WordPress Plugin being exploited. Delete inactive plugins

For the past few days an increasing number of WordPress websites have been infected by attackers exploiting a vulnerability in the WordPress plugin WP Mobile Detector. The plugin, with over 10,000 active installs, was at one point removed completely from the WordPress repository with no patch available. As of today, however, WP Mobile Detector has been patched to address the vulnerability. Please update to version 3.6 or later as soon as possible.


WP Mobile Detector automatically detects standard and advanced mobile devices and displays a compatible WordPress mobile theme. “The vulnerability is very easy to exploit,” Sucuri security analyst Douglas Santos wrote. “All the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL.” Researchers at Sucuri posted yesterday that attacks against WordPress sites with the plugin installed started on May 27. The zero-day was disclosed on Tuesday by Plugin Vulnerabilities, a WordPress security site. The flaw allows an attacker to upload arbitrary files to the site simply by pointing the script at a remote file of their choosing; no WordPress login is involved, because the script is requested directly from the plugin directory.


Delete unused WordPress themes and plugins

There is no good reason, I repeat, no good reason to leave unused plugins or themes installed in your WordPress installation. Delete them. That said, it is extremely common that I’ll log in to clients’ wp-admin panels and notice several inactive plugins just sitting there. The main reason you want to delete inactive plugins is security. An attacker might discover an exploit that leverages unused themes or plugins. WP Mobile Detector is a good example: if you have this plugin installed but disabled/inactive, you would still be vulnerable. Deactivating a plugin only stops WordPress from loading it; its files stay under wp-content/plugins/, and any PHP script in there (resize.php in this case) can still be requested directly from the web server, without WordPress ever checking whether the plugin is active. Apart from security, removing unused plugins and themes (and the saved data they leave behind) can also improve WordPress performance.

After you delete plugins, they often leave behind data saved in your wp_options MySQL database table. You can inspect and clean your wp_options table for performance gains using phpMyAdmin or a plugin such as Clean Options. Be careful with this plugin: it lets you delete wp_options rows that are still in use, not only the unused ones. Also, delete this plugin when you are finished with it; it is old and not maintained. If you can suggest an alternative that dives into the wp_options table and displays the contents of the saved rows, please let me know. I’ve been relying on Clean Options much too long. Post your suggestions below.
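The sweep described in the two paragraphs above (find every inactive plugin and theme, delete it, then chase the leftovers) can be scripted with WP-CLI. The script below is an added example and is not code from the original post or from the WP Mobile Detector plugin. It assumes WP-CLI is installed as `wp` and that each argument is the root directory of a WordPress install; the plugin slugs in the comments are constructed sample data. Run it as the web server user (or with `--allow-root`) so that it has permission to remove the files.

```shell
#!/bin/sh
# Added example (not from the original post): report, or delete, every
# inactive plugin and theme across one or more WordPress installs with WP-CLI.
# Assumptions: "wp" (WP-CLI) is on PATH and each argument is a WordPress root.

# Pure helper: read `wp plugin list --format=csv` (or `wp theme list`) on
# stdin and print the names whose status column is exactly "inactive".
# `wp theme list` reports the parent of the active child theme as "parent",
# not "inactive", so this filter never selects a theme the site still needs.
inactive_from_csv() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $(col["status"]) == "inactive" { print $(col["name"]) }
    '
}

# Report, and in "delete" mode remove, the inactive plugins and themes of one site.
# Deactivated plugins are still exploitable because their PHP files remain
# web-accessible; only deleting them removes the attack surface.
sweep() {
    site="$1"
    mode="${2:-report}"
    for kind in plugin theme; do
        names=$(wp --path="$site" "$kind" list --fields=name,status --format=csv \
                | inactive_from_csv)
        [ -n "$names" ] || continue
        printf '%s: inactive %ss: %s\n' "$site" "$kind" \
            "$(printf '%s' "$names" | tr '\n' ' ')"
        if [ "$mode" = delete ]; then
            # `wp plugin delete` / `wp theme delete` accept several slugs at
            # once; word-splitting of $names is intended here.
            # shellcheck disable=SC2086
            wp --path="$site" "$kind" delete $names
        fi
    done
}

# Usage: sh sweep-inactive.sh report /var/www/site1 /var/www/site2
#        sh sweep-inactive.sh delete /var/www/site1
# Nothing runs when the script is called without arguments or WP-CLI is absent.
if [ $# -ge 2 ] && command -v wp >/dev/null 2>&1; then
    mode="$1"
    shift
    for site in "$@"; do
        sweep "$site" "$mode"
    done
fi
```

Run it in `report` mode first and read the list: a plugin that is inactive because it is only switched on occasionally will be removed in `delete` mode just like an abandoned one. `wp plugin delete` removes files only; for the database leftovers the post talks about, `wp option list --search='prefix_*'` shows the wp_options rows matching a plugin's option prefix, and `wp option delete <name>` removes the ones you have confirmed are orphaned.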


5 Responses

  1. I’ve heard it’s a good idea to leave one other theme besides your main theme installed. In the event your primary theme starts having issues for whatever reason you can just activate the other theme.

    What are your thoughts on this idea?

    Thomas June 6, 2016 at 5:01 pm #
    • Personally, Thomas, I think it is a good idea to keep an extra theme around in case of troubleshooting. As long as you keep the theme updated along with the rest of your site and use a mainstream theme that you know is maintained, you should be relatively safe :)

      Mike December 29, 2017 at 11:05 am #
  2. A plugin to move and then zip all inactive plugins with a password would do the job. I have several inactive plugins, as they are used occasionally, so this would be a great idea.

    dawesi June 7, 2017 at 12:27 pm #
  3. Can you recommend a plugin or application to sweep through my WP sites to locate any unused plugins? Thanks

    Gone Marshall September 14, 2017 at 11:16 am #
