Last week, it was discovered that a very popular WordPress plug-in (Social Media Widget) was compromised with malware. Unfortunately, this was a plug-in that I frequently used for client sites, as well as my own, as an easy way to create icons that link to a client’s various social media pages and other contact methods (most commonly email, Facebook, and Twitter). This plug-in had a very good reputation, and apparently had been downloaded over 900,000 times.
What did I do?
At first, I was only aware that one of my client’s sites had a problem, so I set about to get it cleaned up. Once I realized this was an issue with the plug-in, I quickly set about to check out all the sites I had used it on. One other site was definitely compromised, but others were seemingly ok. For the compromised site, I immediately got rid of the plug-in and implemented a temporary fix. Then I got in touch with all my other clients to discuss the issue and how they would like me to deal with it. I didn’t want to be messing with an important part of their site (layout and contact) without their permission.
I decided that I wouldn’t be using that plug-in anymore, even though the author has since removed the malicious code and swears it’s safe to use again. So, now I had to figure out how to get the important contact info back up on all these sites. I looked around for a new plug-in to use, but none of them were as comprehensive as this one had been. In the end, I decided to skip the plug-in option completely. It’s just a bunch of icons and a bit of code. I can handle this on my own. So I spent a bit of time locating (and in one case creating) icons for all the sites and functions I needed, and then I coded it all myself. Not only does it look basically the same as the plug-in version, but I have more flexibility to customize it to suit each individual site better.
What’s the lesson?
Bottom line, plug-ins can be great tools, sometimes even invaluable. But sometimes it’s better to take a few extra minutes to code it yourself.