For the past few days an increasing number of WordPress websites have been infected by attackers exploiting a vulnerability in the WordPress plugin: WP Mobile Detector. The plugin with over 10,000 active installs was at one point removed completely from the WordPress repository with no patch available. However, as of today the WP Mobile Detector plugin has been patched to address the vulnerability. Please update to version 3.6+ as soon as possible.
WP Mobile Detector automatically detects standard and advanced mobile devices and displays a compatible WordPress mobile theme. “The vulnerability is very easy to exploit,” Sucuri security analyst Douglas Santos wrote. “All the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL.” Researchers at Sucuri posted yesterday that attacks against WordPress sites with the plugin installed started on May 27. The zero-day was disclosed on Tuesday by Plugin Vulnerabilities, a WordPress security site. The flaw allows an attacker to upload arbitrary files.
Delete unused WordPress themes and plugins
There is no good reason, I repeat, no good reason to leave unused plugins or themes installed in your WordPress installation. Delete them. That said, it is extremely common that I’ll login to clients’ wp-admin panels and notice several inactive plugins just sitting there. The main reason you want to delete inactive plugin is Security. An attacker might discover an exploit that leverages unused themes or plugins. WP Mobile Detector being a good example, if you have this plugin installed and disabled/inactive, you would still be vulnerable. Apart from security, removing unused plugins and themes (and the saved data they leave behind) can also improve WordPress performance.
After you delete plugins, they often leave behind data saved in your wp_options MySQL database table. You can inspect and remove/clean your wp_options table for performance gains by using phpmyadmin or a plugin such as Clean Options. Be careful with this plugin, it provides you access to deleting unused but also used wp_options data. Also, delete this plugin when you are finished with it. Its old and not maintained. If you can suggest an alternative that dives into the wp_options table and displays the contents of rows saved, please let me know. I’ve been relying on Clean Options much to long. Post your suggestions below.