Three out-of-date plugins are responsible for 25% of all WordPress hacks

Rusty lock hanging open on an old wooden gate

Serious advice from the makers of the iThemes Security plugin

A very interesting and helpful article was published by Sucuri that looks at security vulnerabilities. The article identifies the top 3 plugins that are left on sites OUTDATED and cause nearly 25% of the total WordPress compromised sites they see: TimThumb, Revslider, and Gravity Forms. Remember to ALWAYS, ALWAYS update your WordPress sites and plugins.

Source: iThemes WordPress Weekly Recap

It can be hard to tell whether your site uses TimThumb (a now-obsolete PHP script that themes used to resize images on the fly) or Revolution Slider, because both were often bundled inside themes rather than installed by users, which means they may never appear in your plugin list at all.
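Because theme-bundled copies never show up under Plugins, the practical check is a search of the filesystem. The script below is an added example (it is not from the original post or from iThemes or Sucuri) that walks a wp-content directory looking for TimThumb and Revolution Slider. It assumes TimThumb ships as a file named timthumb.php (some themes rename it thumb.php) whose header carries a line like `define ('VERSION', '2.8.14');`, and that Revolution Slider lives in a directory named revslider; both are assumptions about common layouts, not guarantees.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Locate theme-bundled TimThumb and Revolution Slider copies under a
# wp-content directory. Assumed layouts:
#   - TimThumb: timthumb.php or thumb.php containing
#       define ('VERSION', '2.8.14');
#   - Revolution Slider: a directory named revslider

# Print "path<TAB>version" for every TimThumb copy below directory $1.
# Files with a TimThumb-style name but no VERSION define are ignored,
# since many themes have an unrelated thumb.php.
find_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -q "define *( *'VERSION'" "$f"; then
            # Pull the quoted version string out of the define line
            v=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
            printf '%s\t%s\n' "$f" "${v:-unknown}"
        fi
    done
}

# Print every directory named revslider below $1, whether it was bundled
# inside a theme or installed as a regular plugin.
find_revslider() {
    find "$1" -type d -name 'revslider' 2>/dev/null
}

# Usage: sh find-bundled.sh /var/www/example/wp-content
if [ "$#" -eq 1 ]; then
    echo "== TimThumb copies (path, version) =="
    find_timthumb "$1"
    echo "== Revolution Slider directories =="
    find_revslider "$1"
fi
```

Run it against the site's wp-content directory and compare any version it reports with the current release of each component. Gravity Forms, by contrast, is installed as a normal plugin, so it does appear in the plugin list; on a host with WP-CLI, `wp plugin list --update=available` shows which installed plugins have a pending update.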

While TimThumb was widely used by free theme builders, Revolution Slider is a paid plugin that was often bundled with paid themes.  Gravity Forms is a very good form-building plugin that is usually bought by end users or their webmasters and installed as a normal plugin.

While good premium themes and plugins are often worth the money, most require a yearly renewal fee to keep their licenses, and therefore their software, up to date.  Almost by definition, an out-of-date website will have let its licenses lapse, and that makes updating harder.

Letting them lapse, however, also leaves the site more vulnerable.

The solution?  Four good ones would be:

  • Update your site if you can.
  • Re-license your older themes and plugins so they can be updated.
  • Switch to newer themes and plugins and keep those up to date.
  • Use a hosting company, CDN or other firewall service, or install a security plugin, to help block requests aimed at these particular vulnerabilities.

You don’t have to hire RealBasics to do these things if you’re not sure how (though of course we’d be happy to help).  But either do it yourself or find someone who can help you check for these vulnerabilities and fix them if necessary.


David Innes

I've been building and maintaining websites since 1997 and building and supporting similar hypertext-driven software since 1987. I've done maintenance and support for physical and digital systems since 1981. And no, I still haven't seen it all, but by now I usually know where to look.