The WordPress content management system (CMS) is popular with communities, e-commerce stores, educational websites, and blogs because of its flexibility and support to a variety of use-cases. The free, open-source CMS is also supported by advanced plugins that enable users to customize the look and feel of their websites.
Besides this, WordPress is supported by a global community of volunteers who develop plugins and themes, making it easy to learn, adapt and scale quickly. While it is convenient and reliable for most website projects, WordPress requires strict observation of best practices to keep sites secure. In addition, since WordPress runs on open-source code, thousands of contributors take time to find, identify and fix WordPress security issues.
However, most often, tackling inherent challenges of a WordPress security issue a deep analysis, adoption of best practices, and embracing the right tools to mitigate risks.
This article delves into commonly found security issues with WordPress and the best methods to avoid them.
WordPress is widely popular, powering approximately 40% of global websites as of 2021. Even though the platform is built to be secure, security vulnerabilities are commonly found and arise due to the actions of users or malpractices of site administrators. Since vulnerabilities typically exist in themes and plugins, securing a WordPress website often goes beyond securing the core WordPress source code.
Each WordPress site has a default login page (http://www.example.com/wp-admin) for administrator accounts. Attackers exploit this by trying to gain administrator privileges for the website. Considered one of the most common forms of WordPress attack, brute force attacks are initiated by hackers trying to guess user credentials using sophisticated techniques and automation. Since they do not rely on existing vulnerabilities, brute force attacks present one of the simplest means to obtain user accounts and passwords. Some administrators use weak passwords that make it easy to program bots to help them obtain the user role.
In a successful brute force WordPress attack, attackers can steal user data, install malware or erase a crucial application’s service. Even if they don’t successfully log in to the account, hackers carrying out brute force attacks can initiate denial-of-service by attempting thousands of simultaneous logins. These attacks are also difficult to identify since the bots use different locations and IP addresses for login attempts, which allows them to persist without detection. While it is a trial and error method, a brute force attack is widely popular and was involved in over 80% of the attacks on WordPress websites in 2018.
In an XSS attack, hackers use existing WordPress vulnerabilities to inject malicious code into the website. These attacks mainly aim to steal another user’s identification information by hijacking their session and then executing unwanted scripts on the client-side. In a typical XSS attack, a hacker utilizes a user input form to insert the malicious URL/string into the website’s database. When a victim requests a page from the site, the web server’s response includes the malicious script, which is sent to the victim’s browser. When the browser executes this script, it sends the user’s session cookies to the hacker’s machine.
WordPress XSS vulnerabilities remain a critical challenge for web security teams since they are exploited differently, making them hard to identify and mitigate on time. For this purpose, there are various tools that you can use to detect XSS attacks and take action against them.
Various types of XSS vulnerabilities include:
Stored cross-site scripting, also known as Persistent XSS, is the most alarming type of XSS that relies on malicious scripts to be permanently stored on the website’s database. This implies that whenever any user requests a page of the site, the malicious payload is sent to the user’s browser as part of the HTML response.
Reflected cross-site scripting, also known as non-persistent XSS, involves a malicious script to be sent along with the user request. A successful attack typically requires the attacker to send the malicious script to each user separately. The script is then ‘reflected’ back such that the web server’s HTTP response includes the malicious payload sent as part of the request. In this case, attackers use ambush social engineering to deceive users into sending the malicious script to the webserver.
In DOM-based XSS attacks, hackers inject malicious payloads if the website’s client-side scripts can write data provided by a Document Object Model (DOM). A common cause of this vulnerability is when developers do not include additional security measures to handle data correctly. Once injected, the malicious payload is then executed when the webserver reads data back from the DOM.
WordPress file inclusion exploits affect websites that utilize a scripting runtime, allowing hackers to upload files to the WordPress server, submit input into files or modify file permissions. To do so, attackers use a configuration file to enumerate the system, provide download functionality, and allow access for undefined user roles. In the absence of sufficient user input validation, attackers also use dynamic file inclusion capabilities to include a file on the server.
