WordPress – Understanding its True Vulnerability

Everyday we manage thousands of clients running a wide range of applications, built across a number of different platforms. It should be of no surprise that a good number of them leverage the WordPress platform. This in itself can lead folks to scream from the mountain tops of the applications insecurities, we’re here to say that is just not so.

With Popularity Comes A Target

Many know, but yet many more don’t, that WordPress dominates rival CMS applications by significant margins. We are not saying this in terms of functionality or breadth, but rather by end-user adoption. We will not dabble with why and how it has accomplished this, but rather on what this means to you, the end-user.

As you would expect, with its established fame also comes attention. Unfortunately, on the web, this also means attention from the underbelly of the virtual domain, black-hat hacker’s intent on turning something good into something evil.

Why Focus on WordPress?

It’s simple, it is widely adopted and the ability to reach millions far exceeds the time and energy required on other applications.

So WordPress is Vulnerable?

It is our opinion that anything that lives on the web becomes vulnerable with time. That being said, at this time, we don’t find WordPress, version 3.3.1 to be the root cause of the infections we see every day. This is not the same of older versions, but that is to be expected with any platform, to think otherwise is foolish. It is also one of the reasons updates are so important.

The WordPress core development team and review process has matured tremendously over the years, such that they deserve accolades for their ability to push timely patches when security issues are identified. Although inefficiencies still exist in a number of areas, the greater issue we want to focus on is the end-user responsibilities.

Why so Many Infected WordPress Sites Then?

Today what we find is that no longer is the application the true cause, the paradigm has shifted, and now the end-user is often the vulnerability.

The Webmaster of Today

We are in the age of websites for all, for a low yearly fee of $34.99, and easy hosting plans starting at $5.99 a month. It is no longer necessary to hire development firms to offer overqualified resources to apply updates and make content changes. Pffff, I can do that myself. What is an update anyway?

Unfortunately, as sarcastic as that may sound, it’s the sad truth. Everyday we fight malware, Monday – Sunday, midnight to midnight, and the trend is getting stronger. End-users are sloppy, everyone is anxiously jumping at the opportunity to use an application like WordPress for their blogging and website needs, with little regard to the dangers of the interwebs. When a hack occurs, as is human nature, the first thing is to look at everything but the yourself, in this case WordPress.

Let’s take a minute to look at the top reasons for the infections we see today:

  • Poor Credential Management (FTP, SFTP, SSH, WP Admin, Cpanel, DB, etc..)
  • Poor System Administration
  • Soup Kitchen Server – Housing Test, Staging and Production Sites
  • Out of Date Software – PHP, WP, Plugins, Themes, DB
  • Lack of Web Knowledge
  • Lack of Security Knowledge
  • Use of self-proclaimed “experts”
  • Cutting Corners – Using unvetted Plugins, Themes and Scripts (Often Infected and housing backdoors)

Everything mentioned above can be easily addressed. By far, one of the worst culprits of infections today is the incredible number of Soup Kitchen servers. The lack of awareness and understanding of the potentials of cross-site contamination is jaw dropping. Understand it better here.

Pulling it Together

What most website owners do not understand is that what makes WordPress so useful and cost-effective is also its biggest weakness. WordPress is a highly extensible application that allows your average Joe to easily make changes, add features and manage content. This ease of use, while great, puts a tremendous amount of responsibility on the end-user, so much so that they are often the root of their own problem.

Thought of the day: The WordPress team is doing their part to ensure your security on the web, can you say the same thing?

About Tony Perez

Tony works at Sucuri. His passion lies in educating and bringing awareness about online threats to business owners. He spends his time giving presentations and writing content that everyday website owners can appreciate. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at Tony on Security and you can follow him on Twitter at @perezbox.

  • http://HeyDaveCole.com Dave Cole

    Nice article Tony. I had a client with a malware attack (turning all H tags in to a viagra link), and the culprit was definitely poor credentials management. 

    My client had hired company A to build his site. Then a few months later, hired company B to do some update work. Then a few months after that, had some folks from company C do some work on it as well. Well, it turned out that the email account of the admin in Company A (who hadn’t admin’d the site in years) had been compromised: and in that email account was a record of an email from one user to another with an admin-level username & password. Installing malicious code at that point was a piece of cake – and they used a clever Base64 & javascript-driven attack that kept admins & users from seeing the compromised site; but unique visitors saw a completely jacked-up site full of malware links. 

