We will explain why "unused plugins" are an attack vector in WordPress, and the difference between removing and deactivating them.

Routes by which WordPress program vulnerabilities are attacked

The main routes of attack for WordPress program vulnerabilities are as follows:

1 A vulnerability in the use of admin-ajax is attacked

WordPress has a built-in background communication mechanism called admin-ajax.
Many plug-ins use this mechanism, and some use it in a way that introduces vulnerabilities.
Hackers can send queries to admin-ajax that exploit such a vulnerability to perform various hacking activities.

This type of attack is not effective if the vulnerable plugin is deactivated.

2 A vulnerability caused by improper use of WordPress functions is exploited

In addition to admin-ajax, WordPress has various built-in functions. An attack that reaches a vulnerability through these functions, rather than by accessing the plugin's files directly, does not work if the plugin is deactivated.
This type of vulnerability can be exploited through the REST API, WordPress's interface for external communication, or through shortcodes defined by the plugin. (Shortcodes of a deactivated plugin cannot be executed.)

3 Vulnerable program files are accessed directly and used in attacks

Some vulnerabilities can be exploited by accessing the vulnerable program file directly.

This type of vulnerability can be used for attacks even if the plug-in is deactivated.
For example, the following vulnerabilities can be used for attacks even when plug-ins are deactivated.

https://wp-doctor.jp/blog/vulnerabilities/litespeed-cache-exploit-cve-2023-40000/

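Many plugin files begin with the following code, which is there to prevent attacks that access the file directly.
if ( ! defined( 'ABSPATH' ) ) {
	exit; // Stop here: the file was requested directly, not loaded by WordPress.
}
WordPress defines ABSPATH when it loads, so the constant is undefined when a plugin file is requested directly, which is possible even when the plugin is deactivated. The code checks for this and forces the process to exit when ABSPATH is not defined. However, vulnerable plug-ins may not have this direct access prevention code inserted.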

4 Backdoors and other malicious programs installed by another hacker are reused in the attack

This type of attack is very common, but it is often unrelated to whether a plug-in is present or deactivated, because an earlier successful attack has already let a hacker in to install backdoors and the like.

We recommend that you remove any plug-ins that you have deactivated.

Some site operators believe that deactivated plug-ins will not be used for hacking.

As a result, deactivated plug-ins may be left on the server until they are very out of date, which increases the risk that they contain vulnerabilities.

Vulnerabilities that can be exploited by directly accessing files, even when the plug-in is deactivated, are too numerous to ignore, so we recommend that deactivated plug-ins be removed from the server.

In most cases, deactivated plug-ins are not used at all, so there is no problem with removing them. However, if you are concerned, we recommend that you perform a full site backup before deleting the plug-in.
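
To find the plug-ins this recommendation applies to, the following added example (not code from the original page) lists plugin folders that are not active and, for each, the PHP files that lack the direct access guard described above. It assumes the set of active plugin slugs is supplied by the operator, for example from `wp plugin list --status=active --field=name`; the function names, the sample tree and the 4096-byte window are assumptions of this example, and the check also accepts the `WPINC` constant, which some plugins test instead of `ABSPATH`.

```python
import re
import tempfile
from pathlib import Path

# Heuristic: a guard is a defined() check on a WordPress core constant near the top of the file.
GUARD = re.compile(r"defined\s*\(\s*['\"](ABSPATH|WPINC)['\"]\s*\)")
HEAD_BYTES = 4096  # assumption: only a check near the top protects the code that follows it


def unguarded_files(plugin_dir: Path) -> list[str]:
    """Return PHP files under plugin_dir with no guard in their first HEAD_BYTES."""
    found = []
    for php in sorted(plugin_dir.rglob("*.php")):
        head = php.read_bytes()[:HEAD_BYTES].decode("utf-8", errors="replace")
        if not GUARD.search(head):
            found.append(php.relative_to(plugin_dir).as_posix())
    return found


def audit_inactive(plugins_root: Path, active: set[str]) -> dict[str, list[str]]:
    """Map each plugin folder that is not in the active set to its unguarded PHP files."""
    report = {}
    for entry in sorted(plugins_root.iterdir()):
        if entry.is_dir() and entry.name not in active:
            report[entry.name] = unguarded_files(entry)
    return report


def build_sample(root: Path) -> None:
    """Constructed sample tree: one active plugin and one deactivated plugin."""
    guard = "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\n"
    files = {
        "active-plugin/active-plugin.php": guard,
        "old-gallery/old-gallery.php": guard + "// main plugin file\n",
        "old-gallery/inc/export.php": "<?php\necho 'export';\n",  # no guard
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for slug, files in audit_inactive(Path(tmp), {"active-plugin"}).items():
            print(f"{slug}: inactive, {len(files)} file(s) without guard: {files}")
```

Every folder in the report is a candidate for removal, whether or not it has unguarded files; the file list only shows which files respond to a direct request without the guard. Single-file plugins placed directly in the plugins folder are not covered by this example.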
