position. The plugin allows you to track an unlimited number of keywords on Google and keeps updating these ranks daily. You can also check out ranking trends per week, month or all time. The plugin is also a great keyword research tool that helps you generate keyword lists by suggesting possible alternatives to keywords of interest. Because it works as a WordPress SERP plugin, it can also generate ranking reports per month, per year or for all time, showing whether rankings are going up or down with details on every single position change for each tracked keyword, along with many other helpful tracking functions.

Ultimate Video SEO Plugin

Ultimate Video SEO Plugin is an advanced stand-alone plugin for WordPress which covers all aspects of Video SEO. It automatically fetches video SEO details from videos of all major video hosting providers and submits them to a video sitemap. What can it do? It supports self-hosted videos in all WordPress supported video formats. It notifies search engines whenever a sitemap is updated or generated. It supports video embedded through a shortcode or metabox (created by third-party plugins or the theme). It supports self-hosted videos embedded using the default WordPress media gallery. It adds schema.org video object markup to all your video posts/pages. It shows a snippet preview of video search results within your post editor.

Meta Tags Optimization

Meta Tags are keywords used by search engines to find useful information. A lot of times the title and nature of the content may not be associated with the right meta tags. The Meta Tags Optimization plugin advises the admin whether the page is optimized correctly, by highlighting with green and red colors the Meta Tags that are found on the page. While the plugin will not tell us what tags to add or eliminate, it will highlight the incorrect inputs in red. This plugin gives useful information to the writer by highlighting meta tags on the page that may not be the best suited for the content. This plugin also lets you optimize meta tags for posts/pages by providing you clear instructions to repair your meta tags.


Opt In Plugins for WordPress

Placing a strategic call to action on your website such as subscribe, register, download, purchase, etc. can make a difference in your conversion statistics. Make it easy for your audience to perform the CTAs you want them to with these opt in plugins for WordPress.

Magic Action Box

Magic Action Box is an easy to use but powerful lead generation plugin that lets you create a focused and high converting feature box in minutes. It lets you display professional looking opt-in forms and feature boxes on your WordPress site. This plugin makes it easy to create powerful calls to action and helps users to focus on one thing while presenting the CTAs in sleek, professional looking action boxes without the need of a designer. This plugin also integrates with Gravity Forms to build complex, powerful and beautiful contact forms in just minutes.

OptinSkin

OptinSkin allows you to add eye-catching opt-in forms and social share boxes to your blog easily. One great feature of this plugin is the ability to split-test all the elements of your opt-in form (buttons, color, text, covers, images, etc.) to find out which one visitors respond to the most. Another feature worth noting is the Fade feature, which allows the form to fade into your content – a great way to address ad blindness. This plugin also works with all major email marketing services and easily integrates with any of them. You also have the option to earn through your opt-in box by enabling an (optional) affiliate link. OptinSkin can be used on multiple websites you own without purchasing additional copies.

Email Pickup

Email Pickup lets you create simple and powerful landing pages with an email capture form. This is handy when you promote your products, for “Coming soon” pages, and for creating multiple subscriber lists for your newsletters. You can easily add forms to pages and posts using a special button or using a shortcode. This plugin also integrates with INinbox.

WangGuard

WangGuard protects your registration page by stopping sploggers, spam users and other unwanted users from gaining access to your website’s resources, without the use of complicated captchas. This plugin cleans unwanted users out of your database from within the Users panel. This plugin protects the standard WordPress, WordPress Multisite, BuddyPress and bbPress 2.0 registration forms. WangGuard is fully compatible with standard WordPress (non-multisite), WordPress MU, WordPress Multisite, BuddyPress (multisite and non-multisite), bbPress 2.0, and plugins like WooCommerce.

Email Newsletter

Email Newsletter plugin gives you the option to send HTML Mails/Newsletters to registered users, commenters, subscribers, and users who contact you. This plugin gives you several options to: setup an email subscription box, send a newsletter to subscribers, add an unsubscribe link in the newsletter, export or import email addresses, send an auto email to new subscribers, and receive admin email notification for every new subscriber who joins.

Hybrid Connect

Hybrid Connect is a powerful plugin that allows you to create and customize your own opt-in form, display it strategically on your website (sidebar, footer, widget, slide-in, squeeze page, pop up forms, video, etc.), and improve your conversions by testing the elements in your opt-in form to produce the best results. Hybrid Connect is easy to use and requires absolutely no technical knowledge or coding skills. Hybrid Connect also features the easiest and most highly customizable opt-in form builder – the Hybrid Connect form builder – to help you create opt-in forms that match your website’s style without any coding knowledge required. This plugin also supports all major auto responder services.


WordPress dot Org Plugins You Might Have Missed

WordPress dot org has some powerful plugins that you might not have discovered yet. Check out these cool plugins that just might be the solutions you have been looking for. Some of these plugins are still in the draft or development stage as of this writing.

Admin Color Schemes

The Admin Color Schemes plugin brings some personality to your WordPress site with 8 new extra admin color schemes. If you want to add some fun and pizzazz to your WordPress backend for that not so formal look, check out this cool plugin to create the color scheme that matches your personality.

