WordPress insecurity - a curable condition?
Security measures on the popular blogging platform are under the microscope - is there a solution to the rising compromises?
New research from IBM X-Force has found that 68 per cent of compromised hosts ran WordPress versions less than six months old, but 40 per cent run a version less than 30 days old, or in other words there are a large number of successful website compromises in a relatively short window. In February 2017, a WordPress flaw allowed hackers to deface an estimated 1.5 million blog pages in just a few hours.
When we think about cyber security there are a host of keywords and technologies that spring to mind, many to do with enterprise security, or securing the perimeter, or even employee education. One that perhaps doesn’t spring to the fore is WordPress. However, there are a variety of reasons that perhaps it should.
The free to use, open source content platform is more popular than ever, with stats from March 2016 claiming that it powers 26.4 per cent of the Web, and is by far the most used CMS, with a 59.4 per cent market share. Not only that, there are more than 500 sites being created on WordPress every day.
These impressive stats have made WordPress a key target for hackers, just as the huge install bases of Windows and Android have made them the biggest targets in their areas. A compromised, otherwise legitimate WordPress site is an ideal host for malware, for cybercriminals running phishing scams with a ransomware payload for example.
WordPress keeps a regular flow of updates to stem the tide of vulnerability exploitation, but recent figures from IBM X-Force found that website operators are sometimes slow to update, with many of the dated WP versions are still in widespread use.
Although WordPress automated updates in October 2013, many admins disable this feature to prevent important plugins crashing or custom CSS going awry unexpectedly. However, plugins are one of the major weaknesses of the WordPress platform, with the vast majority of attackers (70 per cent) choosing the content folder where plugins and themes are kept as their starting point.
Ilia Kolochenko, CEO of web security firm, High-Tech Bridge, states: “Vulnerable WordPress plugins are a very well-known source of vulnerabilities. Nowadays, critical RCEs and Arbitrary File Upload flaws are quite rare, but as we can see - they still exist and complement less dangerous but more frequent XSS and SQL injections.
Different from core WordPress installation, that is maintained and supported by team of professionals, third-party plugins are often abandoned or release security patches with a significant delay. The best way to avoid security problems with plugins would be to stop using them, but if there is no such possibility, WordPress owners should rename or hide admin directory, implement two factor authentication (however, it won’t save from RCE) and hide the admin panel. A simple WAF can be also a very good idea (however, it will not help against advanced vectors of XSS). Obviously, core WP installation and all updatable plugins should be maintained and up to date.”
IBM researchers found that although admins are updating their sites, they are still being caught out, as the graph shows:
There are two possibilities proposed by the researchers - either attackers are taking advantage of WordPress vulnerabilities very quickly after they are made public, or there is a particularly active market for WordPress zero-days, which is enabling compromise without the need for reverse-engineering a security fix - a potentially ominous situation.
In a parallel Android-flavoured universe, Google recently quadrupled its top-level bug bounty reward for zero-day flaws, now set at $200,000 (£156,000) for critical vulnerabilities. Meanwhile a remote kernel proof-of-concept could leave you $150,000 better off, up from $30,000. Maybe there are learnings here for WordPress about the value of vulnerabilities in 2017...or maybe it was down to the plugins all along...