WordPress file inclusion exploits are categorized as:
Local file inclusion (LFI) – These vulnerabilities enable hackers to include files on the server using their web browser. LFI exploits are easily performed on websites that accept files without properly sanitizing user input. An attacker can modify the input so that they inject special characters into the path and access other files hosted on the webserver. In most WordPress applications, successful LFI exploits occur due to insufficient validation of the Ajax path parameter when requesting the Ajax shortcode pattern.php script.
Remote file inclusion (RFI) – Attackers leverage RFI vulnerabilities to include remote files on the webserver. These attacks are less common and are carried out on websites that dynamically include external scripts and files. If the application receives an arbitrary file through an unsanitized path, it creates an attack surface, leading to information theft, XSS attacks, and remote code execution attacks.
With the popularity of WordPress, there is a plethora of malicious software that disrupts how users interact with the website. Common variations of malware for WordPress websites include:
Viruses – Software that replicates by injecting malicious code into other applications. Attackers use viruses to affect the website’s core functionality or add spam content that degrades the user experience.
Trojan horse – Hackers use Trojan horses to perform a wide range of malicious actions for a WordPress website, including corrupting the wp-config.php file, FTP files and exploiting the system’s resources.
Ransomware – Some attacks, like the WannaCry attack, make WordPress websites inaccessible until the hackers are paid to remove the malicious software. This can have catastrophic effects, including loss of revenue, tarnished reputation, and penalties from compliance authorities.
Other malware used to compromise WordPress websites includes cryptocurrency mining bots, adware, and spyware.
Attackers could use malicious SQL statements to compromise the database of WordPress websites, orchestrating SQL injection attacks. They inject SQL codes in stealth mode via the data accepted and transmitted from the website. This commonly involves using an input field to supply masked queries that contain special characters. These characters are used by the SQL interpreter in the execution of external commands. Common entry points for WordPress SQLi attacks include feedback fields, search bars, shopping carts, and logging-in forms, signing up, or contact submission.
The WordPress CMS uses SQL-based databases, making SQLi attacks a standard mode of exploitation. Since all the forums, blogs, and websites have input interfaces that accept user data; most WordPress sites have at least one known SQL injection point. In addition, many available SQLi vulnerability scanning tools are online, making it easy for an attacker to get started on the exploit. In successful SQLi attacks, the hackers gain complete control of the database, thereby leading to deeper penetration of the system and the exposure of sensitive data.
Being an open-source platform, almost anyone can contribute to the core WordPress software. While this openness offers flexibility, it also raises concerns regarding the security of the platform’s overall construct. Identifying and fixing vulnerabilities before they make it to production helps security teams avoid the expenses associated with recovering from a breach. Businesses also avoid the hefty penalties and fines that compliance authorities charge for exposing private information.
Addressing WordPress security issues also helps protect the firm’s reputation since safeguarding customer data is known to maintain a competitive edge. Furthermore, with every additional security measure in place, administrators can operate websites without compromising business relationships. Along with safeguarding access credentials, addressing WordPress vulnerabilities mostly requires administering robust practices to prevent all platform layers, including the core WordPress functionality, external themes and plugins, and the underlying infrastructure.
Various factors make WordPress websites susceptible to attack. These include:
Using outdated versions increases the chance of successful exploits since version updates include fixes for known vulnerabilities in the code. WordPress rolls out new versions every three months, so it is important to check for the stable version update list to ensure the website’s components are up to date.
The WordPress admin login is one of the most highly targeted threat vectors since it grants the highest possible privileges. Some WordPress users set up the admin portal with common passwords that are easy to guess and are naturally more susceptible to exploits. In cases where the admin user ID is admin, it is easy to brute-force login into the system since bots go through fewer login attempts. A compromised admin account makes it easy to orchestrate a data breach on the website and is the most commonly known first level of penetration for full-blown attacks.