    Really opened my eyes to the importance of credentials management – like resetting passwords and deleting old administrator accounts that aren’t used or current. If that’d been his cpanel access instead of just a single-site WP admin account; all his sites and properties could have been compromised from within.  

    • http://twitter.com/perezbox Tony Perez

      Hi Dave

      Thanks for taking the time to comment and provide some feedback. Its so sad that something so simple can be the culprit but its the sad truth. All we can do is continue to educate our clients and end-users with the hopes that at some point it goes viral and we can place our focus elsewhere. 

      Not only resetting passwords and deleting old ones but also looking to using random generators to establish strong ones. Yup, that’s a very good point about his cpanel access, many folks forget about it and don’t realize that it those are often just as weak and its impact can be more devastating. 

      Thanks again for stopping by.

  • Pingback: No “soup kitchen servers” at Fublo | Fublo + Blog = Fublog()

  • Tony

    Can you guys tell me what you’re using for your free site check?

    I have an old client whose site has been infected – i ran it through your free checker and it got a clean bill of health.How does that work then?

    • Tony Perez

      HI

      Sorry for the delay in our response. The scanner is restricted to work via HTTP, there are a few things that can only be detected via the server which makes it very hard when working via HTTP. Our internal tools leverage a different set of features that allows to be dive deeper into the server. 

  • Pingback: WordPress Weekly Recap, March 23 - Konstantin Kovshenin()

  • Sam

    This is full of good info, I just wish I had learned all this sooner. That being said, Sucuri has been phenomenal. This article sums up most of what I have had to painfully learn in the last couple of weeks. These are mistakes I won’t be making again. Thanks Tony!

  • Pingback: WordPress Third Party Vulnerability – Deans FCKEditor with PWWANGS Code for WordPress(version 1.0.0) | Sucuri()

  • Pingback: esmi on "My site has been hacked and cant get back in control" | Upgrade Wordpress()

  • Gemma W.

    This is why I went with WP Engine, a managed WP hosting solution because they are better at managing the security aspect of things as well as other issues, unlike a regular host.

    I can’t understand why so many people go with a cheap host and then expect NOT to run into security issues.

  • Pingback: Speaking at WordCamp Orange County 2012 – June 2nd / 3rd - PerezBox()

  • Pingback: WordPress Third Party Vulnerability – Deans FCKEditor with PWWANGS Code for WordPress(version 1.0.0)()

  • Pingback: esmi on "Feature request: secure Wordpress" | Upgrade Wordpress()

  • Pingback: What Action To Take If Your Wordpress Site Gets Hacked | Tims Marketing Blog()

  • Pingback: WordPress Security Issues: What You Need to Know | WP Web Designer. For Those Who Love Web Design and WordPress!()

  • Pingback: WordPress Security – Cutting Through The BS | Sucuri Blog()

  • Pingback: esmi on "hacking" | Upgrade Wordpress()

  • Pingback: Wordpress Security Plugin to Keep Hackers Out! | Vicki-Berry.com()

  • dnatelso

    good info, do you have any insight into the “hacked by Badi” that is hitting many WP sites this week

  • Pingback: Tons of problems with SEOWEBHOSTING- Losing over $200 a day on adsense()

  • http://duckonwater.com/ Duncan Michael-MacGregor

    What a fantastic article, I can identify with everything here. In some ways because WordPress is so easy to set up it can devalue the services we offer as web professionals.
    There are so many ‘dabblers’ who are happy to set up WordPress without any knowledge on security and coding that it can give the pro’s and the platform a bad name.

    We put a large emphasis on security of our WordPress sites and explain to our clients the benefit of spending a bit more for better service.
    I suppose its a bit like anti virus software, people begrudge paying for it but you really do need it, those who wing it with free software or none at all will eventually learn the hard way.

    Serious businesses have pro antivirus and regular backups of their data so why should their website be any different?

    Same principles apply, secure, maintain and backup!

Share This