WordPress – Understanding its True Vulnerability

Every day we manage thousands of clients running a wide range of applications, built across a number of different platforms. It should be no surprise that a good number of them leverage the WordPress platform. This in itself can lead folks to scream from the mountain tops about the application's insecurities; we're here to say that is just not so.

With Popularity Comes A Target

Many know, yet many more don't, that WordPress dominates rival CMS applications by significant margins. We are not saying this in terms of functionality or breadth, but rather in terms of end-user adoption. We will not dabble in why and how it has accomplished this, but rather in what this means to you, the end-user.

As you would expect, with its established fame also comes attention. Unfortunately, on the web, this also means attention from the underbelly of the virtual domain: black-hat hackers intent on turning something good into something evil.

Why Focus on WordPress?

It's simple: it is widely adopted, and the ability to reach millions far exceeds what the same time and energy would yield on other applications.

So WordPress is Vulnerable?

It is our opinion that anything that lives on the web becomes vulnerable with time. That being said, at this time, we don't find WordPress version 3.3.1 to be the root cause of the infections we see every day. This is not the same for older versions, but that is to be expected with any platform; to think otherwise is foolish. It is also one of the reasons updates are so important.

The WordPress core development team and its review process have matured tremendously over the years, such that they deserve accolades for their ability to push timely patches when security issues are identified. Although inefficiencies still exist in a number of areas, the greater issue we want to focus on is the end-user's responsibilities.

Why so Many Infected WordPress Sites Then?

Today what we find is that the application is no longer the true cause. The paradigm has shifted, and now the end-user is often the vulnerability.

The Webmaster of Today

We are in the age of websites for all, for a low yearly fee of $34.99, and easy hosting plans starting at $5.99 a month. It is no longer necessary to hire development firms to offer overqualified resources to apply updates and make content changes. Pffff, I can do that myself. What is an update anyway?

Unfortunately, as sarcastic as that may sound, it's the sad truth. Every day we fight malware, Monday through Sunday, midnight to midnight, and the trend is getting stronger. End-users are sloppy; everyone is anxiously jumping at the opportunity to use an application like WordPress for their blogging and website needs, with little regard for the dangers of the interwebs. When a hack occurs, as is human nature, the first thing is to look at everything but yourself, in this case WordPress.

Let’s take a minute to look at the top reasons for the infections we see today:

  • Poor Credential Management (FTP, SFTP, SSH, WP Admin, cPanel, DB, etc.)
  • Poor System Administration
  • Soup Kitchen Server – Housing Test, Staging and Production Sites
  • Out of Date Software – PHP, WP, Plugins, Themes, DB
  • Lack of Web Knowledge
  • Lack of Security Knowledge
  • Use of self-proclaimed “experts”
  • Cutting Corners – Using unvetted Plugins, Themes and Scripts (Often Infected and housing backdoors)

Everything mentioned above can be easily addressed. By far, one of the worst culprits of infections today is the incredible number of Soup Kitchen servers. The lack of awareness and understanding of the potential for cross-site contamination is jaw dropping. Understand it better here.

Pulling it Together

What most website owners do not understand is that what makes WordPress so useful and cost-effective is also its biggest weakness. WordPress is a highly extensible application that allows your average Joe to easily make changes, add features and manage content. This ease of use, while great, puts a tremendous amount of responsibility on the end-user, so much so that end-users are often the root of their own problem.

Thought of the day: The WordPress team is doing their part to ensure your security on the web; can you say the same thing?

About Tony Perez

Tony is the Co-Founder / CEO at Sucuri. He shares a deep passion for Information Security, Business and Brazilian JiuJitsu. He approaches the business the same as he trains BJJ, one move at a time and gently. You can follow him on twitter: @perezbox.