Why the WooCommerce Critical Vulnerability Shows the Value of Maintaining Your Website

A vulnerability in one of your themes or plugins is never ideal. When the plugin in question is the number one e-commerce platform in the world, though, you could upgrade the feeling to “catastrophic”. WooCommerce is the plugin in question, and it had to be patched fast to fix a critical vulnerability affecting all users.

While the issue is now patched, it does bring up a question: What should you do if a vulnerability crops up like this again, and how can you mitigate it? The answer has some complexities, but in short, you have to employ a robust maintenance plan and maybe hire experts to look after your site.

Over the next few sections, we’re going to discuss the recent vulnerability in WooCommerce. We will give you the context on how the development team chose to respond, and how you can prevent this kind of situation from affecting you in the future.

Explaining the WooCommerce Critical Vulnerability

Despite our heading, it’s tough for us to explain the security flaw found in WooCommerce – it hasn’t yet been disclosed, other than that it’s a “critical vulnerability”. Still, it was important enough that there was a 24-hour turnaround between the disclosure of the issue and the patch.

The vulnerability notice came through Automattic’s HackerOne page. For the unaware, this is a ‘bug bounty’ site where a company pays ethical hackers to find vulnerabilities in its software.


In fact, this isn’t only a WooCommerce issue: it also affects the companion WooCommerce Blocks plugin. As such, almost every site running WooCommerce 3.3–5.5 and/or WooCommerce Blocks 2.5–5.5 needs to update.

The Response to the Vulnerability

The turnaround from responsible disclosure to resolution was around a day. Given the scope of the vulnerability, this is a fantastic response from the WooCommerce development team.

The developers created a patch for over 90 versions of the e-commerce plugin, going back to version 3.3. It was deployed automatically to all affected sites.

While the team is still investigating the issue, they do recommend that site owners update passwords as a precaution. So far there is no suggestion that any site has been affected. Even so, there’s been a rapid response to a potentially ruinous situation.

How Regular Site Maintenance Can Mitigate the Impact of Vulnerabilities

We admit, without taking apart every theme and plugin on a regular basis to inspect its code, it’s hard to know in advance whether an issue will arise.

Our advice is to remain vigilant when it comes to new updates. There’s value in waiting until the dust has settled on a new update before applying it. Even so, you may still run into a problem when you do update, especially if the vulnerability is only found at a later date.

As such, you need to make sure that your site can handle malicious attacks. There are a few ways you can do this:

  • As we noted, give yourself a two-week window to watch out for any vulnerabilities or other issues. After that, you should be safe to update. Of course, if the current patch fixes a vulnerability, you should update immediately.
  • Install a dedicated Web Application Firewall (WAF) at the server level to create a suitable barrier in case of attacks. A plugin such as Wordfence includes a WAF, but this isn’t a server-side solution. Sucuri and Cloudflare both offer this option.
  • Keep regular backups, in case there’s a breach and you need to restore your site. This is more about mitigation than active prevention – a safety net in case the worst happens.

In addition, you can implement an auditing and maintenance plan to help plug leaks in your security provision. You can go further than this, and look at installing all updates on a staging site while you wait out the two-week window.
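As an added example, not code from the original post or from WooCommerce, the following POSIX shell script turns the steps above into a pre-update routine for a WordPress site: it takes a database and wp-content backup first, then for every plugin with a pending update decides whether to install it immediately (the installed version sits in one of the affected series the post names: 3.3–5.5 for WooCommerce, 2.5–5.5 for WooCommerce Blocks) or to defer it to the staging site and the two-week window. It assumes WP-CLI (`wp`) is on the PATH and the script is run from the WordPress root; the backup directory and the WooCommerce Blocks plugin slug (`woo-gutenberg-products-block`) are assumptions, and the affected-series table contains only the ranges the post gives.

```shell
#!/bin/sh
# Added example, not code from the original post or from WooCommerce.
# Pre-update routine for a WordPress site: back up first, then install
# security-relevant plugin updates at once and defer everything else to
# the staging site / two-week window. Assumes WP-CLI (`wp`) is on PATH
# and that the script is run from the WordPress root.

BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"   # assumed location

# Plugin slug : first affected series : last affected series (major.minor).
# Ranges are the ones given in the post; the Blocks slug is an assumption.
AFFECTED="woocommerce:3.3:5.5 woo-gutenberg-products-block:2.5:5.5"

# Compare two dotted versions component-wise (numeric); prints -1, 0 or 1.
# Missing components count as 0, so 5.5 == 5.5.0 and 5.5.1 > 5.5.
version_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
    if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
    ai=$(printf '%s' "$ai" | tr -cd '0-9'); bi=$(printf '%s' "$bi" | tr -cd '0-9')
    ai=${ai:-0}; bi=${bi:-0}
    [ "$ai" -lt "$bi" ] && { printf '%s\n' -1; return; }
    [ "$ai" -gt "$bi" ] && { printf '%s\n' 1; return; }
  done
  printf '%s\n' 0
}

# Major.minor series of a version string: 5.5.1 -> 5.5
series() { printf '%s\n' "$1" | cut -d. -f1,2; }

# True when the series of $1 lies in the inclusive range $2..$3.
in_affected_series() {
  s=$(series "$1")
  [ "$(version_cmp "$s" "$2")" -ge 0 ] && [ "$(version_cmp "$s" "$3")" -le 0 ]
}

# Policy for a pending update: "now" if the installed version is in a
# known-affected series (treat the update as the security fix), else "wait".
decide_update() {
  name=$1; ver=$2
  for entry in $AFFECTED; do
    slug=${entry%%:*}; rest=${entry#*:}; lo=${rest%%:*}; hi=${rest#*:}
    if [ "$slug" = "$name" ] && in_affected_series "$ver" "$lo" "$hi"; then
      echo now; return
    fi
  done
  echo wait
}

main() {
  command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; exit 1; }
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$BACKUP_DIR"
  # Safety net first: database dump plus themes, plugins and uploads.
  wp db export "$BACKUP_DIR/db-$stamp.sql" --quiet
  tar -czf "$BACKUP_DIR/wp-content-$stamp.tgz" wp-content
  # One CSV row (name,version,update_version) per plugin with a pending update.
  wp plugin list --update=available --format=csv --fields=name,version,update_version |
  tail -n +2 | while IFS=, read -r name ver newver; do
    case $(decide_update "$name" "$ver") in
      now)  echo "$name $ver -> $newver: affected series, updating now"
            wp plugin update "$name" </dev/null ;;
      wait) echo "$name $ver -> $newver: deferred to staging / two-week window" ;;
    esac
  done
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh wp-update-check.sh run` from the site root. The series check is deliberately coarse: it only promotes a pending update from “wait” to “now”, it never declares an installed version vulnerable on its own, because the patched point releases within those series are not listed in the post. Keep the `AFFECTED` table in step with the vendor’s advisory for any future issue.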

You may even want to think about using extra login security, such as Two-Factor Authentication (2FA). While this might not stop any specific threat, shoring up your site like this makes it as safe as possible. With your backup as a safety net, you have everything in place to protect your site as well as possible.

How a Service Such As WP Tech Support Has Your Back

Of course, you don’t have to handle security and maintenance on your own. WP Tech Support is a team of experts when it comes to looking after WordPress websites.


Using a support service such as ours can take a load off your mind, and a few extra items off your to-do list. What’s more, you’re entrusting your site’s security and maintenance to experienced experts in the field.

While we offer regular, general maintenance of your site, we can get our hands dirty in other ways too.

For example, we have plans to help you carry out site optimization and performance tuning, malware removal, and one-off fixes. In fact, WP Tech Support can give you flexibility, and meet your needs rather than shoehorn our services into your workflow.

In Conclusion

There’s never a good time to encounter a vulnerability in your WordPress website. You might not have expected an automatic patch such as the one WooCommerce received, either. Even with this in mind, having a regular maintenance and security plan in place is a stellar and sensible idea for every website.

While there’s plenty you can do at a core level to protect your site from vulnerabilities, you might also want to call the experts. WP Tech Support is on hand to take maintenance off your plate, and we’d love to chat further about your needs.

Has this WooCommerce vulnerability affected your sites? Let us know in the comments section below!
