Hacking WordPress for Fun and Profit, Part 2
How attackers are getting into millions of WordPress websites and how to prevent this?
There are an estimated 172 million active websites on the internet, of which just over half use WordPress software. It is by far the world’s most popular content management system; and almost certainly the most attacked web application in the world.
This is the second of a two-part series examining why and how WordPress is a target for cybercriminals. Part One examined ‘why’ WordPress is a target. Now, in Part Two, we discuss ‘how’ it is targeted, and what site managers can do to stay safe.
Brute force password attacks
All active and validated access credentials are a target for cyber criminals. If the username is known, the simplest attack is a brute force attack, which attempts different passwords until the correct one is found.
Since users still tend to choose simple and common passwords, attackers often use automated scripts to attempt the 10 or so most popular passwords. Chances are, one might succeed. If not, the cyber criminal simply moves on to the next target web site and starts again.
More than 190,000 WordPress sites being targeted per hour at its peak
It doesn’t have to be a simple attack. December 2017 saw one of the most severe and coordinated distributed brute force campaigns ever encountered, with more than 190,000 WordPress sites being targeted per hour at its peak.
The latest variation on brute force attacks is called credential stuffing. Typically, these attacks will use a botnet to attempt known credential pairs (username and clear text password) from huge databases of previously stolen credentials. These attacks can be targeted at any industry sector, but are mainly used against the finance (not so often WordPress) and retail (often WordPress) sectors.
Credential stuffing attacks are a variation on traditional brute force, and particularly target the retail and finance sectors
According to Akamai, one credential stuffing attack generated 300,000 malicious login attempts per hour. The sheer size of some attacks can have a denial of service effect on the targeted website.
According to Builtwith.com, the most popular WordPress ecommerce plugin, WooCommerce, is used by 21% of the top 1 million online stores, making WordPress an attractive target for credential stuffing.
The best defense against this sort of attack is a challenge from the website (or a third-party service provider such as Akamai or Cloudflare) to check that the login attempt comes from a genuine browser and is neither a script nor a botnet. The problem is that such challenges invariably introduce latency for the genuine visitor – who might object to the delay and go elsewhere.
WordPress plugins can be a significant vulnerability in themselves. This usually arises with poorly-supported or abandoned plugins; that is, a disproportionate number of WordPress plugins can be categorized as ‘legacy apps’ with all the problems associated with legacy apps.
An investigation in 2017 found that of WordPress’ 37,000+ available plugins at the time, more than 17,000 had not been updated for at least two years. The plugin “Ultimate Google Analytics” currently has over 50,000 active installations, but has not been updated for 11 years.
There are now more than 50,000 WordPress plug-ins, many of which will become unsupported legacy apps within a couple of years
The number of available plugins continues to grow. The official WordPress site claims 51,131 plugins at the time of writing. Many of these will rarely and eventually never be updated – meaning that any vulnerability will never be fixed.
But even well-maintained plugins can add vulnerable functions to a website. For example, several plugins exist to allow for ‘hidden pages’, visible to site creators and administrators but not to general users. If attackers gain use of an abandoned WordPress site with this functionality, they can use those hidden websites to host malware or illegal data.
Recently exploited vulnerabilities
Vulnerable plugins are not an issue to be taken lightly. The security risks that can arise from plugins include SQL injection, RCE attacks, privilege escalation and exposure of sensitive information. The legacy plugin is not the only thing to watch out for; incompetence or malice can also lead plugin creators to leave a flaw in their plugins. In December 2017, WordPress discovered a backdoor in a Captcha plugin after its original creator sold the plugin to a new company. This left 300,000 WordPress sites exposed.
300,000 WordPress sites were backdoored after a WP Captcha plugin was sold to a new company
This month (September 2018) the security firm Malwarebytes discovered “a larger-than-usual number of WordPress sites being hijacked” through vulnerable plugins. Analysis, it added, discovered a campaign that had compromised thousands of WordPress sites in September alone. The primary purpose of the campaign was to divert the hijacked website’s visitors to tech support scam sites.
In March 2018, 50,000 WordPress sites were found to be infected with cryptojacking malware
In March 2018 it was reported that as many as 50,000 WordPress sites may have been infected with cryptojacking malware. Ilia Kolochenko, CEO of High-Tech Bridge, commented at the time, “I am not surprised. WordPress is the most popular CMS in the world, and if properly configured and maintained, it is quite secure compared to other systems. However, many WordPress installations are not updated for months or even years – let alone the plugins that contain a great wealth of unreported and thus unpatchable vulnerabilities allowing takeover of the website in less than a minute.
