No content management system (CMS) measures up to WordPress in terms of popularity. It is an indisputable champion in its niche, boasting an impressive 63.5 percent of CMS market share. Furthermore, 37 percent of all websites on the Internet run WordPress.
With a flexible framework that fits virtually any context online — from small personal blogs and news outlets to sites operated by major brands — it’s no surprise this CMS has been shaping the web ecosystem for years.
What do cybercriminals think of this hype train? You guessed it — they do not mind jumping on it. Unlike webmasters, though, their motivation is far less benign.
The silver lining is that the WordPress Core is properly secured from different angles through regular vulnerability patches. The WordPress security team collaborates with trusted researchers and hosting companies to ensure an immediate response to emerging threats. To step up the defenses without relying on site owners’ update hygiene, WordPress has been pushing automated background updates since version 3.7, released in 2013.
The bad news is that third-party plugins can be easy prey for malicious actors. Unsurprisingly, plugins with many active installations are a bigger lure: a single flaw in one of them is a shortcut into every site that runs it, so the attack surface scales with the plugin’s install base.
The loopholes recently found in popular WordPress plugins run the gamut from remote execution and privilege escalation bugs to cross-site request forgery and cross-site scripting flaws.
File Manager
In early September, researchers at Finland-based web hosting provider Seravo came across a security loophole in File Manager, a WordPress plugin installed on at least 600,000 sites. Categorized as a zero-day remote code execution vulnerability, this critical bug allowed an unauthenticated adversary to access the admin area, run malicious code, and upload dodgy scripts to any WordPress site running File Manager versions between 6.0 and 6.8.
To the plugin maker’s credit, a patched version (File Manager 6.9) was released mere hours after security analysts reported this vulnerability. According to File Manager’s active version statistics, though, this build is currently used on only 52.3 percent of WordPress sites that run the plugin. This means that more than 300,000 sites continue to be susceptible to compromise because their owners are slow to update the plugin to the latest patched version.
When white hats discovered this flaw, it was already being exploited in real-world onslaughts attempting to upload harmful PHP files to “wp-content/plugins/wp-file-manager/lib/files/” directory on unsecured websites. At the time of this writing, more than 2.6 million WordPress instances have been probed for outdated File Manager versions.
Moreover, different cybercriminal gangs appear to be waging war over websites that continue to be low-hanging fruit. One of the elements of this rivalry comes down to specifying a password for accessing the plugin’s file named “connector.minimal.php,” which is a primary launchpad for remote code execution in unpatched File Manager iterations.
In other words, once threat actors gain an initial foothold in a vulnerable WordPress installation, they block the exploitable component from being used by other criminals who may also have backdoor access to the same site. Speaking of which, analysts have observed attempts to hack websites via the File Manager plugin bug coming from a whopping 370,000 different IP addresses.
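The indicators the File Manager story gives a defender (requests to the connector.minimal.php launchpad, PHP files appearing under the lib/files upload directory, and mass probing for outdated versions) translate directly into a detection rule over ordinary web server access logs. The script below is an added example written for this article, not code from Seravo, Wordfence or the plugin’s authors. It assumes the Apache/nginx “combined” log format, assumes that version probing fetches the plugin’s readme.txt (an assumption, not something the article states), and runs over constructed log lines in which the connector is placed under a hypothetical lib/php/ path.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format:
# <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes> "<referer>" "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators named in the article: the connector file that serves as the RCE launchpad
# in unpatched File Manager, and the directory exploit attempts upload PHP files into.
CONNECTOR = "connector.minimal.php"
UPLOAD_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"
# Assumption: version probing fetches the plugin's readme.txt (standard plugin layout).
README = "/wp-content/plugins/wp-file-manager/readme.txt"


def classify(method, path, status):
    """Label one request, or return None when it is unrelated to File Manager."""
    base = path.split("?", 1)[0]
    if base.endswith("/" + CONNECTOR):
        # POST carries a file-manager command (upload etc.); GET merely checks the file exists.
        return "connector-command" if method == "POST" else "connector-probe"
    if base.startswith(UPLOAD_DIR) and base.lower().endswith(".php"):
        # A PHP file under the upload directory being requested: 200 means it exists and ran.
        return "uploaded-php-200" if status == 200 else "uploaded-php-miss"
    if base == README:
        return "version-probe"
    return None


def scan(lines):
    """Group File Manager-related requests by client IP."""
    findings = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the whole run
        label = classify(m["method"], m["path"], int(m["status"]))
        if label:
            findings[m["ip"]].append((label, m["path"]))
    return dict(findings)


def triage(findings):
    """Rank each IP: a PHP file under lib/files answering 200 is the strongest sign of
    compromise; a connector command or a miss on such a file is an attempt; the rest is recon."""
    severity = {}
    for ip, hits in findings.items():
        labels = {label for label, _ in hits}
        if "uploaded-php-200" in labels:
            severity[ip] = "compromise-likely"
        elif labels & {"connector-command", "uploaded-php-miss"}:
            severity[ip] = "exploit-attempt"
        else:
            severity[ip] = "recon"
    return severity


# Constructed sample log lines (addresses from RFC 5737 documentation ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [04/Sep/2020:10:15:32 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 200 1234 "-" "python-requests/2.24"',
    '203.0.113.10 - - [04/Sep/2020:10:15:33 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "python-requests/2.24"',
    '203.0.113.10 - - [04/Sep/2020:10:15:35 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/x.php HTTP/1.1" 200 87 "-" "python-requests/2.24"',
    '198.51.100.7 - - [04/Sep/2020:10:16:01 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/x.php HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '192.0.2.99 - - [04/Sep/2020:10:17:45 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [04/Sep/2020:10:18:02 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, level in sorted(triage(scan(SAMPLE_LOG)).items()):
        print(f"{ip:15} {level}")
```

On a site where File Manager is in legitimate use, administrators’ own sessions also POST to the connector, so a “connector-command” hit should be correlated with a logged-in admin session before anyone acts on it. A 200 response for a PHP file under lib/files needs no such qualification: the plugin’s upload directory should never be serving executable PHP, and an IP that first hit the connector and then fetched such a file matches the sequence the article describes.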
Page Builder by SiteOrigin
The Page Builder WordPress plugin by SiteOrigin has over a million installations. In early May, security services provider Wordfence made a disconcerting discovery: This hugely popular WordPress component is susceptible to a series of cross-site request forgery (CSRF) vulnerabilities that can be weaponized to gain elevated privileges in a site.
The plugin’s buggy features, “Live Editor” and “builder_content,” allow a malefactor to register a new administrator account or open a backdoor to access a vulnerable site at will. If a hacker is competent enough, they can take advantage of this vulnerability to execute a site takeover.
SiteOrigin rolled out a fix within a day after being alerted to these flaws. However, the issue will continue to make itself felt across the board until webmasters apply the patch — unfortunately, this usually takes quite a bit of time.
GDPR Cookie Consent
Last January, security experts found that GDPR Cookie Consent versions 1.8.2 and earlier were exposed to a severe vulnerability that allowed bad actors to pull off cross-site scripting (XSS) and privilege escalation attacks.
Duplicator
With over one million active installations and a total of 20 million downloads, Duplicator is on the list of the top 100 WordPress plugins. Its primary purpose is migrating or cloning a WordPress site from one location to another. It also lets site owners back up their content easily and securely.
In February, Wordfence security analysts pinpointed a flaw that allowed a perpetrator to download arbitrary files from sites running Duplicator version 1.3.26 and older. For instance, an attacker could piggyback on this bug to download the contents of the “wp-config.php” file that contains, among other things, the site admin credentials. Thankfully, the flaw was patched two days after the vulnerability was reported to the vendor.
Site Kit by Google
A severe flaw in Site Kit by Google, a plugin actively used on over 700,000 sites, allows an attacker to take over the associated Google Search Console and disrupt the site’s online presence. By obtaining unauthorized owner access through this weakness, a malicious actor can change sitemaps, de-list pages from Google Search results, inject harmful code, and orchestrate black hat SEO frauds.
One of the facets of this loophole is that the plugin has a crude implementation of the user role checks. To top it off, it exposes the URL leveraged by Site Kit to communicate with Google Search Console. When combined, these imperfections can fuel attacks leading to privilege escalation and the post-exploitation scenarios mentioned above.
The vulnerability was spotted by Wordfence on the 21st of April. Although the plugin author released an updated version (Site Kit 1.8.0) on May 7, it is currently installed on only 12.9 percent (about 90,000) of WordPress sites running Site Kit. Therefore, hundreds of thousands of site owners have yet to apply it to stay safe.
InfiniteWP Client
This plugin has more than 300,000 active installations for a reason: It allows site owners to manage multiple sites from their own server. A flip side of enjoying these perks is that an adversary may be able to circumvent authentication via a critical flaw unearthed by WebARX in January.
To set such an attack in motion, a hacker could exploit buggy InfiniteWP Client functions called “add_site” and “readd_site.” Because these functions did not have proper authentication controls in place, an attacker could leverage a specially crafted Base64-encoded payload to sign into a WordPress admin dashboard without having to enter a valid password. The administrator’s username would suffice to get access. An update taking care of this vulnerability arrived the day after the discovery.
What to Do About It
Plugins extend the functionality of a WordPress site, but they can be a mixed blessing. Even the most popular WordPress plugins may have imperfections that enable various types of foul play leading to site takeover and data theft.
The good news is, plugin authors quickly respond to these weaknesses and roll out patches. However, these updates are futile unless site owners do their homework and follow safe practices.
The following tips will help you prevent your WordPress site from becoming low-hanging fruit:
- Apply updates. This is the fundamental countermeasure for WordPress hacks. Make sure your site is running the latest version of the WordPress Core. Just as importantly, install updates for your plugins and themes once they are rolled out.
- Use strong passwords. Specify a password that looks as random as possible and consists of at least 10 characters. Include special characters to raise the bar for attackers who may try to brute-force your authentication details.
- Follow the principle of least privilege. Don’t give authorized users more permissions than they need. The admin or editor roles may be more than some users require. If the subscriber or contributor privileges suffice, stick with them instead.
- Limit direct access to PHP files. Hackers may send specially crafted HTTP requests (GET or POST) straight to PHP files inside your plugin and theme directories to get around authentication and input validation mechanisms. To avoid these attacks, add web server rules that return an error page for such direct requests.
- Remove inactive users. Go over the list of users enrolled in your site and remove dormant accounts.
- Disable user enumeration. To prevent attackers from listing your site’s users and trying to exploit their configuration slip-ups, add rules to the .htaccess file that block author enumeration requests.
- Add a security plugin. Make sure the plugin comes with a web application firewall (WAF) that monitors suspicious traffic and blocks targeted attacks piggybacking on known and zero-day vulnerabilities.
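The first tip, applying updates, is the one that every story on this page comes back to, and the article gives enough concrete version numbers to check against. The script below is an added example written for this article, not code from WordPress, Wordfence or any plugin author. It reads the “Plugin Name:” and “Version:” lines from each plugin’s header the way WordPress does (only the first 8 KiB of the main file), compares them with an advisory table built solely from the versions the article names (File Manager fixed in 6.9, Site Kit by Google fixed in 1.8.0, Duplicator affected through 1.3.26, GDPR Cookie Consent affected through 1.8.2), and runs offline on constructed plugin files; directory and file names in the sample are hypothetical.

```python
import os
import re

# Advisory table built only from the versions named in the article.
# FIXED_IN: first safe release; VULNERABLE_THROUGH: last affected release where
# the article only says "version X and older".
FIXED_IN = {
    "file manager": "6.9",
    "site kit by google": "1.8.0",
}
VULNERABLE_THROUGH = {
    "duplicator": "1.3.26",
    "gdpr cookie consent": "1.8.2",
}

# Matches header lines such as " * Version: 6.8" or "Plugin Name: File Manager".
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(?P<key>Plugin Name|Version):[ \t]*(?P<val>.+?)[ \t]*$", re.M
)


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} from a plugin's main file, or None.
    WordPress only inspects the first 8 KiB of the file for the header, so do the same."""
    found = {}
    for m in HEADER_RE.finditer(text[:8192]):
        found.setdefault(m["key"], m["val"].strip())
    return found if "Plugin Name" in found else None


def version_tuple(v):
    """Turn '1.3.26' into a comparable tuple, padded so that 6.9 == 6.9.0."""
    parts = [int(x) for x in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(name, version):
    key = name.lower()
    if key in FIXED_IN:
        return version_tuple(version) < version_tuple(FIXED_IN[key])
    if key in VULNERABLE_THROUGH:
        return version_tuple(version) <= version_tuple(VULNERABLE_THROUGH[key])
    return False  # not in our table: unknown, which is not the same as safe


def audit(files):
    """files: {relative path: contents}. Returns {plugin name: (version, vulnerable?)}."""
    report = {}
    for path, text in files.items():
        if not path.endswith(".php"):
            continue
        hdr = parse_plugin_header(text)
        if hdr:
            ver = hdr.get("Version", "0")
            report[hdr["Plugin Name"]] = (ver, is_vulnerable(hdr["Plugin Name"], ver))
    return report


def load_plugin_files(plugins_root):
    """Read the top-level PHP files of each plugin directory (e.g. wp-content/plugins)
    into the {relative path: contents} shape that audit() expects."""
    files = {}
    for entry in os.listdir(plugins_root):
        d = os.path.join(plugins_root, entry)
        if not os.path.isdir(d):
            continue
        for f in os.listdir(d):
            if f.endswith(".php"):
                with open(os.path.join(d, f), encoding="utf-8", errors="replace") as fh:
                    files[os.path.join(entry, f)] = fh.read(8192)
    return files


# Constructed sample plugin tree (hypothetical file names; versions chosen to exercise both branches).
SAMPLE_FILES = {
    "wp-file-manager/plugin.php": "<?php\n/**\n * Plugin Name: File Manager\n * Version: 6.8\n */\n",
    "duplicator/duplicator.php": "<?php\n/*\nPlugin Name: Duplicator\nVersion: 1.3.28\n*/\n",
    "site-kit/site-kit.php": "<?php\n/**\n * Plugin Name: Site Kit by Google\n * Version: 1.7.1\n */\n",
    "cookie-consent/cookie-consent.php": "<?php\n/*\nPlugin Name: GDPR Cookie Consent\nVersion: 1.8.3\n*/\n",
    "hello-dolly/hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
    "wp-file-manager/readme.txt": "=== File Manager ===\nStable tag: 6.8\n",
}

if __name__ == "__main__":
    for name, (ver, bad) in sorted(audit(SAMPLE_FILES).items()):
        print(f"{'VULNERABLE' if bad else 'ok        '}  {name} {ver}")
```

Pointing load_plugin_files() at a real wp-content/plugins directory and feeding the result to audit() gives the same report for a live site. The table is deliberately tiny; the point is the comparison logic, since an “X and older” advisory and a “fixed in Y” advisory need different tests, and a naive string comparison would rank 6.10 below 6.9.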