Wordpress Vulnerabilities - Part 1

Why are WordPress sites hacked?

Ever since its introduction in 2003, WordPress has been the leading content management system (CMS). 810 million websites use WordPress, which is 43% of all the websites on the internet. However, the popularity of WordPress has made it a prime target for hackers seeking to launch attacks for financial gain, data theft, or other malicious purposes.

WordPress sites are often hacked due to vulnerabilities in outdated software, plugins, and themes. Hackers exploit these vulnerabilities to gain unauthorized access and manipulate the site's content, steal sensitive information, or inject malicious codes into the site. Additionally, weak passwords, lack of two-factor authentication, and poor server security practices also contribute to the vulnerability of WordPress sites.

Exploiting Common WordPress Vulnerabilities

1. Brute force attack: Attackers use automated tools to constantly guess WordPress passwords until they find the right combination. Although not refined, this attack is highly effective against many WordPress pages that use weak passwords. The WordPress login form can be easily accessed by adding "/wp-admin" or "/wp-login.php" to the site's URL.
2. SQL Injection (SQLi) Attacks: Attackers may gain access to an organization's WordPress admin by injecting malicious SQL queries or statements into the MySQL database. Any input field on the organization's WordPress site, such as the search box or information details form, is potentially vulnerable to SQL Injection attacks.
3. Vulnerabilities in Plugins and Themes: Outdated or vulnerable plugins are a common entry point for attackers. Plugins that haven't been updated for more than six months are likely to be abandoned by their developers and are particularly vulnerable to exploits. It is recommended to avoid using such plugins altogether. Additionally, many custom components are developed without a secure-by-design approach, resulting in the discovery of numerous issues such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and others.
4. Distributed Denial of Service (DDoS) attack: This is a popular type of attack that targets small and large websites alike. While orchestrating this attack, hackers overwhelm the servers with excessive amounts of manipulated requests that eventually lead to a server crash. These attacks are well disguised and typically target sites with poor hosting security. This can cause reputational harm to an organization.
5. Cross Site Scripting (XSS): Cross-site scripting (XSS) is one of the most common vulnerabilities in WordPress. It occurs when an attacker injects malicious JavaScript code into a website. The attack aims to steal sensitive data or redirect the user to another website. Attackers exploit this vulnerability by finding a page on the target website that allows them to inject malicious code. This can be done by searching for input fields that do not have proper validation or escaping.
6. Search Engine Optimization (SEO) Spam: SEO spams are one of the most dangerous vulnerabilities because they are incredibly difficult to detect. They involve hackers infecting an organization's website with spam keywords and fake advertisements. Clicking on these elements directs users towards malicious websites. This can harm organizations because SEO crawlers might flag their web pages as shady and penalize them.
7. Malware: Due to their widespread popularity, WordPress websites are the top target for many attackers. Backdoor attacks, Malicious redirects and Drive-by downloads are some of the most common malware used while targeting WordPress websites. Hackers usually scan for pages using outdated plugins because it allows them to exploit these vulnerabilities and upload the malware.

‍

Outdated software- The core issue

Organizations that use outdated software, plugins, or themes are more vulnerable to cyberattacks. Even though updates are regularly released for popular plugins, most WordPress site operators do not install these updates owing to the fear of breaking the existing functionality.

Being one of the most common sources of security vulnerabilities, WordPress itself tried to help users address these issues with automated updates in WordPress 3.7. However, despite the availability of this feature, site maintainers often choose to disable it due to concerns about site malfunctions and plugin incompatibilities.

Plugins have nearly unrestricted access within WordPress. This allows them access to everything that WordPress can access itself. Owing to this, popular WordPress plugins like BackupBuddy have seen exploits that allow hackers to access and modify any file accessible by WordPress within the server itself. The issue tagged as CVE-2022-31474, allowed unauthorized access to files that included sensitive information like login credentials.

It is recommended to update the software, plugins, and themes on every login. Site owners can test out the new version of a plugin or theme to ensure it is compatible with their site.

Updates can be viewed directly from the WordPress admin by navigating to Dashboard → Updates.

It is also recommended to remove any unused themes or plugins. This can be done by navigating to Plugins → Installed Plugins → Inactive.

To delete inactive WordPress themes, Appearance → Themes. After selecting a theme that needs to be removed, click the Delete button in the bottom right-hand corner.

A plugin like BlogVault can also help site owners by allowing them to test a plugin on a staging site before using it on their live site.

Inherent WordPress vulnerabilities

WordPress is a widely-used open-source CMS known for its ease of allowing anyone to set up a website quickly. It is built on PHP and MySQL/MariaDB. A key feature contributing to its popularity is that it provides users with the ability to install custom plugins and themes, which enables them to tailor their websites to their specific requirements.

However, this means that anyone who knows how to code can add a plugin to the WordPress architecture. Although WordPress core is developed and maintained by a dedicated team, plugins and themes are often developed and maintained by their creators. WordPress does verify the plugins and themes available on its store, but the sheer number of them makes it difficult to guarantee complete safety.

In addition, the option to buy themes and plugins from third-party vendors raises the possibility of incorporating codes from developers who may not undergo any security checks for the themes or plugins they offer. As a result, security loopholes can be introduced into the WordPress setup with ease. According to WordPress stats compiled by Web Tribunal, there are close to 90,000 attacks per minute.

Keeping up with CVEs is another challenge as they are continuously published when new vulnerabilities are discovered. Attackers often automate their attacks based on CVEs, making it difficult to stay ahead of them. Although automated updates are considered a solution, they may not always work if plugin updates are not available.

Utilizing Open Source Intelligence(OSINT) can help WordPress site owners and administrators stay informed about the latest vulnerabilities. OSINT can help WordPress operators monitor public vulnerability databases such as the National Vulnerability Database (NVD) or the Common Vulnerabilities and Exposures (CVE) database. These databases provide information on known vulnerabilities in WordPress. To know more about OSINT click here.

WordPress plugins for security issues

These are add-ons that protect WordPress websites from various security vulnerabilities. These plugins can scan the website for malware, viruses, and other security threats, and alert the website owner or administrator of any suspicious activity.

Popular WordPress security plugins-

1. Wordfence- This is a free security plugin that offers firewall protection, malware scanning, and login security. It also provides a range of additional security features, including two-factor authentication, country blocking, and security alerts.
2. Sucuri - Sucuri Security is a comprehensive security plugin that provides website security monitoring, malware scanning, and blacklist monitoring. It also includes features such as file integrity monitoring, security notifications, and a website firewall.
3. iThemes Security plugin- iThemes Security provides features such as malware scanning, brute force protection, two-factor authentication, and database backups.

ASM for WordPress

Monitoring multiple updates for plugins is a tedious task. Utilizing automated scanning tools to identify vulnerable plugins and installations is crucial to stay ahead of potential attackers.

By automatically scanning and checking a WordPress site for popular misconfigurations and vulnerabilities, Attack Surface Intelligence can help organizations stay ahead of potential attacks and mitigate risks in real-time. This includes not only vulnerabilities within the WordPress core but also those in individual plugins that power the website.

The main issue that causes hackers to target a specific WordPress website is the lack of updates. External Attack Surface Management supervises all WordPress installations. Hence, it is an adequate solution for detecting critical WordPress risks from misconfigurations and vulnerabilities.

To know more about how to resolve WordPress Vulnerabilities click here.

‍