WordPress Importer

The WordPress Importer plugin will import the following content from a WordPress export file: posts, pages and other custom post types, comments, custom fields and post meta, categories, tags and terms from custom taxonomies, authors, etc. The importer also has a couple of filters to allow you to completely enable/block certain features. Take note though that if your exported file is very large, the import script may run into your host’s configured memory limit for PHP.

Debug Bar

The Debug Bar plugin adds a debug menu to the admin bar that shows query, cache, and other helpful debugging information. This plugin is a must for WordPress developers. It tracks PHP Warnings and Notices to make them easier to find when WP_DEBUG is enabled, and MySQL queries are tracked and displayed when SAVEQUERIES is enabled. This plugin is extremely helpful for theme and plugin developers; just make sure that the plugin is installed correctly.

WordPress Front-end Editor

The WordPress Front Editor plugin is a simple and easy to use plugin that allows you to navigate between the front and back end where you can access more advanced options such as custom fields, edit content, etc. This plugin is still in the development stage.

Tumblr Importer

The Tumblr Importer plugin allows you to import posts, drafts, and pages, including media side loading (for audio, video, and image posts), from a Tumblr blog into a WordPress blog. It correctly handles post formats, does background importing, and will not create duplicate imported posts.

Blogger Importer

The Blogger Importer plugin allows you to import posts (published, scheduled, and draft), comments, and categories (Blogger tags) from a Blogger blog, then migrates authors to WordPress users.


Membership Plugins For WordPress January 2014

WordPress is a proven powerful tool you can use to create your own website any way you want it. What’s also great about it is that you can take it even further and enhance its functionality to suit your needs with the help of plugins. From personal blogs to eCommerce sites to BuddyPress to so many other types of websites – a plethora of options is available out there for WordPress users.

One of the many ways you can use WordPress is to make it function as a membership site, where you can allow users to register, grant or deny access to specific functions and sections, or create a social hub where fellow users can interact with each other.

Here are some popular WordPress plugins that can turn your website into a fully featured membership site:

Member Mouse

MemberMouse is an easy to use WordPress membership plugin that allows you to sell products, subscriptions and memberships, setup a password protected member’s area, offer 1-click upsells and downsells, manage customers, automate customer service, track critical retention metrics and more. No matter where you’re starting from, MemberMouse has the power you need to maximize revenue and get your business running like a well-oiled machine.

MemberMouse gives you everything you need to easily manage a successful online business. No matter if you sell digital products, subscription content, software as a service, or ship physical goods, MemberMouse provides a flexible platform that you can quickly shape to your business, with absolutely no programming required. This powerful plugin gets you up and running quickly, and handles many of the common tasks in your business, freeing you to focus on your value proposition.

Membership by WPMU Dev

Membership is a flexible, powerful, easy-to-use WordPress plugin for dividing your website into free and premium content. It’s a plugin built by WPMU Dev with WP Multisite in mind that can transform your entire network into a fully featured, multi-tiered membership and subscription site, so you can host a variety of membership sites, for yourself or for clients. Features include: a drag and drop interface to customize according to your exact specifications, control over how access to any content or functionality is given, BuddyPress support, easy addition of payment gateways (Authorize.NET AIM, 2Checkout, PayPal Express, etc.), and a design built with WP Multisite in mind.

Restrict Content Pro

Restrict Content Pro is a complete membership and premium content manager plugin for WordPress developed by Pippin Williamson. This plugin can help you create an unlimited number of memberships levels, including free, trial and premium. Manage members and their subscriptions, track payments, offer discounts with a complete discount code system, and provide premium, members-only content to your subscribers.

Restrict Content Pro includes a complete member management system that lets you easily view all active, pending, expired, cancelled, and free users. Members’ subscriptions can be added or modified at any time. This premium plugin is integrated with PayPal payments, where all subscription payments are made via PayPal, allowing extremely fast and secure transactions.

Paid Memberships Pro

Paid Memberships Pro is a customizable WordPress Plugin and support community for membership site curators. PMPro’s rich feature set allows you to add a new revenue source to your new or current blog or website and is flexible enough to fit the needs of almost all online and offline businesses. It is integrated with Stripe, Authorize.net, or PayPal® for recurring payments, flexible content control, themed registration, checkout, and more to help you process all your business transactions. You can name and control access for unlimited membership levels (members are added as a WordPress User at the subscriber level in addition to their selected membership level during registration), set up your payment gateway with any of the built-in payment options and then paste your API information into the plugin’s setup page, control access for each membership level offered, and so much more.

WP eMember

WordPress eMember is a powerful WordPress Membership Plugin that can help you build a secure and reliable fully featured WordPress membership site easily. This easy to install plugin lets you selectively protect articles by creating various membership levels (example: Free, Basic, Premium, Ultimate etc.) and protect the content (posts, pages, comments etc.) of your site. The plugin manages all the membership management side of things. Key features include: content protection, where you can create different membership levels and select what content (posts, pages, categories, comments) can be viewed by each membership level; unlimited membership levels, where you can create “Basic”, “Premium”, “Ultimate”, or any other levels you want; a Multi Site License, so you can use it on as many sites as you own; Autoresponder Integration, so it can be integrated with autoresponders (AWeber, MailChimp, GetResponse) and members automatically get signed up to your list/campaign for email marketing purposes; and so much more.

Discover the many benefits of creating a membership site with these plugins and build your network faster than ever.