Wordfence threat analyst Mike Veenstra takes a look under the hood of the world’s most popular CMS

WordPress is by far the most popular content management system (CMS) in the world – it had more than 60% of the market share last year, according to web technology survey firm W3Techs.

But it’s also the most hacked, with a report from security firm Sucuri earlier this month revealing that 90% of compromised sites in 2018 were powered by the platform.

The main cause, the report found, was vulnerabilities introduced through add-ons such as plugins, themes, and extensions. WordPress currently boasts more than 54,000 plugins, offering everything from cosmetic site customization options to secure payment services.

“These extensible components are the real attack vectors, affecting tens of thousands of sites a year,” the report read. “The primary attack vector abused when infecting WordPress are plugins with known and unknown vulnerabilities.”

Mike Veenstra is a threat analyst at Wordfence, which works to uncover flaws in WordPress plugins, as well as offering a security plugin of its own.

He believes that WordPress takes security seriously, and that most breaches are caused by poor practice by users.

“Plenty of people reuse compromised passwords, and plenty of people pay a freelance developer to throw together a WordPress site and are left with no idea how to maintain it, so future plugin and theme flaws end up unpatched,” he told The Daily Swig.

“WordPress is unique in its space, in that the core application can automatically patch itself, so at least core flaws are addressed in the case of neglected sites.”

The latest version, 5.1, includes the first of several planned Site Health security features, in the form of a PHP version notice that alerts users on their dashboard if their host is running PHP version 5.5 or below.

“It’s not quite the charge forward into the present standard of 7.2 that I’d like, but it’s a big start,” says Veenstra.

All new plugins are checked by WordPress before being added to the public repository, but the same doesn’t apply to updates.

“The members of the plugin team work hard to keep the repository clean, but realistically they’re a team of volunteers, and sometimes the heavy lifting has to be done reactively instead of proactively,” says Veenstra.

“We see this in cases where a bad actor buys ownership of a plugin with a good reputation and install base, only to inject malicious code as a new update. The team is responsive when issues are reported, but doesn’t always catch problems before they arise.”

Wordfence features a web application firewall (WAF) that filters incoming requests to a site and uses various identifiers to uncover attacks.

The company also offers a malware scanning engine designed to detect malicious scripts and other indicators of compromise, while user-level security features include two-factor authentication, brute-force protection, and leaked password protection.

“Recently, we’ve had a focus on making our products and services more optimal for power users, without getting in the way of those with less strict use cases,” says Veenstra.

Veenstra says the most noteworthy trend he’s seen in the WordPress threat landscape recently was the disclosure of a novel type of vulnerability with a unique or creative kill chain enabling site takeover. The first instance was followed by the disclosure of similar flaws in other packages over the following weeks and months.

“For example, when an arbitrary file delete vulnerability was discovered in WordPress core, it was linked to an attack chain where a site’s wp-config.php file would be deleted, allowing an attacker to reinstall WordPress to a remote database with themselves as administrator, allowing other backdoors to be distributed to the victim site’s filesystem,” he says.

“Following that disclosure, we started seeing similar disclosures in plugins which were subsequently exploited by malicious actors.”
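As an added defender-side example (not from the article or from Wordfence), the following Python check looks for the symptoms of the kill chain Veenstra describes: a missing wp-config.php, a wp-config.php whose hash no longer matches a stored baseline, or a DB_HOST that no longer points at the database host the site is known to use. The baseline hash and the set of allowed hosts are assumptions an operator would record in advance; the sample configs are constructed, and 203.0.113.7 is a documentation address.

```python
import hashlib
import os
import re
import tempfile

# Matches define( 'DB_HOST', '...' ) as it appears in wp-config.php.
DB_HOST_RE = re.compile(r"""define\(\s*['"]DB_HOST['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

def check_wp_config(wp_root, expected_sha256, allowed_db_hosts):
    """Return findings describing how wp-config.php deviates from the baseline.
    An empty list means the file exists, is unchanged, and still points at an
    expected database host."""
    path = os.path.join(wp_root, "wp-config.php")
    if not os.path.isfile(path):
        # Deleting wp-config.php is step one of the chain above: without it,
        # WordPress offers to run the installer again.
        return ["wp-config.php is missing: WordPress will offer the installer"]
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256:
        findings.append("wp-config.php hash changed: " + digest)
    match = DB_HOST_RE.search(data.decode("utf-8", errors="replace"))
    if match is None:
        findings.append("no DB_HOST definition found in wp-config.php")
    elif match.group(1) not in allowed_db_hosts:
        # A reinstall pointed at a remote database shows up here.
        findings.append("DB_HOST points at an unexpected host: " + match.group(1))
    return findings

# Constructed sample configs: the known-good file, and the same file after an
# installer run against a remote database.
GOOD_CONFIG = "<?php\ndefine( 'DB_NAME', 'wp' );\ndefine( 'DB_HOST', 'localhost' );\n"
TAMPERED_CONFIG = GOOD_CONFIG.replace("localhost", "203.0.113.7")

def demo():
    """Run the check against the good config, then the tampered one."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "wp-config.php")
        with open(cfg, "wb") as fh:
            fh.write(GOOD_CONFIG.encode("utf-8"))
        baseline = hashlib.sha256(GOOD_CONFIG.encode("utf-8")).hexdigest()
        clean = check_wp_config(root, baseline, {"localhost"})
        with open(cfg, "wb") as fh:
            fh.write(TAMPERED_CONFIG.encode("utf-8"))
        tampered = check_wp_config(root, baseline, {"localhost"})
    return clean, tampered
```

Run `demo()` from a scheduled job against the real document root with a baseline hash taken right after the last legitimate change, and alert on any non-empty result.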

Security conscious

So what simple measures would Veenstra advise web admins to implement to improve the protection of their WordPress sites?

First, he says, they should use a password manager, enforce two-factor authentication wherever possible, and make sure none of their passwords have featured in a public data breach. Site admins should also install security updates as soon as they become available, he says.
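As an added example (not from the article or from Wordfence), here is how the "not in a public data breach" check can be done without sending the password anywhere: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every known suffix under that prefix with its breach count, and the comparison happens locally. The HTTP call is replaced by an injected function and the API response is constructed, so the code runs offline; only the suffix for the word "password" is a real SHA-1 value.

```python
import hashlib

def pwned_range_query(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.
    Only the 5-character prefix leaves the machine; the 35-character suffix
    is compared locally against the hashes the range API returns."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_response):
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count
    for our suffix, or 0 if the password is not in the set."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def is_breached(password, fetch_range):
    """fetch_range(prefix) -> response text; injected so this runs offline.
    In production it would GET https://api.pwnedpasswords.com/range/<prefix>."""
    prefix, suffix = pwned_range_query(password)
    return breach_count(suffix, fetch_range(prefix)) > 0

# Constructed stand-in for the API's reply to prefix 5BAA6. The middle line is
# the real suffix for "password"; the other suffixes and all counts are made up.
SAMPLE_RANGE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2A5C3D9F1F7BFA7C59AF1D16D6DB9F50C2A:1
"""

def offline_fetch(prefix):
    """Stand-in for the HTTP call: only the 5BAA6 range is 'known' here."""
    return SAMPLE_RANGE if prefix == "5BAA6" else ""
```

Wire `is_breached` into the password-change path with a real fetch function, and reject or warn on any password that returns True.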

“Old vulnerabilities still see active use simply because site owners fail to install a patch for a years-old security issue,” he says.

“Also, remain aware of the development cycle of plugins and themes you’ve installed – if a plugin’s developer has gone too long without releasing an update, it’s possible the plugin has been abandoned and will need to be replaced.”

Finally, as you’d expect, Veenstra recommends implementing a security solution that provides timely notifications.

“Early awareness of an attack is of major benefit to responders and can help mitigate the negative impact of a successful attack in the event one occurs,” he says.

Veenstra believes that while WordPress novices are often naive about issues such as logging practices, backup retention, and intrusion detection, more experienced web admins are increasingly becoming more savvy about the security of their WordPress sites.

“Newcomers aside, there are a growing number of experienced WordPress users who are becoming much more involved in the security of their sites,” he says.

“These users are on the lookout for security advisories, they add layered security to their infrastructure, and they understand the opportunity cost of this effort is far less than that of a security incident.”
