WordPress offers small and midsized organizations an easy platform for website design. At the same time, this easy-to-use platform provides a fruitful target for cybercriminals.
WordPress has evolved as a highly popular content management platform, accounting for about one in five websites, according to Web Technology Services. That’s 72.4 million websites worldwide as of March 2012, according to Yoast.
The vast popularity of the platform has inspired developers to create more than 25,000 plugins that extend the functionality of WordPress, Maty Siman, founder and CTO of CheckMarx, told IFSEC Global in an interview.
With popularity comes vulnerability. The server-based profile of WordPress makes it a compelling target for cybercriminals who want to leverage the always-on servers running the platform as hosts for spambots and other malicious activities.
With that in mind, CheckMarx decided to research the security of the top WordPress plugins, and the results were somewhat dismal. Yesterday, the company released a report titled “The Security State of WordPress’ Top 50 Plugins,” which outlines the results.
The company’s research lab found that 20 percent of the 50 most popular WordPress plugins were vulnerable to common Web attacks, such as SQL injection. Worse, seven out of the top ten most popular plugins contained vulnerabilities. “We were overwhelmed with the number of vulnerabilities,” Siman told us. “The seven out of ten, which could be hacked at any moment, represents 1.7 million downloads.”
For hackers, these vulnerabilities are a virtual field day. The report explains:
Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details. Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site. In other cases, hackers can take control of the vulnerable sites and make them part of their botnet, heeding the attacker’s instructions.
A quick glance at the headlines yields plenty of examples. The TimThumb LFI vulnerability, for example, led to infections on 1.2 million websites and resulted in the redirection of 200,000 WordPress pages to rogue sites.
At least in part, the breadth of the problem can be traced to coders who lack security consciousness, focusing on a race to new features rather than ensuring that the code is secure, says Siman.
By following a few simple steps, WordPress users can increase their own safety:
- Download plugins only from reputable sources such as WordPress.
- Scan plugins for security risks. Since all extensions are open-source, they can be readily scanned for vulnerabilities.
- Make sure that your plugins are up to date. “If a vulnerability has been fixed, and you haven’t updated it, it’s a problem,” Siman warns.
- Remove any unused plugin from your system, as it may house a vulnerability.
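The third and fourth steps above (keep plugins updated, remove the ones you do not use) are easy to check mechanically. The script below is an added example written for this article, not code from Checkmarx or the WordPress project. It parses a plugin inventory in the shape WP-CLI's `wp plugin list --format=csv` produces (assumed here to have the columns name, status, update and version, with `update` reading `none` when a plugin is current) and reports which plugins need an update and which are installed but inactive. The sample inventory embedded in the script is constructed; the plugin names and versions are invented.

```python
"""Audit a WordPress plugin inventory for two of the housekeeping rules
above: plugins with a pending update, and inactive plugins to remove.

Input mirrors `wp plugin list --format=csv` from WP-CLI (assumed columns:
name,status,update,version). The sample below is constructed for this
example and does not describe any real site.
"""
import csv
import io
import sys

# Constructed sample inventory; names and versions are invented.
SAMPLE_INVENTORY = """name,status,update,version
akismet,active,none,2.5.9
contact-form-example,active,available,1.3.0
gallery-example,inactive,available,0.9.2
seo-example,inactive,none,3.1.4
cache-example,active-network,none,2.0.0
"""


def parse_inventory(text):
    """Return the CSV rows as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def unused(rows):
    """Installed but inactive plugins: dormant code still ships its bugs,
    so the recommendation is to remove them rather than update them."""
    return sorted(r["name"] for r in rows if r["status"] == "inactive")


def needs_update(rows):
    """Active plugins whose `update` column reports an available release.
    Inactive plugins are left to unused(), so each plugin gets one action."""
    return sorted(
        r["name"] for r in rows
        if r["update"] != "none" and r["status"] != "inactive"
    )


def audit(text):
    """Summarise an inventory as {action: [plugin names]}."""
    rows = parse_inventory(text)
    return {
        "update": needs_update(rows),
        "remove": unused(rows),
        "ok": sorted(
            r["name"] for r in rows
            if r["update"] == "none" and r["status"] != "inactive"
        ),
    }


if __name__ == "__main__":
    # Usage: python audit.py < <(wp plugin list --format=csv)
    # With no piped input, the constructed sample is audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INVENTORY
    for action, names in audit(data).items():
        print(f"{action:7s} {', '.join(names) or '-'}")
```

Run against the sample, the script lists contact-form-example under update, gallery-example and seo-example under remove, and akismet and cache-example as ok. On a real site, pipe the output of `wp plugin list --format=csv` into it; a plugin that is both inactive and outdated lands only in the remove list, since removing it addresses the risk more completely than updating it.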
CheckMarx plans to continue to follow the top 15 plugins to track whether vulnerabilities are being plugged.