There’s so much to do when you’re running your own business.
You need to fulfil client expectations. You need to find new clients. And you need to create new products and services for your existing clients.
With all this going on, it’s hard to find time to keep your website updated, especially to meet new regulations like the General Data Protection Regulation (GDPR).
And it can be very tempting to take shortcuts.
But these shortcuts can come back to bite you – and hard!
Case in point – the recent issues with the WP GDPR Compliance plugin.
Why People Used The WP GDPR Compliance Plugin
GDPR caused a lot of panic this year. Partly because most people didn’t really understand it, but certainly not helped by dodgy marketers fanning the flames in order to sell their products and services.
At its core, GDPR is pretty simple – you need informed consent from EU citizens to collect any personal data from them (including their email address), you need to protect the personal data you collect from them, and you need to give them a way to view, amend and delete the data you hold on them.
Most of this is just good business practice.
And all of it is relatively easy to implement – if you know what you’re doing.
But when a plugin comes along that promises to take all of your confusion and worries away in one click, it’s easy to be tempted by such a shortcut.
Interestingly, the plugin clearly states:
ACTIVATING THIS PLUGIN DOES NOT GUARANTEE YOU FULLY COMPLY WITH GDPR.
Essentially, what it does do is:
- Add a consent checkbox to forms created in the most popular plugins
- Display a message that your site uses cookies and tracking scripts
- “Controls” the link to your Privacy Policy
All of this can be done without the need for another plugin.
But obviously it’s easier to have it “automatically” done for you.
The Consequences
As it turns out, this plugin had a major security flaw.
One that allowed hackers to create admin user accounts on sites with the plugin installed (never good).
Through those admin accounts, the hackers were able to do whatever they wanted, including:
- Uploading backdoor scripts to ensure continued access even if the accounts they added were deleted
- Taking sites offline
- Redirecting sites
- Installing malware on visitors’ computers
- Capturing the personal information of visitors
Some of these issues can be cleaned up quickly, but most would take hours of work to recover from.
And the leaking of personal data can never be undone!
Those site owners now have to worry about whether they’re going to be hit with the big fines that can result from GDPR breaches.
The Lesson
Any time you add code to your site, there is the potential for something to go wrong.
Sometimes you get strange behaviour due to conflicts with the existing code on your site.
Sometimes your site crashes altogether.
And sometimes you open up a security hole that can be exploited by hackers.
Unless you can read and understand code, you really don’t know what you’re in for (WP GDPR Compliance had good reviews until this breach surfaced – there were no red flags on the plugin itself).
All you can do is carefully consider whether you really need a particular plugin, or whether there are other ways to accomplish your goal.
Sometimes, a little extra effort upfront can save you a lot of headaches later on.
Next Steps
Now would be a good time to have a critical look at all of the plugins currently installed on your site.
Remove those that aren’t being used (inactive plugins can be exploited too).
Then think about alternatives that might remove the need for others (so that they can be removed too).
And make sure any that are left are up to date (outdated code is one of the biggest security risks).
In the end, your site will not only be less vulnerable to attack, but it will run faster too 🙂
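The review described in these next steps (find inactive and outdated plugins) and the admin-account problem from the Consequences section (accounts you didn’t create) can both be checked from the command line rather than by clicking through the dashboard. The script below is an added example written for this post, not code from the plugin or from WordPress; it parses the JSON that WP-CLI’s real `wp plugin list --format=json` and `wp user list --role=administrator --format=json` commands print. The sample JSON embedded in it is constructed, and the function names (`audit_plugins`, `unexpected_admins`, `wp_json`) and the allow-list of expected admin logins are assumptions for the example.

```python
"""Plugin and admin-account audit for a WordPress site (added example).

Reads the JSON output of WP-CLI (assumed installed and on PATH as `wp`);
when WP-CLI is not available it falls back to the constructed samples
below so the logic can be exercised offline.
"""
import json
import shutil
import subprocess

# Constructed sample of `wp plugin list --format=json --fields=name,status,update,version`.
# WP-CLI reports status as active/inactive/must-use/dropin and update as available/none.
SAMPLE_PLUGINS_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.0"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7"},
    {"name": "contact-form", "status": "active", "update": "available", "version": "5.0.4"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "2.3"},
])

# Constructed sample of `wp user list --role=administrator --format=json`.
SAMPLE_ADMINS_JSON = json.dumps([
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com"},
    {"ID": 57, "user_login": "unexpected-admin", "user_email": "nobody@example.invalid"},
])

# Assumed allow-list: the administrator logins the site owner actually created.
EXPECTED_ADMIN_LOGINS = {"owner"}


def audit_plugins(plugins_json):
    """Return the plugins to remove (inactive) and to update (update available).

    A plugin can appear in both lists; inactive code still needs removing,
    not just updating, because it can be exploited even while switched off.
    """
    rows = json.loads(plugins_json)
    inactive = sorted(p["name"] for p in rows if p.get("status") == "inactive")
    outdated = sorted(p["name"] for p in rows if p.get("update") == "available")
    return {"inactive": inactive, "outdated": outdated}


def unexpected_admins(admins_json, expected_logins):
    """Return administrator logins that are not on the owner's allow-list."""
    rows = json.loads(admins_json)
    return sorted(u["user_login"] for u in rows if u["user_login"] not in expected_logins)


def wp_json(*args):
    """Run a WP-CLI command with --format=json and return its raw JSON text."""
    result = subprocess.run(["wp", *args, "--format=json"], check=True,
                            capture_output=True, text=True)
    return result.stdout


def run_audit(plugins_json, admins_json, expected_logins):
    """Produce a plain-text report of what the next steps say to act on."""
    plugins = audit_plugins(plugins_json)
    admins = unexpected_admins(admins_json, expected_logins)
    lines = []
    lines.append("Inactive plugins (remove): " + (", ".join(plugins["inactive"]) or "none"))
    lines.append("Outdated plugins (update): " + (", ".join(plugins["outdated"]) or "none"))
    lines.append("Unexpected administrators (investigate): " + (", ".join(admins) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    if shutil.which("wp"):
        plugins_json = wp_json("plugin", "list", "--fields=name,status,update,version")
        admins_json = wp_json("user", "list", "--role=administrator")
    else:
        # No WP-CLI here: use the constructed samples so the script still demonstrates the checks.
        plugins_json, admins_json = SAMPLE_PLUGINS_JSON, SAMPLE_ADMINS_JSON
    print(run_audit(plugins_json, admins_json, EXPECTED_ADMIN_LOGINS))
```

Run it from the WordPress install directory (WP-CLI needs to find wp-config.php); with the constructed samples it reports `hello` and `old-gallery` as inactive, `contact-form` and `old-gallery` as outdated, and `unexpected-admin` as an administrator that the owner never created. The allow-list is the part worth keeping up to date: an admin account that nobody on the team recognises is exactly the symptom the plugin flaw produced.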
If this is outside of your zone of genius and you need someone experienced that can help you assess your website, then sign up for a Business Boosting Website Review and I’ll review everything for you.