WordPress security plugins help administrators manage the complex aspects of WordPress security and streamline security measures, compliance, and audit. Some popular security plugins for WordPress include:
iThemes is one of the most popular security plugins for WordPress websites as it offers multiple levels of security enhancements for robust threat management. The iThemes platform includes advanced controls such as multi-factor authentication, passwordless logins, and auto administering strong password requirements to reduce the likelihood of a hack through a privileged account. The platform also helps prevent automated brute-force logins by tracking login activity, then blocking the login screen in case of suspicious login attempts. The iThemes plugin also logs important security events for the WordPress website, highlighting unwanted changes to indicate a breach.
Sucuri is a cloud-based website security platform that helps protect WordPress sites from blacklists, malware, DDoS, and common attack vectors. With Sucuri, all website traffic is routed through the Sucuri cloud proxy Web Application Firewall (WAF) before going to the WordPress web server. The firewall blocks all illegitimate requests and only lets in authenticated users. While Sucuri offers a free service, it also offers a pro version that offers advanced features such as:
- Real-time backup for all website changes
- One-click recovery
- Event and activity log
- Spam protection of all user input interfaces
- Email alerts for site unavailability
Wordfence is an open-source WordPress security plugin in two flavors; the basic version that offers basic protection and an enterprise version with advanced security controls. The platform has an intuitive dashboard that makes it easy to visualize and navigate different aspects of security. In addition, Wordfence offers comprehensive WordPress security management and includes functions such as:
- WordPress Firewall – a WAF built to detect and block malicious traffic
- WordPress Security Scanner – investigates the core code, themes, and plugins to identify any security issues
- Login Security – enables different authentication mechanisms while blocking admin logins through compromised passwords
- Security Tools – real-time traffic monitoring, IP and country blocking
WordPress security scanners are tools that help comprehensively evaluate the hosting environment, the web server, WordPress plugins, and themes to analyze any point of compromise. While standard security plugins offer innovative mechanisms to alert and deter attacks in progress, a security scanner is mainly used from a proactive standpoint to prevent future attacks by identifying system-level vulnerabilities.
Some standard functions of a WordPress security scanner include:
- Use scripts to detect WordPress plugin versions, users, and themes
- Utilize theme and plugin enumeration to map the attack surface
- Fingerprint theme and plugin versions to pinpoint known vulnerabilities
- Enumerate website usernames
Woocommerce is a WordPress plugin used to develop e-commerce sites. Given the sensitive nature of e-commerce transactions, security issues cannot be ignored in such sites. While Woocommerce offers off-the-shelf security and is considered a security platform in itself, external threats such as brute force logins and hacking attacks are not uncommon. Any Woocommerce store uses a typical login screen that attackers tend to access through brute-force logins. Though the platform is supported by a proactive development community that constantly adds enhancements and security patches, the chancing threat landscape requires a focused approach to securing Woocommerce sites. Some best practices to secure Woocommerce sites include:
- Choosing a secure web host
- Leverage 2FA for admin logins
- Embracing a robust firewall mechanism
- Using the right security plugins
- Enforce policies for strong usernames and password
- Regular audit and full-stack scanning
- Regular backups
Due to its consistent popularity, the WordPress CMS remains a common target for attackers, with over 74% of website attacks being performed on WordPress. Hackers exploit vulnerabilities across all layers and components of a stack, including the core platform, plugins, or themes. According to a recent report, about 75% of WordPress attacks were through third-party plugins, 14% were on the core functionality, and 11% of attacks were carried out on outdated themes.
Some examples of successful WordPress attacks from the recent past include:
Attack on the “File Manager” WordPress plugin
The 1 million site breach of 2020
Firewall plugins (WAFs) help to filter all incoming traffic to your website. The most appropriate plugin differs for every use case; however, the right firewall platform must include a few basic features, such as:
- Intrusion detection
- Brute force prevention
- Blacklist removal services
- Malware detection and elimination
- DNS-level firewall
This article has already been published on https://crashtest-security.com/wordpress-security-vulnerabilities/ and has been authorized by Crashtest Security for a republish.