In the Feature Spotlight posts, we highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are going to cover Version Management, a great tool that makes managing updates of WordPress or themes and plugins a breeze.
Why We Developed Version Management
Keeping software updated is an essential part of any security strategy. Updates aren’t just for bug fixes and new features. Updates can also include critical security patches. Without that patch, you are leaving your phone, computer, server, router, or website vulnerable to attack.
Patch Tuesday is the unofficial term to refer to the regular bug and security fixes that Microsoft releases the second Tuesday of every month. It is fantastic that Microsoft releases security fixes on such a reliable cadence. Patch Tuesday is also the day that the security vulnerabilities that Microsoft patches are publicly disclosed.
On the Wednesday following Patch Tuesday, it is common to see many attackers exploiting a previously known vulnerability on outdated and unpatched systems. So, the Wednesday following a Patch Tuesday has been unofficially coined as Exploit Wednesday.
Why Do Hackers Target Patched Vulnerabilities?
Hackers target patched vulnerabilities because they know people don’t update (including plugins and themes on your website). It is an industry-standard to publicly disclose vulnerabilities on the day they are patched. After a vulnerability is publicly disclosed, the vulnerability becomes a “known vulnerability” for outdated and unpatched versions of the software. Software with known vulnerabilities is an easy target for hackers.
Hackers like easy targets, and having software with known vulnerabilities is like handing a hacker the step by step instructions to break into your WordPress website, server, computer, or any other internet-connected device.
You might be wondering why a vulnerability would be disclosed if it gives hackers an exploit to attack. Well, it is very common for a security researcher to find and privately report the vulnerability to the software developer.
With responsible disclosure, the researcher’s initial report is made privately to the developers of the company that owns the software, but with an agreement that the full details will be published once a patch has been made available. For significant security vulnerabilities, there may be a slight delay in disclosing the vulnerability to give more people time to patch.
The security researcher may provide a deadline for the software developer to respond to the report or to provide a patch. If this deadline is not met, then the researcher may publicly disclose the vulnerability to put pressure on the developer to issue a patch.
Publicly disclosing a vulnerability and seemingly introducing a Zero Day–a type of vulnerability that has no patch and is being exploited in the wild– may seem counterproductive. But, it is the only leverage that a researcher has to pressure the developer to patch the vulnerability.
If a hacker were to discover the vulnerability, they could quietly use the Exploit and cause damage to the end-user(this is you), while the software developer remains content on leaving the vulnerability unpatched.
Google’s Project Zero has similar guidelines when it comes to disclosing vulnerabilities. They publish the full details of the vulnerability after 90 days whether or not the vulnerability has been patched.
Outdated Plugins & Themes is the #1 WP Vulnerability
It is hard to keep track of every disclosed WordPress vulnerability—we keep track and share them in our WordPress Vulnerability Roundups—and compare that list to the versions of plugins and themes you have installed on your website. However, this doesn’t stop WordPress hackers from targeting plugins and themes with known vulnerabilities. Having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your website.
At the end of 2018, hackers were actively taking advantage of an exploit in the WP GDPR Compliance plugin. The Exploit allowed unauthorized users—people not logged into a website—to modify the WP user registration settings and change the default new user role from a subscriber to an administrator. Thankfully, the WP GDPR Compliance plugin developers acted fast and released a patch for the vulnerability the day after it was publicly disclosed.
But, just like with Exploit Wednesday, hackers targeted the vulnerability even though a patch had been released. In the days and weeks following the WP GDPR Compliance vulnerability discloser, we received a flurry of reports that WordPress websites were hacked by attackers exploiting the vulnerability.
Having a vulnerable plugin or theme for which a patch is available but not applied is the number one culprit of hacked WordPress websites. THIS IS SO FRUSTRATING!!!!! This means that most WP hacks could have been prevented.
It is upsetting to think about all of the people who spent tons of money getting their website cleaned, the revenue they lost while their sites were down, and the future revenue they lost to losing their customer’s trust. It makes it even more upsetting when you know all of that anguish could have been prevented with a simple update.
With Version Management, we wanted to make it easier for people to manage updates and help prevent them from using versions of software with known vulnerabilities.
What is Version Management?The Version Management feature in iThemes Security Pro allows you to auto-update WordPress, plugins, and themes.
Beyond that, Version Management also has options to harden your website when you are running outdated software and scan for old websites.
WP Auto-Updates vs. Version Management
I know what you are thinking: “Doesn’t WordPress have an option to auto-update?” Yes, thanks to the addition of auto-updates in WordPress 5.5, this is now true, but the auto-update features in iThemes Security Pro are far more robust. Let’s take a minute to compare WP and iThemes Security Pro auto-updates.
