24 Nov Stop the (word)press vulnerabilities!
We wanted to write an article which is aimed at those of you that are just like us and either own or are considering owning a WordPress powered website. You may even be using WordPress purely for your website Content Management System (CMS).
We have an OUTSTANDING graphic designer / web developer that we’ve been working closely with over the last year whilst we’ve been mobilising Mollis, who designed and built our site for us using the WordPress platform, and an array of WP plugins (feel free to drop us a line at [email protected] for the recommendation). However, it was only when we started testing and refining our own product offering that we began to notice a stack of vulnerabilities that we had inherited from the WordPress template that our site was built on.
Now, based on current findings from wpvulndb.com, of the 2,837 known WordPress security vulnerabilities in their database:
- 75% are from WordPress plugins
- 14% are from core WordPress
- 11% are from WordPress themes
WordPress runs on open source code and has a specialist team that are dedicated to identifying and fixing security issues that arise in the core code of the platform. As additional vulnerabilities come to light, fixes are quickly implemented and pushed out to patch any of the issues that have been found by WordPress, which is why it’s incredibly important to keep your website and plugins patched and up to date.
Here are 5 of the most common WordPress security issues that you should be aware of (Our very own site was wide open to two of these when we scanned the attack surface of our domain!)
Cross-Site Scripting (XSS)
85% of all security vulnerabilities on the entire internet are called Cross-Site Scripting or XSS attacks. Cross-Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins.
Your WordPress website uses a MySQL database to function. SQL injections occur when an attacker gains access to your WordPress database and subsequently all of your site data.
With a SQL injection, an attacker may be able to create a new admin-level user account which can then be used to login and get full access to your WordPress website. SQL injections can also be used to insert new data into your database, including links to malicious or spam websites.
File Inclusion Exploits
After brute-force attacks, vulnerabilities in your WordPress website’s PHP code are the next most common security issue that can be exploited by attackers. (PHP is the code that runs your WordPress website, along with your plugins and themes.)
File inclusion exploits occur when vulnerable code is used to render remote files that allow attackers to gain access to your website. File inclusion exploits are one of the most common ways an attacker can gain access to your WordPress website’s wp-config.php file – one of the most important files in your WordPress installation.
Malware (malicious software) is code that is used to gain unauthorised access to a website to gather sensitive data. A hacked WordPress site usually means malware has been injected into your website’s files, so if you suspect malware on your site, take a look at recently changed files.
Although there are thousands of types of malware infections on the web, WordPress is not vulnerable to all of them. The four most common WordPress malware infections are:
- Drive-by downloads
- Pharma hacks
- Malicious redirects
Each of these types of malware can be easily identified and scrubbed clean either by manually removing the malicious file, installing a fresh version of WordPress or by restoring your WordPress site from backup (provided you were backing up the website in the first place of course)
Good old Brute Force
Brute force attacks refer to the trial and error method of entering multiple username and password combinations over and over again until a successful combination is discovered. The brute force attack method exploits the simplest way to get access to your website – your WordPress login page.
WordPress doesn’t limit login attempts by default, so bots can attack your WordPress login page using the brute force attack method. Even if a brute force attack is unsuccessful, it can still wreak havoc on your server, as login attempts can overload your system and seriously impact the performance of your site. While you’re under a brute force attack, some hosts may suspend your account, especially if you’re on a shared hosting plan, given the overload on the system.
Note – Tony made the very pertinent point that this article gives WordPress a bit of a bashing. I’ve been particular about WordPress when writing this piece as our experience relates directly to WordPress, when in actual fact, security issues can be prevalent across most of the well-known website templates / CMS’s.
We’ve implemented a number of industry best practice guidelines and safeguards and an innovative product to protect our very own website from malicious attack. Get in touch with us at [email protected] for a complimentary technical security posture review of your chosen domain and suggested path to remediate.