
Hailey Lynne McKeefry has spent more than 23 years writing about technology and business. She began her career as an editor at periodicals such as Macintosh News, EBN, and Windows Magazine. In more than 16 years as a freelance journalist, she has written about a broad variety of technology topics, with a focus on security, storage, healthcare, and SMBs. Living in the heart of Silicon Valley, Hailey has written for many top business-to-business publications and websites, including Information Week, CRN, eWeek, Channel Insider, Channel Pro, Redmond Channel Partner, Home Office Computing, and TechTarget. She graduated from the University of California at Santa Cruz with a BA in literature.
June 19, 2013


Hackers Target WordPress Vulnerabilities

WordPress offers small and midsized organizations an easy platform for website design. At the same time, this easy-to-use platform is providing a fruitful target for cybercriminals.

WordPress has evolved as a highly popular content management platform, accounting for about one in five websites, according to Web Technology Services. That’s 72.4 million websites worldwide as of March 2012, according to Yoast.

The vast popularity of the platform has inspired developers to create more than 25,000 plugins that extend the functionality of WordPress, Maty Siman, founder and CTO of CheckMarx, told IFSEC Global in an interview.

With popularity comes vulnerability. Because WordPress runs on always-on web servers, it is a compelling target for cybercriminals who want to commandeer those servers as hosts for spambots and other malicious activity.

With that in mind, CheckMarx decided to research the security of the top WordPress plugins, and the results were somewhat dismal. Yesterday, the company released a report titled “The Security State of WordPress’ Top 50 Plugins,” which outlines the results.

The company’s research lab found that 20 percent of the 50 most popular WordPress plugins were vulnerable to common Web attacks, such as SQL injection. Worse, seven out of the top ten most popular plugins contained vulnerabilities. “We were overwhelmed with the number of vulnerabilities,” Siman told us. “The seven out of ten, which could be hacked at any moment, represents 1.7 million downloads.”

For hackers, these vulnerabilities are a virtual field day. The report explains:

Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details. Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site. In other cases, hackers can take control of the vulnerable sites and make them part of their botnet heeding to the attacker’s instructions.

A quick glance at the headlines yields plenty of examples. Exploitation of the TimThumb LFI vulnerability, for example, led to the infection of 1.2 million websites and the redirection of 200,000 WordPress pages to rogue sites.

At least in part, the breadth of the problem can be traced to coders who lack security consciousness, focusing on a race to new features rather than ensuring that the code is secure, says Siman.

By following a few simple steps, WordPress users can increase their own safety:

  1. Download plugins only from reputable sources such as WordPress.
  2. Scan plugins for security risks. Since all plugins are open source, their code can be readily scanned for vulnerabilities.
  3. Make sure that your plugins are up to date. “If a vulnerability has been fixed, and you haven’t updated it, it’s a problem,” Siman warns.
  4. Remove any unused plugin from your system, as it may house a vulnerability.
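Steps 2 through 4 above amount to a recurring inventory review: know which plugins are installed, which have fixes waiting, which are idle, and which sit at a version that a published advisory says is affected. The script below is an added example written for this page, not code from the article or from CheckMarx. It assumes the inventory is the JSON that WP-CLI's `wp plugin list --format=json` produces (the `name`, `status`, `update`, `version` and `update_version` fields are WP-CLI's); the plugin names, versions and the advisory table are constructed placeholders, not real plugins or real advisories.

```python
"""Audit a WordPress plugin inventory against the article's advice:
keep plugins updated, remove unused ones, and flag known-vulnerable versions.

Added example, not from the article or CheckMarx. Input format assumed to be
the JSON from `wp plugin list --format=json`; all data below is constructed.
"""
import json

# Constructed sample of `wp plugin list --format=json` output (placeholder plugins).
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "2.5.9", "update_version": None},
    {"name": "example-gallery", "status": "active", "update": "available",
     "version": "1.4.2", "update_version": "2.0.1"},
    {"name": "old-stats-widget", "status": "inactive", "update": "none",
     "version": "0.9", "update_version": None},
    {"name": "contact-form-demo", "status": "active", "update": "none",
     "version": "3.1.0", "update_version": None},
])

# Hypothetical advisory table (constructed): plugin name -> first fixed version.
# In practice this would be populated from the vendor's or a scanner's advisory feed.
FIXED_IN = {"example-gallery": "2.0.0", "contact-form-demo": "3.2.0"}


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings
    ('10.0' would otherwise sort before '9.0')."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit(inventory_json, fixed_in=FIXED_IN):
    """Return the plugins that need an update, are installed but unused,
    or run a version below the first fixed version in the advisory table."""
    plugins = json.loads(inventory_json)
    findings = {"needs_update": [], "unused": [], "known_vulnerable": []}
    for p in plugins:
        name = p["name"]
        # Step 3: an available update usually means a fix you do not yet have.
        if p.get("update") == "available":
            findings["needs_update"].append((name, p["version"], p.get("update_version")))
        # Step 4: inactive plugins still ship code the web server can execute.
        if p.get("status") == "inactive":
            findings["unused"].append(name)
        # Step 2: compare the installed version against the advisory table.
        fixed = fixed_in.get(name)
        if fixed and parse_version(p["version"]) < parse_version(fixed):
            findings["known_vulnerable"].append((name, p["version"], fixed))
    return findings


def print_report(findings):
    """Human-readable summary, one line per finding."""
    for name, current, newer in findings["needs_update"]:
        print(f"UPDATE   {name}: {current} -> {newer}")
    for name in findings["unused"]:
        print(f"REMOVE   {name}: inactive plugin, delete it")
    for name, current, fixed in findings["known_vulnerable"]:
        print(f"VULN     {name}: {current} is below first fixed version {fixed}")


if __name__ == "__main__":
    # On a live site, replace SAMPLE_INVENTORY with the output of
    # `wp plugin list --format=json` (the command is WP-CLI's; the data here is made up).
    print_report(audit(SAMPLE_INVENTORY))
```

Note that `wp plugin list` reports only what is installed and whether WordPress.org offers a newer version; it does not say where a plugin came from (step 1) or whether a given version is affected by an advisory, which is why the example carries its own advisory table.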

CheckMarx plans to continue to follow the top 15 plugins to track whether vulnerabilities are being plugged.

June 23, 2013 3:18 pm

The company’s research lab found that 20 percent of the 50 most popular WordPress plugins were vulnerable to common Web attacks, such as SQL injection.
@Hailey, thanks for the post. Is there any way to check if the particular plugin we are using is prone to vulnerabilities ?

Hailey Lynne McKeefry
June 25, 2013 8:51 pm
Reply to SunitaT

@Sunita, check out the top 50 listed in the report, and that will tell you about the most common ones. If you have a plug-in not on the list, there are good security code scanners that can alert you to potential problems.

June 24, 2013 10:59 am

Hailey, what you said about popularity leading to hacks is very true. Just ask Microsoft. WordPress has been gaining in popularity for some time and it was only a matter of time until the platform was modified to be used as an attack vector. You always want to check out the sources of your plug-ins to be sure that they were never at risk of being compromised.

Hailey Lynne McKeefry
June 25, 2013 8:52 pm
Reply to JonathanL

, it truly is a conundrum. You want to use proven products that work, but those are the ones that hackers are highly aware of as well. Choosing the right source for code is a critical first step.

July 2, 2013 7:30 am
Reply to JonathanL

True, true. It’s sad, but this was bound to happen. The larger the user base, the bigger the chance that it’ll be made a target, since it’s on the radar of scammers and hackers. It’s best to be vigilant and cautious at all times. The number one tip is definitely to install plug-ins only from the official site. It might not have all the plug-ins you may want, but it’s your safest bet.

July 2, 2013 2:38 pm
Reply to ITs_Hazel

Yes, the same thing I say to my customers: security patches and plug-ins always need to be installed, better safe than sorry... but rule of thumb, a larger database always attracts hackers...

June 27, 2013 10:30 am

Other than securing plugins, I found a nice article at eSecurity Planet about things to check on your WordPress install to make it more secure. Anyone who is interested in this article would probably be interested in that as well.

July 2, 2013 7:29 am
Reply to JonathanL

Thanks for the link, Jonathan. I use WordPress so this will definitely be helpful. Even if you don’t use the platform right now, it might still be beneficial to read this article just for informing and educating yourself.

July 2, 2013 2:32 pm
Reply to ITs_Hazel

Myself, I used to use WordPress, but for now I’m a bit away from it... too many problems... but do not get me wrong, WordPress is a good platform solution... but maybe not for me for now...