WordPress offers small and midsized organizations an easy platform for website design. At the same time, this easy-to-use platform is providing a fruitful target for cybercriminals.
WordPress has evolved as a highly popular content management platform, accounting for about one in five websites, according to Web Technology Services. That’s 72.4 million websites worldwide as of March 2012, according to Yoast.
The vast popularity of the platform has inspired developers to create more than 25,000 plugins that extend the functionality of WordPress, Maty Siman, founder and CTO of CheckMarx, told IFSEC Global in an interview.
With popularity comes vulnerability. The server-based profile of WordPress makes it a compelling target for cybercriminals who want to leverage the always-on servers running the platform as hosts for spambots and other malicious activities.
With that in mind, CheckMarx decided to research the security of the top WordPress plugins, and the results were somewhat dismal. Yesterday, the company released a report titled “The Security State of WordPress’ Top 50 Plugins,” which outlines the results.
The company’s research lab found that 20 percent of the 50 most popular WordPress plugins were vulnerable to common Web attacks, such as SQL injection. Worse, seven out of the top ten most popular plugins contained vulnerabilities. “We were overwhelmed with the number of vulnerabilities,” Siman told us. “The seven out of ten, which could be hacked at any moment, represents 1.7 million downloads.”
For hackers, these vulnerabilities are a virtual field day. The report explains:
Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details. Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site. In other cases, hackers can take control of the vulnerable sites and make them part of their botnet, heeding the attacker’s instructions.
A quick glance at the headlines yields plenty of examples. The TimThumb LFI vulnerability, for example, infected 1.2 million websites and resulted in the redirection of 200,000 WordPress pages to rogue sites.
At least in part, the breadth of the problem can be traced to plugin developers who lack security consciousness and focus on racing to add new features rather than on ensuring that their code is secure, says Siman.
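The class of defect the report counts most often, SQL injection, usually comes from exactly this habit: request input pasted straight into a query. The following is an added illustration written for this article, not code from the CheckMarx report or from any named plugin; the plugin name, table and shortcode are hypothetical. It shows a vulnerable lookup beside the hardened version using the WordPress `$wpdb->prepare()` API.

```php
<?php
// Added illustration (hypothetical plugin): a shortcode that looks up a
// record by an id taken from the URL. Table and function names are made up.

// VULNERABLE form: the request parameter is concatenated straight into the SQL,
// so whatever the visitor puts in ?item= becomes part of the statement.
function ifsec_example_lookup_vulnerable() {
    global $wpdb;
    $id  = $_GET['item'];                                   // untrusted, unvalidated
    $sql = "SELECT title FROM {$wpdb->prefix}example_items WHERE id = " . $id;
    return $wpdb->get_var( $sql );                          // attacker-shaped SQL reaches MySQL
}

// HARDENED form: validate the type, bind the value through $wpdb->prepare(),
// and escape the result before it is echoed into the page.
function ifsec_example_lookup_hardened() {
    global $wpdb;
    // absint() coerces the input to a non-negative integer; anything else becomes 0.
    $id = isset( $_GET['item'] ) ? absint( $_GET['item'] ) : 0;
    if ( 0 === $id ) {
        return '';                                          // reject missing/invalid ids early
    }
    // %d is an integer placeholder; use %s for strings. prepare() quotes and
    // escapes the bound value, so the query structure cannot be altered.
    $sql = $wpdb->prepare(
        "SELECT title FROM {$wpdb->prefix}example_items WHERE id = %d",
        $id
    );
    $title = $wpdb->get_var( $sql );
    // Escaping on output also closes the cross-site scripting path the
    // report mentions alongside injection.
    return $title ? esc_html( $title ) : '';
}
add_shortcode( 'example_item', 'ifsec_example_lookup_hardened' );
```

A static scanner of the kind the article recommends flags the first function because `$_GET` flows into a query string without passing through `prepare()` or a sanitizer; the second is what the fix looks like in a plugin update.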
By following a few simple steps, WordPress users can increase their own safety:
- Download plugins only from reputable sources such as WordPress.
- Scan plugins for security risks. Since all extensions are open-source, they can be readily scanned for vulnerability.
- Make sure that your plugins are up to date. “If a vulnerability has been fixed, and you haven’t updated it, it’s a problem,” Siman warns.
- Remove any unused plugin from your system, as it may house a vulnerability.
CheckMarx plans to continue to follow the top 15 plugins to track whether vulnerabilities are being plugged.
@Hailey, thanks for the post. Is there any way to check if the particular plugin we are using is prone to vulnerabilities?
Hailey, what you said about popularity leading to hacks is very true. Just ask Microsoft. WordPress has been gaining in popularity for some time and it was only a matter of time until the platform was modified to be used as an attack vector. You always want to check out the sources of your plug-ins to be sure that they were never at risk of being compromised.
@Sunita, check out the top 50 listed in the report – and that will tell you about the most common ones. If you have a plug-in not on the list, there are good security code scanners that can alert you to potential problems.
@Jonathan Poon, it truly is a conundrum. You want to use proven products that work – but those are the ones that hackers are highly aware of as well. Choosing the right source for code is a critical first step.
Other than securing plugins, I found a nice article at eSecurity Planet about things to check in your WordPress install to make it more secure. Anyone who is interested in this article would probably be interested in this as well.
http://www.esecurityplanet.com/open-source-security/top-5-wordpress-vulnerabilities-and-how-to-fix-them.html
Thanks for the link, Jonathan. I use WordPress so this will definitely be helpful. Even if you don’t use the platform right now, it might still be beneficial to read this article just for informing and educating yourself.
True, true. It’s sad, but this was bound to happen. The larger the user base, the bigger the chances that it’ll be made a target, since it’s on the radar of scammers and hackers. It’s best to be vigilant and cautious at all times. The number one tip is definitely to just install plug-ins from the official site. It might not have all the plug-ins you may want, but it’s your safest bet.
Myself, I used to use WordPress, but for now I’m a bit away from it… too many problems… but do not get me wrong, WordPress is a good platform solution… but maybe not for me for now…
Yes, the same I say to my customers: security patches and plug-ins always need to be installed, better safe than sorry… but rule of thumb, a larger database always attracts hackers…