
When running Google Lighthouse tests for Best Practices, WordPress users will run into a 7-point deduction for "Includes front-end JavaScript libraries with known security vulnerabilities". If everything else is in order on your site for Best Practices, you'll probably have a score of 93:

[SOLVED] Google Best Practices:

The associated directive is, “Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more.”

You may be tempted to think this is coming from a plugin or your theme (which is still worth checking), but WordPress Core itself ships this jQuery script. Version 1.12.4 was released way back in May 2016.

The two vulnerabilities that Google's Best Practices audit is referring to in this core script are Cross-site Scripting (XSS) (when the attacker tricks a legitimate web-based application or site into accepting a request as originating from a trusted source; read the full report here) and Prototype Pollution (the ability to inject properties into existing JavaScript language construct prototypes, such as objects; read the full report here).
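To make the Prototype Pollution point concrete, here is an added example (not from the original post and not jQuery's own code): a simplified recursive deep-merge modelled on the behaviour that made `$.extend(true, ...)` in jQuery 1.12.4 vulnerable, beside a hardened version that refuses to walk into prototype-related keys. The function names and the sample JSON are this example's own assumptions.

```javascript
// Added example: models the flaw and its fix, not jQuery's actual source.
// naiveDeepMerge recurses into target["__proto__"], which resolves to
// Object.prototype, so a crafted source object can add properties to every
// object in the page. safeDeepMerge skips those keys and copies own
// properties only, which is the defensive form.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Vulnerable form (simplified): no key filtering, inherited lookups allowed.
function naiveDeepMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      target[key] = naiveDeepMerge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form: reject prototype-altering keys, use own properties only.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownExisting = Object.prototype.hasOwnProperty.call(target, key) &&
        isPlainObject(target[key]) ? target[key] : {};
      target[key] = safeDeepMerge(ownExisting, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input (e.g. JSON merged into site options).
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Returns true if merging the untrusted input polluted Object.prototype.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // clean up so later checks are independent
  return leaked;
}
```

Running `pollutes(naiveDeepMerge)` returns true while `pollutes(safeDeepMerge)` returns false, which is the difference a library upgrade buys you.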

Why doesn't WordPress Core just update to the latest jQuery version? Unfortunately, it's not backwards compatible with 1.12.4, so forcing an update would break many sites. There is an ongoing discussion here that tracks when the upgrade should take place within WordPress Core.

Thankfully, you don't have to wait. You can use a free plugin to update just that script without touching your site's code. The plugin is called jQuery Updater.

Bear in mind that if you have older dependencies, using this plugin may cause JS errors in your console and stop certain site functionality from working. Try it out on a staging copy of your site first, or at least during a low-traffic period.


Copyright © 2019 Nodeflame