WordPress Security

Solid Security Pro Feature Spotlight – Version Management

Dan Knauss

Version Management is a great tool that makes managing updates of WordPress core, themes, and plugins a breeze. Applying security updates as soon as possible, if not automatically, is an essential security feature for every WordPress site. Used alongside other Solid Security features, like our firewall and virtual patching, Version Management will reduce your security risks nearly to zero.

What is Version Management?

With Solid Security’s Version Management feature, we’ve made it easy for WordPress site owners and administrators to be alerted about any vulnerable versions of plugins and themes they have installed on their sites. Version Management also makes it easy to manage updates by selecting in advance which plugins can be updated automatically.

Do you need Version Management for your WordPress website?

Updating software is essential to any security and website management strategy. Updates aren’t just for bug fixes and new features. Updates can also include critical security patches. Apple products, for example, frequently receive security updates. If you do not apply them, your phone, tablet, laptop, and desktop computers are vulnerable to attack. Your router or wireless access point at home and work needs periodic updates, too. So do printers, web servers, and web applications like WordPress. Any software or programmable hardware connected to a network can be compromised through unpatched vulnerabilities.

Between automatic updates (with exceptions where you need them) and virtual patching, you can nearly eliminate your site’s target surface from vulnerable software.

Patch Tuesday

It is an industry-standard practice to disclose vulnerabilities publicly on the day they are patched. “Patch Tuesday” is the unofficial name for the regular bug and security fixes that Microsoft releases on the second Tuesday of every month. It is fantastic that Microsoft publicly discloses its security vulnerabilities and releases security fixes with such a reliable cadence. However, software with known vulnerabilities becomes an easy target for cybercriminals.

Exploit Wednesday

After a vulnerability is publicly disclosed, it becomes a “known vulnerability” in outdated and unpatched software versions. So, on the Wednesday following Patch Tuesday, it is common to see many attackers exploiting the newly disclosed vulnerability on systems that have not yet been patched. This is why the Wednesday following a Patch Tuesday has been unofficially named “Exploit Wednesday.”

Who targets patched vulnerabilities — and why?

All kinds of attackers target patched vulnerabilities because they know people don’t apply updates quickly, including the plugins and themes on your website. Criminals looking to rob, defraud, or extort people search for vulnerable websites to infect with ransomware or hijack for phishing and other fraud.

Nearly a billion WordPress websites that require continual software updates and attentive user management to stay secure are a large and easy target. As a WordPress site owner, you are responsible for watching for and applying security updates just as you must for your computer and phone.

Responsible Disclosure

You might be wondering why a vulnerability would be disclosed if it allows hackers to attack the affected software. Typically, security researchers report vulnerabilities to the software owners and other parties responsible for the affected software.

Following responsible disclosure practices, the researcher’s initial report is made privately to the affected company’s development team. Both the security researcher and the affected software developers agree that the full details will be published once a patch has been made available. Disclosure may be delayed slightly if the vulnerability is considered severe enough that more people need time to patch.

The security researcher may provide a deadline for the software developer to respond to the report or to provide a patch. If this deadline is not met, the researcher may publicly disclose the vulnerability to pressure the developer to issue a patch.

Publicly disclosing a vulnerability and seemingly introducing a Zero Day — a type of vulnerability that has no patch and is being exploited actively in the wild — may seem counterproductive. But, it is the only leverage a researcher has to pressure the developer to patch the vulnerability.

If a threat actor were to discover the zero-day vulnerability independently, they could quietly exploit it while the software companies responsible for it leave the vulnerability unpatched.

Google’s Project Zero has guidelines for disclosing vulnerabilities proactively — a practice we follow at SolidWP and all WordPress brands under StellarWP. Google publishes the full details of new vulnerabilities after 90 days, whether they have been patched or not.

Outdated plugins and themes are the leading sources of WordPress vulnerabilities.

One person can’t keep track of every disclosed WordPress vulnerability. Whole teams of people working on security research at places like Patchstack help find and report on vulnerabilities — often in the hundreds every week. (And 90-95% of all WordPress vulnerabilities each year are in plugins. The rest are in themes. Very few emerge in WordPress core.)

We follow Patchstack’s work and share their findings in our Weekly WordPress Vulnerability Reports, which you could use to check against the versions of the plugins and themes you have installed on your website. But why bother when you can let Solid Security’s Version Management tool do that work for you every day?

WordPress Core’s Auto-Updates vs. Solid Security’s Version Management

I know what you are thinking: “Doesn’t WordPress have an option to auto-update?” Yes, thanks to the addition of auto-updates in WordPress 5.5, this is true, but the auto-update features in Solid Security Pro are far more robust.

Let’s take a minute to compare the core WordPress and Solid Security Pro auto-updates.

WordPress Core: Auto-Updates

WordPress core offers only two options for plugin and theme auto-updates, enabled or disabled. They are disabled by default.

Site administrators may enable plugin auto-updates in the WordPress admin back-end on the plugins list page:

A screenshot showing the WordPress admin interface's automatic update feature in the plugins list.
In WordPress, you can enable (or disable) automatic updates for each plugin. The default setting leaves automatic updates disabled.

Using the Bulk actions tool, you may select multiple or all plugins and enable or disable auto-updates for them.

The auto-update toggle is somewhat hidden on the screen for each theme you have installed:

A screenshot showing the auto-update setting for the Twenty Twenty theme in WordPress.
There’s no way to enable or disable auto-updates for more than one theme at a time.

Generally, you should have only one theme, or one parent-child theme pair, installed. A second standard theme like Twenty Twenty-Three might be kept as a fallback if the main theme cannot load, or for diagnostic purposes. There’s no need to keep additional themes installed that you are not using. Extra, unused software needlessly adds to your site’s potential attack surface. Unused themes and plugins can still be hacked into, sometimes even if they are deactivated.

Solid Security Version Management: Auto-Updates

The Version Management update scheduler can disable auto-updates or automatically update any plugin or theme immediately when an update becomes available. It can also delay updates for a period of time you define.

Here are four ways Solid Security Pro Version Management offers more flexibility than the default WordPress auto-updates:

  1. Streamlined plugin and theme management. You can “set and forget” your core, plugin, and theme update rules from the version management settings.
  2. Custom delay periods for plugin and theme updates. WordPress’s default auto-updates can be activated or disabled per plugin. It is all or nothing. Once activated, updates will be applied immediately. This is a terrible idea for any new, major release where an update is important but likely to be followed by many bug reports and fixes. Solid Security’s update scheduler allows you to create custom delay periods before the auto-updates kick in. Delaying can be a good option for plugins or themes that often need follow-up releases to fix issues after a major release.
  3. Automatically update a plugin or theme if it fixes a vulnerability. If Solid Security Pro’s Site Scanner finds a vulnerable plugin or theme on your site, Version Management can automatically look for an update and apply it.
  4. Apply a virtual patch to vulnerable code when no update is available. If no update is available, Solid Security Pro will look for a virtual patch from Patchstack to apply and protect the vulnerable code from attack. If Patchstack considers the vulnerability medium or high-risk or sees it being attacked in the wild or likely to be attacked, they will issue a virtual patch.

All of this can be set in place to work without any action on your part when a vulnerability emerges on your site.

With automatic updates (with exceptions where needed) and automatic virtual patching, you can nearly eliminate your site’s risk of being compromised due to vulnerable software. User security management and authentication hardening form the other primary risk area for WordPress sites, and Solid Security has you covered there too.

Solid Security: Plugin and Theme Updates

Here’s what custom update rules look like per plugin:

Selecting the Custom option provides three different choices for your plugin and theme updates.

  1. Enable – Choose which plugins you want to update immediately after a new release.
  2. Disable – Use this option for plugins that you want to update manually.
  3. Delay – The delay option allows you to set how many days you want to delay an update of a release. This can be a good option for major releases.

As we can see, the Custom auto-updates setting offers much more flexibility than WordPress’s on or off auto-update option.
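To make the enable / disable / delay policy concrete, here is an added illustration (not Solid Security’s code) of the same three rules built on WordPress core’s own `auto_update_plugin` filter, which is the hook core consults before auto-updating any plugin. The plugin file names, the option name `site_update_first_seen`, and the idea of timestamping the first sighting of each release are assumptions for the example; WordPress itself does not report when a release was published.

```php
<?php
// Added example: per-plugin enable / disable / delay auto-update policy
// using WordPress core's auto_update_plugin filter. Drop it into a
// must-use plugin (wp-content/mu-plugins/) on a test site.
// Plugin basenames and the option name are constructed for illustration.

// Policy keyed by plugin basename: 'enable', 'disable', or ['delay' => days].
const SITE_UPDATE_POLICY = [
    'akismet/akismet.php'      => 'enable',           // apply immediately
    'example-forms/forms.php'  => [ 'delay' => 7 ],   // wait a week for fixes
    'legacy-widget/widget.php' => 'disable',          // always update by hand
];

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $file = isset( $item->plugin ) ? $item->plugin : '';

    // Plugins not listed keep whatever core (the per-plugin toggle) decided.
    if ( ! isset( SITE_UPDATE_POLICY[ $file ] ) ) {
        return $update;
    }
    $policy = SITE_UPDATE_POLICY[ $file ];

    if ( 'enable' === $policy ) {
        return true;
    }
    if ( 'disable' === $policy || empty( $policy['delay'] ) ) {
        return false;
    }

    // Delay: remember when this site first saw each plugin/version pair,
    // then allow the update only once that sighting is old enough.
    $seen = get_option( 'site_update_first_seen', [] );
    $key  = $file . '|' . $item->new_version;
    if ( ! isset( $seen[ $key ] ) ) {
        $seen[ $key ] = time();
        update_option( 'site_update_first_seen', $seen, false );
        return false; // start the clock; a later cron check will re-evaluate
    }

    $age_days = ( time() - $seen[ $key ] ) / DAY_IN_SECONDS;
    return $age_days >= (int) $policy['delay'];
}, 10, 2 );
```

Core re-runs the update check from WP-Cron roughly twice a day, so a delayed release is applied on the first check after the delay elapses; a release that fixes a disclosed vulnerability would still wait out the delay here, which is the gap the “auto update if fixes vulnerability” rule described above is meant to close.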

Solid Backups 9.2.0 Screenshot showing Version Management settings.
Version Management settings allow you to set up unique update rules for every theme and plugin on your site.

How to Use Version Management in Solid Security Pro

To start using Version Management, navigate to Security › Features › Site Check. Then scroll down to the Version Management Settings. Open them and set Plugin and/or Themes Updates to “All” to apply auto-updates to every plugin and theme or “Custom” to set unique update rules for each plugin and theme.

Screenshot showing Solid Security Version Management Settings.
Create your auto-update policy for plugins and themes. You can also approve auto-updates only when they fix a security vulnerability.

There are a few other settings to consider activating as well:

  • WordPress (Core Updates) – Automatically install the latest WordPress release. This is a safe setting on simple sites and for minor, maintenance and security releases. Complex sites should handle core updates with caution. Apply major updates to WordPress core only after testing and studying their potential impact.
  • Scan For Old WordPress Sites – Run a daily scan of your hosting account for other WordPress sites that may have been set up and abandoned. Forgotten, outdated sites could allow an attacker to compromise the server.
  • Auto Update If Fixes Vulnerability – This option complements the Solid Security Pro Site Scan to check your website for known core, plugin, and theme vulnerabilities. Solid Security will apply security updates when they’re available if this feature is activated.

Wrapping Up

Vulnerable plugins and themes, especially in combination with weak user security, make WordPress websites easy targets for cybercriminals. You can increase your security by updating outdated, vulnerable software on your site as quickly as possible. The Solid Security Pro Version Management feature lets you automate this process by applying automatic updates to your plugins and themes immediately or after a delay period you define. With Solid Security Pro’s virtual patching, user management tools, and stronger forms of authentication, you can reduce your risk as close to zero as possible.
