Understanding the WordPress Security Plugin Ecosystem

As a child, did you ever play that game where you sit in a circle and one person whispers something into the next person’s ear, and the message gets relayed around the circle? Wasn’t it always funny to see what the final message turned out to be, and how it had morphed as each person in the group processed and passed it on?

This is what I see when I look at the WordPress Security Ecosystem.

The biggest challenge the ecosystem faces is product / service confusion, and a variety of factors compound it. I generally sort them into two buckets: deliberate and non-deliberate confusion. Deliberate product confusion usually comes from marketers and from those looking to make a quick buck on what they perceive to be the next virtual gold rush. Non-deliberate confusion is introduced by people who mean well, were once affected themselves, and have come up with a genuine solution that likely addresses a very narrow issue.

An easy way to appreciate this is to look at WordPress security plugins specifically, as they are tangible and the nuances are easier to see.

Contrary to popular belief, not all plugins are the same or created equal, and comparing them head to head is rarely an apples to apples comparison.

Interestingly enough, there are often unique differentiating factors between the security plugins on the market, although in many cases there are one to one overlaps. Human nature also contributes to the confusion: as humans we are wired to take the easiest route. We look for the plugin with the biggest audience, or the one that is pushed on us the most. If everyone else is using it, I should too. Rarely do we give this phenomenon much thought.

The WordPress Security Plugin Ecosystem

If you go to the WordPress repository and do a quick search for Security you will find over 2,471 plugins that have some keyword associated with Security. When writing this post there were 33,213 plugins in the repo, so that is roughly 7% of the available plugins. If you search Google for WordPress Security Plugin you will find somewhere upward of 7,230,000 results on the topic.

How is any WordPress user supposed to make sense of this?

Below I will introduce four distinct categories I want you to think about when considering a WordPress security plugin. If you can leverage these categories, they will hopefully 1) allow you to ask better questions, 2) help you employ the right solution for your needs and 3) provide better clarity into the tools you’re employing.

WordPress Security Plugin Categories

First we have to understand the types of plugins that exist. Yes, there is a very distinct categorization within the security domain. Each plugin fits predominantly into one category; some are multi-faceted and overlap other categories, but few actually do this well.

If I place a security plugin below in a specific category it’s because, from my tests and reviews, that is where I see it fit. It doesn’t mean the developer wouldn’t like it to fit in others; I just felt it was most effective where I placed it. It also doesn’t mean it won’t satisfy your specific situation. My writing is general and is meant to address security as a whole, not specific configurations.

Here is a breakdown of the WordPress Security Plugin categories:

Figure: WordPress Security Plugin Ecosystem (Sucuri)

To understand this categorization you have to understand the Information Security wheel. The common wheel has always been defined by Protection, Detection, and Response. For websites, and WordPress specifically, I am extending it to include functions that large enterprises recognize and account for but everyday website owners don’t. It’s such a problem that it deserves special attention.

Our categorizations are based on this model:

Figure: Website Security Wheel (Sucuri)

As I mentioned before, rarely does one single plugin satisfy all aspects of security. It is imperative that you understand this as a website owner. Understanding the security lifecycle helps you answer the question: which WordPress security plugin am I looking for?

WordPress Security Plugin – Prevention Category

These plugins look to provide some level of prevention, otherwise known as a perimeter defense for your website. Their objective is to stop hacks from happening. The buzzword today is Website Firewall: the idea that something can act as a filter for all incoming traffic to your website. The concept of a firewall is not new; they’ve been employed for years across the IT spectrum, and almost every router you are using to read this blog employs some form of firewall.

The biggest weakness you will find with these types of plugins is that they are often 1) behind the power curve, reacting to attacks only once they are known, and 2) limited to working at the application layer. In other words, the request has to reach your server and be handed to WordPress before the plugin ever runs; the plugin can refuse the request, but it cannot keep the request, or its resource cost, away from the server.

There are a few plugins that like to use the Website Firewall terminology but are far from it. Others actually function very well. The BlogVault team put together a very good article on this subject a few weeks back; they were focused on a different issue, but their point stands. The types of tests they ran were in fact indicative of the types of website attacks a firewall should prevent.

Things like:

  1. Remote Command Execution
  2. Cross Site Scripting
  3. Remote File Inclusion / Local File Inclusion Attacks
  4. Exploitation of Software Vulnerabilities
  5. Denial of Service (DoS)
  6. Brute Force Attempts

Why these are so important to you as the end user is best illustrated by some of the latest WordPress plugin security disclosures, such as those in the Slider Revolution plugin, the Custom Contact Forms plugin and the MailPoet Newsletter plugin, or the recent abuse of XML-RPC in WordPress core.

What you will see, however, is these plugins evolving toward a concept known as Virtual Patching. In short, as a disclosure is released, the plugin developers scurry to push out a plugin update that filters requests matching the disclosed exploit and tell you that you are now patched and protected. The vulnerable code itself is untouched; only the known request pattern is blocked, so the protection is only as good as the signature.

The big thing you hear these days is Brute Force protection. In the past the go-to solution was the Limit Login Attempts plugin; now the feature is a staple in almost every security plugin, with the exception of ours (we’ve removed it from the Sucuri plugin). You then saw really great tools like BruteProtect, which was acquired by Automattic and will likely be pushed for free to all Jetpack users. You also have a variety of others like iThemes Security, Wordfence, Login Security Solutions and so many more trying to tackle the brute force challenge.

This, however, should not be confused with what we categorize as an effective prevention plugin. A hyper focus on one very small attack vector gives most end users a very false sense of security. It’s why we don’t categorize a plugin that focuses on that one feature as a prevention plugin.

WordPress Security Plugin – Detection Category

Detection has always been the red-headed stepchild of security, not just in WordPress but in security at large. It never gets the attention it deserves, and the common response is, “If I am protecting, why do I need to be detecting?” The answer is simpler than most realize, yet many refuse to accept it.

Protection is not a 100% solution; it never has been and never will be. Imagine a world where your home or company firewall was 100% effective: why would you need an antivirus product?

Protection is great for known issues and not so great for unknown ones. What we all know, or should know, is that with enough time and resources attackers will find new points of entry (i.e., new attack vectors). This is where Detection comes into play. While we have the utmost confidence in our ability to protect, we still want a mechanism in place to detect anything that gets past our perimeter defense.

These plugins attempt to do exactly that, via a number of mechanisms: some do traditional file integrity checks, some do malware scans, some combine the two. As for which one is better? It depends. The person who used one plugin to detect their one infection will jump over mountains to say how awesome it is. The one who was successful with another will do the same. It starts to come down to who has the bigger audience and the louder evangelists.

You will find some that are free and some that are not. Some are fully automated and some are backed by humans. Where these plugins become big hits is when they satisfy your immediate problem, that problem being that you are infected.

What you have to remember is that there are many different types of infection and symptoms to account for. Do any of these symptoms fit you?

  1. Google, Yahoo, Bing have Blacklisted your website
  2. Clients are complaining that your website is being flagged by their AntiVirus
  3. Your host has disabled your website because of a Security issue
  4. Google / Bing search is showing Viagra, Levitra or other Pharmaceutical ads in the search results
  5. You are plagued with reinfections
  6. You see “This site is Hacked” or “This site may be compromised” on Google search
  7. People are complaining that your website is redirecting on their mobile devices, notebooks, desktops
  8. Something just feels off – you’re seeing weird activity, things are popping up, or you just want a second pair of eyes

These are but a small subset of the issues a website owner has to deal with, and the detection plugins that exist today will do little to address most of them. Remember also that the effectiveness of these plugins is largely determined by when they are installed relative to the compromise: a plugin that arrives after the infection has nothing clean to compare against.

For instance, if the plugin is based on integrity checks, it needs to be installed on a fresh, known-clean install so that it can create a baseline to check against. Baseline a site that is already infected and the malware becomes part of the “known good” set.
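To make the baseline requirement concrete, here is an added example of a minimal file integrity checker. It is not code from the Sucuri plugin or any plugin named on this page. It hashes every file under a directory once, on a known-clean install, stores the result, and later reports what was added, modified or removed. The baseline path, the example_ function names and the two-command usage are this example’s own choices.

```php
<?php
// Added example: a minimal file integrity checker, not code from any plugin named above.
// Usage (both commands are this example's own convention):
//   php integrity.php baseline /var/www/html   # once, on a known-clean install
//   php integrity.php check    /var/www/html   # later, from cron; exits 1 if anything changed

function example_hash_tree( $root ) {
    // Returns a map of relative path => SHA-256 for every regular file under $root.
    $real = realpath( $root );
    if ( false === $real || ! is_dir( $real ) ) {
        throw new RuntimeException( "not a directory: $root" );
    }
    $real   = rtrim( $real, '/' );
    $hashes = array();
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $real, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue; // sockets, broken symlinks, etc.
        }
        $rel            = substr( $file->getPathname(), strlen( $real ) + 1 );
        $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

function example_compare_trees( array $baseline, array $current ) {
    // Three buckets: a dropped web shell or a look-alike file in a theme directory shows up
    // as 'added', a backdoored core or plugin file as 'modified', a deleted .htaccess as 'removed'.
    $report = array( 'added' => array(), 'modified' => array(), 'removed' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( ! hash_equals( $baseline[ $path ], $hash ) ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( array_keys( $baseline ) as $path ) {
        if ( ! isset( $current[ $path ] ) ) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// The baseline must live where the web server user cannot write it; an attacker who can
// drop files into the web root could otherwise re-baseline their own malware. Example path.
$baseline_file = '/var/lib/example-integrity/baseline.json';
$mode = isset( $argv[1] ) ? $argv[1] : '';
$root = isset( $argv[2] ) ? $argv[2] : '.';

if ( 'baseline' === $mode ) {
    $hashes = example_hash_tree( $root );
    file_put_contents( $baseline_file, json_encode( $hashes ) );
    echo 'baseline written: ' . count( $hashes ) . " files\n";
} elseif ( 'check' === $mode ) {
    $baseline = json_decode( (string) @file_get_contents( $baseline_file ), true );
    if ( ! is_array( $baseline ) ) {
        fwrite( STDERR, "no baseline found; run 'baseline' on a clean install first\n" );
        exit( 2 );
    }
    $report  = example_compare_trees( $baseline, example_hash_tree( $root ) );
    $changes = 0;
    foreach ( $report as $kind => $paths ) {
        foreach ( $paths as $path ) {
            echo strtoupper( $kind ) . "\t" . $path . "\n";
            $changes++;
        }
    }
    exit( $changes > 0 ? 1 : 0 );
}
```

Run the check from cron and alert on a non-zero exit. Expect noise from wp-content/uploads and cache directories; exclude them or baseline them separately. For WordPress core files you do not even need your own baseline, since wordpress.org publishes per-release checksums (the data WP-CLI’s wp core verify-checksums uses), which sidesteps the “installed after the infection” problem for core but not for your themes and plugins.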

This category can also be extended to account for what are known as vulnerability scanners, but with these you have to be very careful. Very few vulnerability scanners actually scan for vulnerabilities. Many simply look for versions of themes and plugins with known issues and check whether you have them installed. Those that do try to test for real vulnerabilities live are often ineffective, because finding vulnerabilities isn’t just about reading the code, it’s about exercising it as well. The tool is meant to be one part of a process.

More often than not I recommend that non-tech / non-dev users steer clear of vulnerability scanners. They generate a lot of noise, and when it comes down to it you have no idea what to do next. They cause more headaches than they are worth.

WordPress Security Plugin – Auditing Category

If Detection is the red-headed stepchild, then Auditing is the foster kid that no one wants. It’s the harsh reality. We live in a time where everything is supposed to be easy. You install this plugin and you have a carousel. You install that plugin and all your posts go to your favorite social outlets. What’s this thing about auditing? You mean I actually have to monitor my website’s activity, like really administer the website?

The answer is a resounding YES.

Contrary to popular belief, security is, fortunately / unfortunately, not a set it and forget it kind of thing. You have to invest time in the process. Get acquainted with what is going on: who is logging in, what is changing, and when it is changing.

As the administrator of your website you should be asking questions like:

  • Who is logging in?
  • Should they be logging in?
  • Why are they changing that post?
  • Why are they logging in when they should be sleeping?
  • Who installed that plugin?

What many don’t realize is that through basic administration, like auditing, you can sometimes achieve greater success in identifying, thwarting and responding to a compromise.

Food for thought.
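As an added example, not the Sucuri auditing plugin or any other plugin named here, the following WordPress plugin shows what it takes to answer the questions above from a log: it appends one JSON line per login, failed login, plugin activation, content change, account creation and role change, and flags logins that happen during hours you would not expect. The log path, the quiet-hours window and the example_ names are this example’s own choices.

```php
<?php
/*
 * Plugin Name: Example Audit Log
 * Description: Added example, not the Sucuri auditing plugin. Appends one JSON line
 * per security-relevant event so "who logged in, who installed that plugin, who changed
 * that post" can be answered after the fact.
 */

// Log path and quiet hours are this example's own choices. The log sits one level above
// the web root so the web server never serves it.
define( 'EXAMPLE_AUDIT_LOG', dirname( rtrim( ABSPATH, '/' ) ) . '/example-audit.log' );
define( 'EXAMPLE_QUIET_FROM', 1 ); // site-local hour from which logins are unexpected...
define( 'EXAMPLE_QUIET_TO', 5 );   // ...up to (not including) this hour

function example_is_quiet_hour( $local_timestamp ) {
    // WordPress pins PHP to UTC, so date() on a current_time('timestamp') value yields site-local hours.
    $hour = (int) date( 'G', $local_timestamp );
    return $hour >= EXAMPLE_QUIET_FROM && $hour < EXAMPLE_QUIET_TO;
}

function example_audit( $event, array $fields = array() ) {
    $current = wp_get_current_user();
    $line    = array_merge( array(
        'ts'   => gmdate( 'c' ),
        'evt'  => $event,
        'ip'   => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        'user' => $current->exists() ? $current->user_login : '-',
    ), $fields );
    // Append-only with a lock so concurrent requests do not interleave lines.
    file_put_contents( EXAMPLE_AUDIT_LOG, json_encode( $line ) . "\n", FILE_APPEND | LOCK_EX );
}

// "Who is logging in?" and "Why are they logging in when they should be sleeping?"
// wp_login fires before the current user is set, so the login name is passed explicitly.
add_action( 'wp_login', function ( $user_login, $user ) {
    example_audit( 'login', array(
        'user'      => $user_login,
        'roles'     => implode( ',', $user->roles ),
        'off_hours' => example_is_quiet_hour( current_time( 'timestamp' ) ),
    ) );
}, 10, 2 );

add_action( 'wp_login_failed', function ( $user_login ) {
    example_audit( 'login_failed', array( 'user' => $user_login ) );
} );

// "Who installed that plugin?"
add_action( 'activated_plugin', function ( $plugin ) {
    example_audit( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    example_audit( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );

// "Why are they changing that post?" Only content changes are logged, not every save.
add_action( 'post_updated', function ( $post_id, $after, $before ) {
    if ( $after->post_content !== $before->post_content ) {
        example_audit( 'post_content_changed', array( 'post' => (int) $post_id ) );
    }
}, 10, 3 );

// New accounts and role changes are how an attacker keeps access after you clean up.
add_action( 'user_register', function ( $user_id ) {
    example_audit( 'user_created', array( 'new_user' => (int) $user_id ) );
} );
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    example_audit( 'role_changed', array(
        'target'    => (int) $user_id,
        'new_role'  => $role,
        'old_roles' => implode( ',', $old_roles ),
    ) );
}, 10, 3 );
```

The log is written by the web server user, so anyone who gains code execution on the site can truncate it; ship it off the host (syslog or a remote collector) if you want it to survive a compromise, and actually read it: a grep for "off_hours":true or for plugin_activated by an account you do not recognize answers the questions above in seconds.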

WordPress Security Plugin – Utility Category

This is perhaps the widest bucket of security plugins, and the one that most of you reading this post likely employ. It’s perhaps the most diverse bucket of the entire WordPress security plugin ecosystem: a few big ones stick out, and many smaller, single-purpose plugins can be wrapped into this category as well.

We also reserve this category for toolsets like backup or maintenance plugins that address specific security functions: plugins that let you create backups and store them locally or remotely, or plugins that let you administer and manage your website remotely. This is of course one small subcategory within the group.

The biggest plugins in this category are the ones we consider the swiss army knives of the security landscape. They can be exhaustive in their security configuration options; they have every setting you could or might ever want to employ. These plugins are not for the faint of heart.

I like to categorize these as the Do It Yourself (DIY) security plugins. Similar to those TV shows my wife adores, the ones where couples refurbish a house or landscape their backyard. Think of these plugins as your hardware store, or a very fancy toolbox: for the everyday user they will likely cause more issues than they are worth, but for the active administrator they might be exactly what you have been looking for.

Especially in the WordPress community, built by people who love to tinker, these suites fit that same user mindset. If there is something you want to do but don’t want to do manually, one of these swiss army knives of the WordPress security plugin ecosystem will likely enable you to do it. If it doesn’t, I can assure you the developers would love to know what it is so they can add it as a feature.

Which is Better For Your WordPress Security?

This is undoubtedly the question many are asking, and likely the only reason you have read this far. The harsh reality is that there isn’t a clear answer; the best answer depends on your specific scenario. I enjoy reading the hacked and malware forums on WordPress.org because it is never more blatantly obvious to me how disconnected we are when it comes to security.

Rarely do we truly understand the user’s issue; we simply regurgitate what we have heard, not from experience but from what others have said. We are so reluctant to promote an effective solution, regardless of whether it’s actually good for the user, because of sensitivities, that we forget what the end user is going through. We would rather spend hours / days / weeks having them try 150 different things than encourage them to employ something that could get them functioning quickly. This is not reserved for .org; it applies to the various WordPress communities on Facebook, Twitter, etc.

What it comes down to is what kind of end-user are you? What state of mind are you in and what are you looking to accomplish?

Here are a few different personas, or audience types, that you might fall into. Depending on which applies to you, the guidance and insight will be slightly different.

Here are 7 questions you can ask yourself when looking for a WordPress security plugin. They are not meant to be the only questions, but they are likely the most common:

Your Security Persona Defines The Best Solution

1. Are you the business owner that only cares about your website running and don’t want anything to do with security?

If so, then you’re likely not going to want to leverage any of these plugins; leave your security needs to professionals that can help you.

Yes, I link to our company, but there are alternatives. The point is: find a professional and employ them, and don’t look for the one that says they are an expert, look for the one with the appropriate experience.

I know how to change my oil, yet I still take the car in every 3 / 5 months to have it done. I value my time too much to waste it. I presume the same applies to you and your business.

2. Are you currently infected?

You want to stick with Detection plugins. One very interesting plugin that works well enough for the common issues is Anti-Malware (Get Off Malicious Scripts). You can also make use of services like SiteCheck Security Scanner and Unmask Parasites to scan your website for malware. I should also mention the Wordfence plugin as a decent Detection plugin; it has had its ups and downs in its detection in the past, and still has its limitations, but for many of the common issues it works fine (be mindful of false positives and the resource impact).

3. Are you Blacklisted by Google, Yahoo, Bing or something similar?

None of these plugins are going to help you here. You’ll want to leverage a professional service to 1) identify the problem and 2) resubmit your website for review, or you can do it yourself.

4. Do you like to tinker and want the ability to configure everything you find on those “The 10 Things You Need to Do To Harden Your WordPress Website” blog posts?

Then you’re going to want to stick with Utility plugins. One of our favorites, and one of the best maintained, is the iThemes Security (formerly Better WP Security) plugin. Mind you, this plugin has a lot of options; if you don’t know what you’re doing it’s likely not for you, so proceed with care.

5. Are you looking to stop hackers from getting in?

Then you are looking for Prevention plugins. We generally advise against website firewalls that operate at the application layer, for a variety of reasons. There are a few out there that use the name but are likely providing you a false sense of security. We’d recommend you leverage a service-based product for this; options range from services like those at CloudFlare, Incapsula or Sucuri. Do your homework and research the one you feel will be most effective.

The one caveat to this is Brute Force protection. It’s important to take some time to understand what brute force attacks are, and how they differ from other types of attacks like Denial of Service. As of late there has been a lot of hollering across the interwebs about this new, yet very old, attack method. There were arguments at one point that network latency was too big of an issue for brute force attacks to be realistic or impactful; the times have obviously changed and that’s no longer the case.

It’s such an issue that you see everyone getting into the game, and it will likely be the new security gold rush as everyone rushes to implement a solution for brute force attempts. As this happens we’ll continue to see an evolution in the attack spectrum. Case in point: the recent attacks on XML-RPC that let an attacker brute force your application while bypassing the wp-admin login form that most of these plugins watch. In this scenario none of the security plugins protecting you from brute force were addressing the issue until it was disclosed. Allow me to be clear though: the fact that they can be updated to address the issue once it is identified is pretty good as well.
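To show what the brute force feature discussed in the Prevention section above actually does, and why the XML-RPC case here slipped past plugins that watch only the login form, the following is an added example of a login throttle as a WordPress plugin. It is not code from any plugin named on this page. It counts failed logins per client address and refuses further attempts for a cooling-off period; the limits, the transient key and the example_ names are this example’s own choices.

```php
<?php
/*
 * Plugin Name: Example Login Throttle
 * Description: Added example, not code from any plugin named on this page. Counts failed
 * logins per client IP and refuses further attempts during a cooling-off period.
 */

// Limits and names (EXAMPLE_*, example_*) are this example's own.
define( 'EXAMPLE_MAX_FAILURES', 5 );         // failures tolerated per window
define( 'EXAMPLE_WINDOW_SECONDS', 15 * 60 ); // counting window, also the lockout length

function example_client_ip() {
    // REMOTE_ADDR is the TCP peer. Only trust X-Forwarded-For if a proxy you control sets
    // it; otherwise the attacker picks their own "IP" and the counter is meaningless.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_failure_key( $ip ) {
    return 'example_login_fail_' . md5( $ip );
}

// Every credential check in WordPress goes through wp_authenticate(), which applies the
// 'authenticate' filter: the wp-login.php form, XML-RPC methods such as wp.getUsersBlogs,
// and anything else that calls it. A plugin that only watches the wp-login.php form is
// blind to the XML-RPC path. Priority 50 runs after core's password check (priority 20),
// so a locked-out address is refused even when the guess is right.
function example_throttle_authenticate( $user, $username, $password ) {
    $fails = (int) get_transient( example_failure_key( example_client_ip() ) );
    if ( $fails >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'example_throttled',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_throttle_authenticate', 50, 3 );

// wp_authenticate() fires this whenever the filter chain returned an error (other than an
// empty username or password), so failed XML-RPC logins are counted as well.
function example_record_failure( $username ) {
    $key   = example_failure_key( example_client_ip() );
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, EXAMPLE_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'example_record_failure' );

// Clear the counter on a successful form login so a user who mistyped twice is not locked
// out later. XML-RPC logins do not fire wp_login, so their counter only expires with time.
function example_clear_failures( $user_login, $user ) {
    delete_transient( example_failure_key( example_client_ip() ) );
}
add_action( 'wp_login', 'example_clear_failures', 10, 2 );
```

Two caveats follow directly from the design. The counter is per authentication attempt, not per HTTP request, which matters because one XML-RPC system.multicall request can carry many attempts. And it is per address: a botnet that spreads its guesses over thousands of addresses never trips it, which is exactly why a brute force feature on its own is not what we would call prevention. Behind a proxy or service-based firewall, REMOTE_ADDR is the proxy, so the real client address has to come from the header that proxy sets.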

6. Do you want to know what is going on with your website at any given time??

Then you want to look at Auditing plugins. Our favorite is the Sucuri Security – Auditing, Malware Scanner and Hardening plugin; granted, that’s a bit selfish, but rightfully so, we think.

Good administration is critical to a good security posture, and we all know that security is based on risk management, where risk is reduced as posture improves.

7. Are you none of the above, and are only looking to improve your security posture?

Then the recommendation is to leverage a little bit from each domain. It’s okay to have multiple security plugins; each, as you can see above, is designed to address a different aspect of the security lifecycle.

The thing to remember, however, is that each of these plugins has one common denominator: they are tools designed to help you manage and administer your website better. They are not the end-all be-all when it comes to security; if there were such a thing there would be only one solution.

Ad Violations: Why Search Engines Won’t Display Your Site If it’s Infected With Malware

As your site’s webmaster, have you ever seen an e-mail from Google like this:


We wanted to alert you that one of your sites violates our advertising policies. Therefore, we won’t be able to run any of your ads that link to that site, and any new ads pointing to that site will also be disapproved.

Here’s what you can do to fix your site and hopefully get your ad running again:

1. Make the necessary changes to your site that currently violates our policies:
Display URL: site.com
Policy issue: Malware
Details & instructions:

2. Resubmit your site to us, following the instructions in the link above….

If so, you know the potential downside risk this poses for your website. In their own words, Google says,

In some cases, you may be unaware that you have malware on your site. But to protect the safety and security of our users, we stop all ads pointing to sites where we find malware.

In essence, Google and Bing care about their searchers more than about your business, so to protect their customers they’ll shut your website out of AdWords and Bing Ads and will return your site less often in organic searches.

Often overlooked in the search business is the role of the actual search engine in the ad placement process. These are businesses that specialize in creating algorithms to show relevant search results, assigning quality scores to your landing pages and placing your actual ads. A lot goes into the process, but in all cases the key for the search engine is to show relevant search results (including ads) that keep people using their search engine. It is in this spirit that search engines like Google and Bing reserve the right to refuse your ads. This is especially true if they have any reason to believe that your site may be infected with malware (including viruses, worms, spyware and Trojan horses) or is being used in phishing schemes.

From the search engine’s perspective this makes perfect sense. Searches are their lifeblood, and there are other search engines a person could use to find websites. By showing your ads or returning your site organically in a search, they are tacitly telling the searcher, “We found these sites to be relevant to you.” If they start sending people to sites that are potentially harmful, then a searcher could, potentially, switch search engines.

However, knowing why search engines work as they do doesn’t make it easier to be a webmaster when a site is hacked. Luckily, our clean up and malware removal tools, as well as our de-blacklisting service, are just a click away.

Or, better yet, keep yourself from ever getting an email like the one above from Bing or Google. Instead, protect your site, and your business, from potential problems stemming from malware, blacklisting or phishing, and look into protecting your site with a web application firewall like our CloudProxy WAF.

Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact that they share very little info should not be news, but what we found as we dove a little deeper should be. The idea is to provide you webmasters with the insight required to understand what is going on, and how to troubleshoot things when your website is blacklisted.

Get Your Bearings

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links pointed to Wikipedia images (their favicon, to be specific), and one redirected to the http://bls.pw/ shortener.

goo.gl/9yBTe - http://bits.wikimedia.org/favicon/wikipedia.ico
goo.gl/hNVXP - http://bits.wikimedia.org/favicon/wikipedia.ico?2x2
goo.gl/24vi1 - http://bls.pw/

A quick search for this last URL took us to /wp-content/themes/Site’sTheme/css/iefix.sct. As malware writers like to do, it was trying to trick us into believing it was legitimate code. In this case, the Sizzle CSS Selector Engine code (real code here) was the code being impersonated:

Figure: modified Sizzle CSS Selector Engine code (Sucuri)

Read More

Understanding Search Engine Warnings – Part I – Google – This Site May Be Hacked

If you have any questions about malware, blacklisting, or security in general, send them to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.

Question: I just found out that my site is being flagged on Google’s search engine results page with the message “This site may be hacked”. What does it mean?

Answer: This is a good question and one we see often from our clients. We see it so often that we decided to do a series on each type of blacklist warning that shows up on search engines. These are the warnings that we will cover in this series:

Read More

Cleaning Up Your WordPress Site with the Free Sucuri Plugin

If your site has recently been hacked and you are trying to clean it up yourself, we recommend that you use SiteCheck Malware Scanner, our free WordPress plugin, to help you with that task.

The plugin has a collection of useful tools that can guide you along the way. The steps provided here are not final, and there are variations that require more work, but by following these steps you will get very far. We will also not rely on any specific signature or malware strings, since those can easily be evaded by the clever bad guys.

As always, if you need professional help, the Sucuri team is here for you.

Read More

The Dangers External Services Present To Your Website

Today the Washington Post reported that they were the victims of a hack orchestrated by the Syrian Electronic Army.

This attack is interesting because it sheds light on the anatomy of attacks that appear sophisticated but are something we see on a daily basis.

Yesterday we wrote about phishing and Joomla. The important point was the emphasis on how phishing attacks work and for what reasons. In the examples we discussed, one of the reasons was financial gain; in today’s example we can look at how phishing was used to redirect traffic for a cause. In the story there are two very distinct attacks being leveraged. It’s hard to know exactly how they were combined, but it provides interesting insight into intentions.

External Services

In the article they describe that the attackers were able to hit multiple media outlets at one time, and that the attack came specifically through their content sharing network, which happens to be Outbrain. In fact, at the time this was being written Outbrain was still experiencing downtime and had acknowledged a compromise:

Figure: Outbrain acknowledges the compromise (Sucuri)

If you’re not aware, Outbrain is a very popular content recommendation service leveraged by many media outlets. It has something to do with some awesome magic they apply to understanding who is visiting your site and what the most appropriate content is for that individual. All fancy stuff and above my head, but what I do know is what this, along with so many other services, does to the security of your website.

When we look at the security chain, what you are always looking for is the weakest link. One of the factors that often contributes to weakness is the consumption of external services and your ability, or inability, to ensure the integrity of said service. Today many outlets, like the Washington Post, Time and CNN, found out the hard way why that is.

In this instance, the attackers were able to get access to an Outbrain online console and in doing so were able to inject redirects into various configurations. No one is clear at what level they compromised the console, but it is known that it affected three media outlets at a minimum.

They went on to share an image of their access as proof of their success.

This, unfortunately, is but one example of the impacts of an external service.

A few weeks back we shared information on the OpenX ad network being compromised as well. In that scenario the attackers injected a backdoor into the installation package, allowing them to gain access to any website that used it. While fundamentally different from what occurred with Outbrain, the impact can be just as catastrophic.

In this scenario, it appears the hacktivists were more concerned with broad awareness and publicity than with truly nefarious acts. Just imagine the impact some of the brands affected, CNN, Time and the Washington Post, could have had on followers around the world if the redirect had included a Blackhole variant or some similar payload designed to have lasting effects on visitors’ computers. These brands are huge conglomerates; even for only 30 minutes, the sheer amount of traffic that would have been affected is mind blowing.

Regardless, the point is not lost. As websites become more secure, attackers will continue to find new and creative means of accomplishing their goals; this is but another example of the type of creativity we can expect and are already experiencing. We have to remember the motto that many live by:

“Own one, Own them all.”

From a Site Compromise to Full Root Access – Bad Server Management – Part III

When an attacker manages to compromise and get access to a website, they won’t stop there. They will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, it is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to root on the server? In this series of articles we will show some of the techniques attackers use to go from confined FTP/web access to full root level access on a server.

In the previous articles in this series we talked about symlinking to root and using local exploits to escalate privileges. However, attackers often don’t need that level of work when the server is not well managed and/or properly secured. They can leverage a quick path to root (admin) with little trouble.

Read More

Google Transparency Report – Malware Distribution

Google just released their Malware Distribution Transparency Report, sharing the number of sites detected by their systems (the Safe Browsing program) that are compromised or distributing malware.

Google’s Safe Browsing program started in 2006 and has since become one of the most useful blacklists for detecting and reporting compromised sites. They flag around 10,000 different sites per day, and the list protects over 1 billion browser users (Chrome, Firefox and Safari).

What is really scary in their report is the number of legitimate compromised sites hosting malware compared to sites built by the bad guys for malicious purposes. For example, in the first week of June 2013, 37,000 legitimate sites were compromised to host malware. At the same time, they identified only around 4,000 sites that were built for the sole purpose of infecting people.

Read More

From a Site Compromise to Full Root Access – Local Root Exploits – Part II

When an attacker manages to compromise and get access to a website, they likely won’t stop there; they will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, it is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to root on the server? In this series of articles we will show some of the techniques attackers use to go from confined FTP/web access to full root level access on a server.

Read More

From a Site Compromise to Full Root Access – Symlinks to Root – Part I

When an attacker manages to compromise and get access to a website, they likely won’t stop there; they will aim to gain full root (admin) access to the entire server. If there are more websites hosted on the server being attacked, it is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to root on the server? In this series of articles we will show some of the techniques attackers use to go from confined FTP/web access to full root level access on a server.

Read More