Let me start by saying that I think WordPress adding auto-updates is great for the future of WordPress. The WordPress community adopting auto-updates means fewer websites will be hacked. Fewer websites getting hacked will lead to fewer people having the false perception that WordPress is an insecure platform.
Auto-updates will also lead to plugin and theme developers pushing better releases. If we know that our customers are relying on auto-updates, we will make sure our releases don’t need a series of followup releases to fix bugs that were introduced with the initial release. This will help change the perception that WordPress requires more manual maintenance compared to other platforms.
Here are the three ways iThemes Security Pro Version Management offers more flexibility compared to the default WordPress auto-updates.
- Streamlined plugin and theme management – manage all of your plugin and theme updates from the version management settings.
- Add custom delay periods for plugin and theme updates – WordPress auto-updates only offers the option to apply updates immediately. The update scheduler allows you to create a custom delay. Delaying can be a good option for plugins or themes that tend to need some follow up releases to fix issues after a major release.
- Only Apply Updates that Fix Known Vulnerabilities – only apply updates that fix known vulnerabilities. This option is perfect if you like to manually run all of your updates but want to receive security patches immediately.
WordPress offers two options for plugin and theme auto-updates, On or Off. You will enable plugin auto-updates on the WordPress Plugins page.
The theme auto-update option is kind of hidden in the theme details page.
Version Management Auto Updates
Version Management update scheduler has options to disable auto-updates, update immediately, or delay updates for as long as you like. Plus, you can configure both plugin and theme update schedules in the Version Management settings.
Alright, let’s hop in the settings and take a closer look at the different Version Management options.
How to Use Version Management in iThemes Security Pro
To get started using Version Management, enable the module on the main page of the security settings.
Now click the Configure Settings button to take a closer look at the settings.
- WordPress Updates – Automatically install the latest WordPress release.
- Plugin Updates – Automatically install the latest plugin updates. Enabling this setting will disable the WordPress auto-update plugins feature to prevent conflicts.
- Theme Updates – Automatically install the latest theme updates. Enabling this setting will disable the WordPress auto-update theme feature to prevent conflicts.
- Strengthen Site When Running Outdated Software – Automatically add extra protections to the site when an available update has not been installed for a month.
- Force all users that do not have two-factor enabled to provide a login code sent to their email address before logging back in.
- Disable the WP File Editor (which blocks people from editing plugin or theme code).
- Disable XML-RPC pingbacks, and block multiple authentication attempts per XML-RPC request (both of which will make XML-RPC stronger against attacks without having to turn it off completely).
- Scan For Old WordPress Sites – Run a daily scan of the hosting account for old WordPress sites that could allow an attacker to compromise the server. A single outdated WordPress site with a vulnerability could allow attackers to compromise all the other sites on the same hosting account.
- Auto Update If Fixes Vulnerability – This option works in tandem with the iThemes Security Pro Site Scan to check your website for known WordPress, plugin, and theme vulnerabilities and apply a patch when one is available.
Plugin & Theme Updates
Now let’s take a closer look at configuring plugin and theme updates. Before we get started, I wanted to give a quick reminder that enabling the plugin and theme update settings will disable the WordPress auto-update feature to prevent conflicts.
Both the Plugin and Theme Update Settings have three choices.
- Blank/None – Leaving the setting blank will allow WordPress to manage the plugin and theme updates.
- Custom – The Custom option allows you to customize the updates precisely to your liking. We will cover this more in just a bit.
- All – All will update all your plugins or themes as soon as an update is available.
Now let’s take a closer look at the Custom option.
Selecting the Custom option provides three different choices for your plugin and theme updates.
- Enable – Choose which plugins you want to update immediately after a new release.
- Disable – Use this option for plugins that you want to update manually.
- Delay – The delay option allows you to set the number of days you want to delay an update of a release. This can be a good option for developers that tend to need some follow up releases to fix issues after a major release.
As we can see, the Custom auto-updates setting offers a lot more flexibility than WordPress’s on or off auto-update option.
Having a vulnerable plugin or theme for which a patch is available but not applied is the number one culprit of hacked WordPress websites. That means the majority of WordPress hacks can be prevented simply by updating.
The iThemes Security Pro Version Management feature lets you manage your automatic updates on your schedule. iThemes Security Pro has you covered whether you want to install all new updates as soon as they are released or only if the update fixes a vulnerability.