On March 18, 2023, a security vulnerability was discovered in Elementor Pro, a popular WordPress site editor plugin used by over 1 million websites. The vulnerability allowed attackers to upload arbitrary files to affected websites, which could then be used to execute malicious code or steal sensitive data.
The vulnerability was exploited by attackers to take over hundreds of thousands of WordPress websites. The attackers then used the compromised websites to host phishing pages, distribute malware, and send spam emails.
Fortunately, Elementor has since patched this vulnerability and the issue seems to have been resolved. However, the damage from this breach has already been done and will have lasting effects for a lot of website owners who were using this software.
How Did This Hack Even Happen?
Long story short, it seems there was a broken access control issue that would allow hackers to take over WordPress sites that had the Elementor Pro plugin installed alongside an active WooCommerce installation. The cause was mostly a lack of permissions checking in the code, so low-level users could upload malicious content / malware.
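To make the "lack of permissions checking" concrete, here is an added illustration (not Elementor's code, and not a reproduction of the actual bug) of a WordPress AJAX upload handler in its weak form beside a hardened form. The hypothetical action names, nonce name and option values are assumptions; the WordPress functions used are real core APIs.

```php
<?php
// Hypothetical plugin code for illustration only; the action names are made up.
// wp_ajax_* hooks fire for ANY logged-in user, so authentication alone is not
// authorization: a handler must check the caller's capability itself.

// WEAK: any authenticated account (even a low-privilege one) reaches this handler,
// no nonce is verified, and the file type is not restricted by the plugin.
function example_weak_upload() {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    wp_send_json_success( $result );
}
add_action( 'wp_ajax_example_weak_upload', 'example_weak_upload' );

// HARDENED: verify the request origin (nonce), verify the capability the action
// needs, reject empty requests, and allow only an explicit list of MIME types.
function example_hardened_upload() {
    // CSRF protection: dies with a 403 unless the nonce created for this action is valid.
    check_ajax_referer( 'example_upload_nonce', 'nonce' );

    // Authorization: "logged in" is not enough; require the upload capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array(
        'test_form' => false,
        // Allowlist of types this feature legitimately needs; PHP and other
        // executable types are never accepted here.
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
        ),
    ) );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_hardened_upload', 'example_hardened_upload' );
```

When reviewing a plugin, the thing to look for is the pair of checks at the top of the hardened handler: every state-changing AJAX or REST endpoint should have both a nonce check and a current_user_can() check before it touches files, options or the database.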
Users with Elementor Pro should update to versions 3.11.7 or 3.12.0 to prevent any breaches from happening on their websites.
Even though Elementor and WooCommerce are widely used and pretty well built, they are also widely distributed and used by several million users worldwide. When systems like this are used at this level, it's only a matter of time before vulnerabilities are unintentionally created during the development process and exploited by opportunistic actors looking to do harm.
The Risks Of Using WordPress or Any Other CMS (Content Management System)
Starting with the most obvious one, you can get hacked! Good thing it's actually not that common and fairly easy to prevent. That is, if you keep up with regular updates.
I'm not trying to say that WordPress or other CMSs are inherently bad. What I am saying is that there are significant tradeoffs to using a CMS versus other options.
CMS vulnerabilities can occur in plugins, themes, or the CMS core itself. The code of these components is often open source, which means potential attackers can read it and have ample opportunity to identify and exploit vulnerabilities. Many website owners also get into the habit of not updating their CMS version, active theme, or plugins regularly.
A good chunk of the software updates to any of the aforementioned components are going to be security updates. Open source CMS software like WordPress makes up a massive ecosystem of developers and users alike. The software it runs on, PHP and MySQL/MariaDB, is also changing all the time. This forces developers to constantly update their software so they can accommodate those changes and patch any new security flaws that pop up.
On top of that, companies are constantly developing new features for the plugins their users depend on. Sometimes a new feature ships with a flaw that doesn't get noticed right away. Often they will catch it before a hacker finds their way in, but not always.
CMS users can sometimes also be susceptible to social engineering attacks, such as phishing. One example would be a hacker uploading their own software to a compromised site and redirecting you to an identical-looking site that grabs your login details. Some of these look-alike sites are incredibly convincing and can claim a lot of victims before the exploit is discovered and patched.
Content Management System Alternatives
You have several options for building and managing your website. But it really comes down to one of two decisions: either do it yourself, or hire it out. That's the first thing you really need to decide.
The main reason anyone chooses to build their own website is typically to save money. Then, since most are not developers who know how to code in HTML and CSS, they use a content management system like WordPress, or something else. While this can save a good amount of money up front, it can also cause a lot of issues down the line.
The main issue is vulnerability to getting hacked. If a CMS gets hacked and the site owner doesn't know how to fix it, they could be stuck with a serious mess that they can't clean up on their own. It could get quite costly to have a developer come in and get the issues sorted out.
Another common issue comes from a lack of web development expertise. It's very common for DIY websites to have a bad design, bad user experience, and all kinds of other issues. It's almost always better to not have a website at all than to have a website that creates a bad user experience.
Anyone who needs a website and is concerned with costs should still consider hiring at least a good freelancer to get the job done. There are actually a lot of low cost options out there where you can still end up with a solid end result.
Using a skilled developer to build your website offers several advantages. Firstly, developers have a deeper understanding of web development and data center systems, allowing them to create secure and scalable websites. Secondly, developers can tailor your website to your business needs, ensuring that it meets your specific requirements. Lastly, developers can provide ongoing maintenance and support, ensuring that your website remains up-to-date and secure.
These are all things that you will have to do in any case, so it's probably worth a look to see if you can find an option that's affordable to you.
Of course, Sigma Sites has some of the lowest cost, high end website packages in the industry.
Make Sure You Know What You're Getting
So again, I have nothing against WordPress or most other CMS tools for that matter. As long as these systems are kept up to date they are usually safe to use.
The thing to keep in mind, though, is that a lot of so-called "developers" use WordPress as well. Most do this because they're not actually developers, but rather marketers with design knowledge and the ability to use the basic functionality of WordPress.
I don't think there's anything wrong with this as long as the developers shipping these solutions are providing you with a quality result and have a plan for keeping it all updated and well managed for you. Be sure you don't pay a high, premium price for WordPress or any other CMS site where the developer uses a paid or already existing theme. Editing WordPress themes isn't too difficult and you could be paying a very high markup. This is something of a cottage industry right now, and you're usually not getting the expertise you would from a knowledgeable web developer or agency that can actually design and build websites by writing the code.
A website that runs within a code framework rather than a CMS is going to be far superior in performance and security. These are by far the best website solutions available for a non-DIY website. A code framework is simply a program that lets a developer build out a design as a reusable template, so they don't have to change every single page on a website for a simple edit to the layout. The developer still has to code things out, but the framework makes them more efficient and cost effective. It also provides them with a development platform and access to libraries, APIs, databases, and other things they need to build custom solutions for their clients.
The bottom line here is that if you hire a developer or agency, make sure to ask them what they will be building your website with and how they will be hosting it. If you don't plan on ever making changes yourself and don't need a lot of complex software, WordPress or another CMS may not be the best solution for you.
SUMMARY
The hack of the Elementor plugin has exposed the risks of using a CMS such as WordPress. Using a CMS is convenient, but it also comes with risk. Dynamic websites driven by CMSs are vulnerable to attacks, requiring ongoing precautions and security measures. Hiring a skilled developer to build your website could be the best option, as it offers security, customization, and ongoing support. Remember, prevention is better than cure when it comes to website security.
If you use a CMS like WordPress to manage your website, make sure you update it regularly and use security plugins. Also make sure all the plugins are updated every time a patch or version update is released.
It's never a bad idea to shop for a skilled developer to build your website, to avoid any issues with security and to have a solid user experience. Or, at the very least, hire one to manage your current site for you to ensure continuity of quality.