“The advantage for the attackers is that attacks against WordPress can be easily automated and run on a large scale. We will likely see a steady growth of such attacks: vulnerable WordPress installations and profitability of miners is an explosive cocktail."
The cumulative effect of a large attack surface (the millions of WordPress sites) and vulnerable plugins is astonishing. According to SiteLock, WordPress sites using plugins are twice as likely to be infected with malware as non-CMS sites. Furthermore, the average website is attacked 44 times every day. One per cent of all the sites it sampled were infected with malware, and 12.5 per cent of all discovered malware comprised a back door.
Signs of compromise
In some cases, it will be obvious when a WordPress site is compromised. Unauthorized content appearing, the site being flagged as malicious by Google or being taken offline entirely by the hosting provider, are all obvious indicators. This doesn’t help with more insidious attacks that may have gone undetected, however.
Not being flagged by Google does not mean you haven’t been compromised
It’s also worth noting that not being flagged by Google does not mean you haven’t been compromised. According to Sitelock, only 19 per cent of infected websites are flagged by the search engines.
There are paid services to assist with scanning WordPress sites. Generally, these will either scan the source code or the HTML served from the website. Different forms of attack can be hidden in either one, so it may be necessary to invest in two scanning services or one that accounts for both source code and output.
Site creators can take less costly measures of their own to check for security issues. It’s useful to visit your own site as a visitor frequently, to make sure the pages appear as they should and that there are no suspicious anomalies. Monitor your website for spikes in traffic – sudden and dramatic spikes could indicate that malware or a malicious redirect has made its way onto your site.
It’s a good idea to make use of free services such as VirusTotal or Spamhaus, which can compare an URL or IP address against lists of known spam- or malware-distributors, to make sure your site hasn’t been flagged.
Strong passwords and least privilege remain an important defense for WordPress sites
The first security step, as with everything else, is keeping user passwords as secure as possible. With WordPress, this applies to both you as the site owner/administrator and to any non-privileged members of your site. WordPress allows the creation of community sites, which means you may have dozens or even hundreds of users. Ecommerce sites may have thousands. It’s easy to ensure your own password is secure, but you have no such control over other users. Consider finding an actively-supported, secure plugin to manage users’ passwords and enforce a certain level of security.
Least privilege for users
Managing your site’s users extends to observing the principle of least privilege; never give users more access rights to any more functionality than they need. If your site allows for content uploaders, do not give the uploaders full administrative access; if your site incorporates a user forum, do not let users have access to any wider site functionality.
A WAF – Web Application Firewall – will provide a strong layer of security against direct attacks on the site’s code. WordPress does not natively provide this functionality, and site creators must depend on plugins or an external online service. The main issue with external WAFs is that they are highly configurable, meaning that they take a great deal of time to learn and use effectively. Implementing a WAF as a WordPress plugin piles the usual plugin issues on top of this, giving the site creator yet another element to keep updated or replaced if the creator stops supporting it.
Finally, keeping WordPress and all plugins up to date is vital. However, this can present its own difficulties. Even active plugins may not be able to update in time for core WordPress updates. This can impair your site functionality indefinitely if there are major changes to the API. This in turn can leave you with a difficult decision: wait for your plugins to be updated, losing functionality in the meantime, or leave the WordPress core un-patched until your plugins have caught up.
Finally, keeping WordPress and all plugins up to date is vital
This second option can carry significant security risks if the patch was to fix known vulnerabilities. The updates can be reverse engineered by attackers to find the original vulnerability, and then used against any site that has delayed updating.
In some cases, it can be good practice not to update plugins immediately. Updates can cause conflicts with other plugins that take time to surface. If the current version is reasonably secure, it can be worth waiting to see if any new security vulnerabilities arise because of the update.
WordPress and High-Tech Bridge
Nobody is perfect, and as many measures you take to keep your WordPress site secure and updated, there will probably be things you have missed. Simple source code scanning services can only go so far; for comprehensive security scanning and penetration testing, a more sophisticated solution is required. Immuniweb SCA helps you keep WordPress and other CMS up to date and detects vulnerable components of your web applications. The free Immuniweb WebScan can check any domain for security issues. It provides free, in-depth testing of any domain, allowing you to quickly identify any security flaws in your WordPress site.