This past week an exploit was announced relating to the venerable Duplicator plugin.
The Duplicator plugin is frequently used to make a backup of a WordPress site for either archival purposes or for migration to another hosting account.
I quote from the article, “An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a WordPress site using the vulnerable version of the Duplicator plugin. This would allow them to download files outside of the intended directory. An attacker would need some knowledge of the target file structure or attempt to download commonly known files.”
The wp-config.php file is one of those files that can be very valuable to a would-be hacker, since it holds the database credentials and the site's secret keys. So this type of vulnerability should not be taken lightly.
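As an added example (not code from the post or from the plugin's authors), here is a small Python check a site owner can run over their web-server access log to spot the kind of crafted download request described above, including ones that hide the traversal behind single or double URL-encoding. The sample log lines are constructed, and the plugin action name and the "file" parameter in them are placeholders, not the real Duplicator endpoint.

```python
"""Added example (not the post's code): flag requests whose query values, after
repeated URL-decoding, climb out of the intended directory or name wp-config.php."""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (combined format); the plugin action and "file"
# parameter are placeholders, not the real Duplicator endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_download&file=../../wp-config.php HTTP/1.1" 200 3021 "-" "curl/7.64"
198.51.100.4 - - [10/Mar/2020:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_download&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3021 "-" "python-requests/2.22"
192.0.2.9 - - [10/Mar/2020:10:03:44 +0000] "GET /wp-admin/admin-ajax.php?action=plugin_download&file=%252e%252e%252fwp-config.php HTTP/1.1" 403 199 "-" "curl/7.64"
192.0.2.11 - - [10/Mar/2020:10:05:00 +0000] "GET /?s=hello HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Undo layered percent-encoding so %252e%252e%252f is seen as ../ ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def is_traversal(target):
    """True when any query value (once decoded) climbs directories or names wp-config.php."""
    for _, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw).replace("\\", "/")
        if "../" in value or value.lower().endswith("wp-config.php"):
            return True
    return False

def scan(log_text):
    """One finding per suspicious request; HTTP 200 means the file was likely served."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            findings.append({"ip": m["ip"], "target": m["target"],
                             "served": m["status"] == "200"})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("SERVED " if f["served"] else "REFUSED", f["ip"], f["target"])
```

A 200 response on a flagged line is the one to treat as a confirmed leak: assume wp-config.php was read and rotate the database password and salts.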
Suffice it to say, I believe this is yet another wake-up call to folks regarding the installation of utility or single-use plugins like Duplicator.
Hint: Delete after use.
Below are examples of plugins I recommend that folks delete immediately after use:
Duplicator
Broken Link Checker
Image compression plugins like EWWW Image optimizer
File Manager
Child Theme Generator
Search Console (for GSC)
… and other single-use plugins you may routinely use.
Word to the wise: whether it's a theme or a plugin, if it's not active, just delete it. Your website will be happier in the long term if you do so today.
Do you know of other single-use plugins missing from my list?