Stay informed about the vulnerabilities to which your WordPress site may be exposed, as well as recommendations for addressing them. This guest post created by Advertising Agencies Dubai aims to explain how to protect yourself against security problems on your website.
Never assume that the most known, most common, most used extensions are free of vulnerabilities, or the opposite. However, the more an extension evolves, the more it tends to “create” vulnerabilities, and to block them, and the less an extension evolves, the more it tends to be discovered as a vulnerable extension.
Several factors have been questioned for their involvement in compromising security, including the deployment, configuration and maintenance undertaken by webmasters or the host. But a new study points to plugins as the main source of WordPress vulnerabilities.
In fact, a CMS that is constantly updated is not a problem. It is when the installation is highly customized that it becomes difficult to maintain security, and at the same time, the risk of being hacked increases proportionally.
For WordPress, the risk is even higher since the CMS propels nearly 30% of the web’s sites, a percentage of size that makes there are a large number of potential victims, an important factor that attracts hackers of all kinds.In 2018, Imperva registered 542 vulnerabilities associated with WordPress, three times more than in 2017. Joomla and Drupal combined have been affected by less than 150 bugs. A lower number of bugs does not really reflect the security level of a platform, it does not mean that it is more secure or not, the proof is the important vulnerabilities that allowed attackers to make devastating attacks against Drupal sites, and we are talking about Drupalgeddon, Drupalgeddon 2 or Kitty.
As always for WordPress, the plugins are challenged. Among the vulnerabilities identified by Imperva, only 2% are related to WordPress code. The rest can be found in the tens of thousands of plugins listed on the official CMS website.
The open source nature of WordPress and the desire to differentiate its site from the lot, pushes CMS users to use plugins in large numbers. However, there are no strict controls on these plugins, and sometimes they are not updated for several months or even years. Therefore, they make it easy for hackers to compromise the security of websites.
Imperva’s study also found an increase in the number of vulnerabilities affecting web applications. According to the data presented, 58% of web apps are affected, and in 38% of cases, there is no solution or patch.
This finding is consistent with another Kaspersky study that found that 73% of security breaches in corporate networks are due to web applications.
Among the most widely used attacks in 2019 are injection attacks allowing remote code execution, SQL injections and Cross-site Scripting (XSS).
Let’s study some WordPress plugins and their vulnerabilities in 2020
WooCommerce is the leader in e-commerce plugins for WordPress. Launched in 2011, it was quickly adopted by communities around the world.
If we look at the changelog, and look for “security”, we find 18 occurrences. This means that there are at least 18 security fixes, but sometimes more because not all fixes are noted as “security”.
For example version 2.1.8 contains a patch following a flaw found in WooCommerce 2.1.6 by SecuPress, but no “security”!
The most downloaded American security extension, Wordfence, is probably one of the oldest since it was launched in April 2012, and it too is not infallible. Yes, even if it’s a security extension, it’s still code created by humans and you know what they say? “Error is human”!
The 5.2.x versions of this extension have suffered a lot as we can see on WPVulnDB. Is that a good thing or a bad thing? We would say it again but yes, it’s a good thing because now that it’s discovered and patched, it’s even more secure.
When a researcher finds a flaw, others follow him to find one too and this makes the product even more secure. SecuPress has also helped Wordfence to be more secure.
Another security plugin, almost 1M of active installations, iThemes Security is based on a purchased “better-wp-security” extension. Also there is no complete changelog available and for the pro version no changelog available if you are not a member. It’s a shame to hide this information!
A security extension! Also quite well known, although less so than the other 2 mentioned above, AIOWPSF (ouch) has experienced setbacks with no less than 13 discoveries on WPVulnDB. SecuPress has just discovered a SQL Injection flaw.
Not an extension, nor a theme, but a framework, Redux, to help create these 2. Although less visible than plugins and themes, vulnerable frameworks reach many more users because they are part of these products, which is why their security is so important.
WPML is a classic of multilingual extensions, probably the first such a complete one. It has evolved with the times. Like any “massive” extension, it contains security fixings.
Unfortunately you need a new customer account to get a piece of the changelog (only the last 2 years).
Our discovery of the XSS flaw in WPML has therefore disappeared, or not! And once again we can count on WPVulnDB.
The cache: W3 Total Cache, WP Super Cache & WP Rocket
Again, dinosaurs from the extensions, with the cache this time. They are the pioneers of WordPress caching, even if they are now overtaken by WP Rocket for a long time (but WP Rocket is starting to get overweight!).
W3TC in 2016 had not been updated for more than a year. A flaw was then discovered. Don’t think it’s growing like a mushroom, just because there’s no update doesn’t mean the vulnerabilities are growing, even if it gives the impression of it.
It’s especially because we have more people starting to worry about whether it’s safe to use it or not. When there are updates made, it is considered that the author has done the job well. See? See? The border is thin.
In short, W3TC has been updated and SecuPress has found 4 vulnerabilities in it, the goal was to make sure that the discovered flaw was not the only one to fix, job done. And WPVulnDB finds no less than 17 fix!
For WPSC, 9 are in WPVulnDB. And WP Rocket, only one.
Jetpack, this ever-growing expansion has also had its share of flaws. The more things an extension does, or the more different developers there are, the more likely it is that there will be vulnerabilities (bugs too, and weight too…) See WPVulnDB. Jetpack has no competitor; no one wants to make such an extension, no one.
The most popular SEO extension in years, sadly known also for its scheduled latency updates has also experienced days without. WPVulnDB finds a lot of them. WP SEO has always had competitors like AIOSP, All in One SEO Pack who also experienced the same bad days, see WPVulnDB.
…even SecuPress! In fact, it is the module “Move Login” or “Moving the login page” that was missing. It is by performing an audit on WPS Hide My Login requested by its author, that I also tested one of my 4 discoveries on SecuPress and one of them was working!
In fact, the flaw works everywhere on this kind of plugin that hides the login page, we advise you not to use another plugin than these 2 to perform this task, especially if the extension you are using is not updated for too long.
But then, who is actually safe from vulnerability? No one. No extensions, no developments that are monitored, supported, contributed.
If you develop, try to hack, train yourself in Web security. If you are not developing, have it checked and confirmed that your choices are good and that the PHP scripts included in your sites are clean.