In an attempt to contact and inform site owners, Google has sent out official reminders warning against the use of outdated WordPress plugins. Back in 2014, the Slider Revolution plugin was attacked and exploited, leaving over 100,000 WordPress websites infected. Part of the reason was that the plugin was included within a bundle, so some webmasters weren’t aware they were using it at all. They may have installed a specific theme package, but they would not have remembered installing this particular plugin. RevShare, the company behind the plugin, also never announced that it had been exploited, even though they were aware of the issue at the time. So, instead of updating the plugin through the WordPress plugin dashboard, site owners were unaware they had it, never fixed it and, as a result, were left vulnerable to attacks and exploitation.
These reminders are not a new concept for Google. The company has previously sent out notices reminding site owners to update various plugins and outdated versions of both Joomla and WordPress. Whether this latest notice is strictly for the Slider Revolution plugin is unknown. However, many plugins are vulnerable to exploitation if they aren’t updated or removed completely. In fact, in addition to the Slider Revolution fiasco, another RevShare plugin was also affected in 2014: ShowBiz Pro, a carousel slider plugin, suffered the same fate, which allowed attackers to access the servers of all the sites using the old versions of both plugins.
This notice also serves as a reminder to site owners that it is important to keep their content management system and all of its plugins up to date. Many other popular plugins have also been seriously exploited in the last couple of years, particularly in the spring of 2015, through XSS flaws used to run malicious code. Plugins like Yoast, WP Super Cache, Shareaholic and a handful of popular plugins for SEO were all affected because they weren’t updated in a timely fashion. In some cases, developers updated the plugin but never notified site owners that they needed to install the update to prevent attacks. Webmasters can prevent similar situations by installing plugin updates as soon as they are available or by configuring automatic updates.
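Because the Slider Revolution copies in question arrived inside theme packages, an inventory of what a theme ships is a useful complement to keeping the dashboard's plugins updated. The following is an added example, not code from Google, WordPress or the plugin vendor: it walks `wp-content/themes` looking for PHP files that carry the standard WordPress plugin header (`Plugin Name:` / `Version:`). It assumes bundled copies keep that header, and the theme and plugin names in the sample tree are constructed.

```python
import os
import re
import tempfile

# Plugin metadata lives in a comment header near the top of a PHP file;
# only the first 8 KiB is inspected here.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t\r]*$", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def find_bundled_plugins(wp_content):
    """Return (relative path, plugin name, version) for plugin headers under themes/."""
    found = []
    for root, _dirs, files in os.walk(os.path.join(wp_content, "themes")):
        for fname in files:
            if not fname.endswith(".php"):
                continue
            path = os.path.join(root, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                head = fh.read(8192)
            name = NAME_RE.search(head)
            if not name:
                continue  # ordinary theme file, not a plugin entry point
            version = VERSION_RE.search(head)
            rel = os.path.relpath(path, wp_content).replace(os.sep, "/")
            found.append((rel, name.group(1), version.group(1) if version else "unknown"))
    return sorted(found)

def build_sample_tree():
    """Constructed sample: a theme that ships a slider plugin inside its own folder."""
    base = tempfile.mkdtemp()
    files = {
        "themes/example-theme/functions.php": "<?php\n// theme setup only\n",
        "themes/example-theme/inc/example-slider/example-slider.php":
            "<?php\n/*\n * Plugin Name: Example Slider\n * Version: 1.0.3\n */\n",
        # Installed the normal way; outside themes/, so it is not reported.
        "plugins/visible-plugin/visible-plugin.php":
            "<?php\n/*\nPlugin Name: Visible Plugin\nVersion: 3.1\n*/\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base

if __name__ == "__main__":
    for rel, name, version in find_bundled_plugins(build_sample_tree()):
        print(f"{rel}: {name} {version}")
```

Point `find_bundled_plugins` at a real `wp-content` directory and compare each reported version against the vendor's current release.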
If a site does get hacked, however, Google has the ability to flag it in the search results as being unsafe to visit. Once this is done, Google can remove it from the results until the problem is fixed. It is worth noting that if you have been hacked through the use of this plugin, simply updating the plugin will not remove the hacked content from your site. You’ll still have to remove that content manually.