WordPress Loginizer patch: are forced updates the way to go?

Earlier this month, sites running the WordPress Loginizer plug-in received a forced security update.

The update was pushed to approximately 1 million sites.

Data shows that 89% of websites running Loginizer have been patched.

Version 1.6.4 fixes an SQL injection vulnerability and a cross-site scripting flaw.

Even those who opted out of having their WordPress updates automatically installed have received the update.

This opens an intriguing debate: should such decisions ever be taken out of the users’ hands?

Chloe Chamberland, a threat analyst at Wordfence, believes that several things should be factored into the decision.

According to Chamberland, these are:

  • The criticality of the vulnerability
  • How easily it can be exploited
  • Permissions required to exploit it
  • Potential impact of the update

Due to how easy the Loginizer vulnerability was to exploit, she believes that a forced update makes sense.

In this case, all it takes to trigger the SQL injection is a single apostrophe in the username submitted at login.
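To show why an apostrophe is enough, here is an added example that is not Loginizer's code: a constructed failed-login logger in two versions, one that concatenates the submitted username into the SQL text and one that uses placeholders. The table names, the `site_secrets` row and the IP address are all made up for the demonstration; in a real WordPress plug-in the hardened form corresponds to passing values through `$wpdb->prepare()` instead of building the query string by hand.

```python
import sqlite3


def fresh_db():
    """Constructed in-memory schema: a login log plus a table holding a value worth stealing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login_log (username TEXT, ip TEXT)")
    conn.execute("CREATE TABLE site_secrets (name TEXT, value TEXT)")
    conn.execute("INSERT INTO site_secrets VALUES ('api_key', 'constructed-secret-123')")
    conn.commit()
    return conn


def log_attempt_vulnerable(conn, username, ip):
    # Vulnerable pattern: attacker-controlled username is pasted into the SQL text,
    # so a quote character in it changes the statement the database sees.
    sql = f"INSERT INTO login_log (username, ip) VALUES ('{username}', '{ip}')"
    conn.execute(sql)
    conn.commit()


def log_attempt_safe(conn, username, ip):
    # Hardened pattern: placeholders; the driver passes the values out of band,
    # so quotes in the username are stored literally and never parsed as SQL.
    conn.execute("INSERT INTO login_log (username, ip) VALUES (?, ?)", (username, ip))
    conn.commit()


def rows(conn):
    return conn.execute("SELECT username, ip FROM login_log").fetchall()


def demo_apostrophe():
    """A lone apostrophe: syntax error on the vulnerable path, a harmless row on the safe path."""
    conn = fresh_db()
    try:
        log_attempt_vulnerable(conn, "admin'", "203.0.113.5")
        broken = False
    except sqlite3.Error:
        broken = True
    log_attempt_safe(conn, "admin'", "203.0.113.5")
    return broken, rows(conn)


def demo_injection():
    """A crafted username turns the log into an exfiltration channel.

    The payload closes the username literal, supplies a subquery as the 'ip' value
    and comments out the rest of the original statement, so the secret is written
    into the log row where an administrator (or the attacker) can later read it.
    """
    payload = "x', (SELECT value FROM site_secrets)) -- "
    vuln = fresh_db()
    log_attempt_vulnerable(vuln, payload, "203.0.113.5")
    safe = fresh_db()
    log_attempt_safe(safe, payload, "203.0.113.5")
    return rows(vuln), rows(safe)


if __name__ == "__main__":
    print(demo_apostrophe())
    print(demo_injection())
```

The second demo is the practitioner's reason to care: a login form that merely logs failures is still a write primitive into the database, and anything that later renders those log rows (an admin page, for instance) becomes the read side of the attack.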

In addition, the plug-in has a large user base.

Mike Puglia, chief strategy officer at Kaseya, believes that website operators cannot be trusted to apply security updates in a timely manner, especially when this would disrupt their workflow.

Of course, there are downsides to forced updates.

Wordfence threat analyst Ram Gall said that malicious code could be bundled in one of the updates.

However, processes are in place to prevent this, and the WordPress plug-in team is tasked with reviewing a plug-in update before it is pushed.

Gall also pointed to the far more likely possibility that a forced update causes bugs or incompatibilities.

In turn, this could introduce security vulnerabilities the update did not account for.

However, most vendors test their updates prior to release.

Finally, Gall said that it is good practice to keep security updates separate from functionality updates.