In a recent article we looked at the devastating impact that the exploitation of websites can have on a business.
WordPress is the most popular CMS in the world and is used by nearly 75 million websites.
However, many WordPress sites are running with vulnerabilities and are just waiting for a chance to be exploited.
The good news is that content management systems, like WordPress, can be secured to reduce the success of an exploit.
In this series of posts, we will discuss common exploits to WordPress and how we minimize the risks to our clients’ websites. Anyone running or managing a WordPress site could utilize our techniques to manage their site.
Common WordPress Pitfalls/Exploits
Unless you have an agency or individual managing the maintenance of your website (like us!), you’ll need to know what to look out for when it comes to patching.
What are the common pitfalls/exploits to be aware of?
- Out-of-date plugins
- Vulnerable plugins
- Input validation
- Abuse of XML-RPC
- Security awareness among users
- Unsupported versions of PHP
Let’s discuss each in a little more detail.
1. Out of date plugins
Out-of-date plugins are the most common reason WordPress sites are hacked, whether because a plugin is poorly maintained or because a web administrator missed an important update. Do you know whether all of your plugins and themes are up to date, including the inactive ones? It may be hard to believe, but inactive plugins can still make your site vulnerable. Many inactive plugins, particularly licensed plugins, also stop checking for updates. So if you have a plugin that you don’t intend to use soon, you should consider uninstalling it.
An example of a popular plugin that releases updates frequently to add new features is Ninja Forms. Ninja Forms is a form-building plugin that is actively maintained and shows an average of 2-3 update releases a month. WordPress.org reports that 70% of active installations are running a version that is under active support (v3.4). That means 30% of active installations are running a release prior to January 2019, which no longer receives updates or feature enhancements.
Why are there so many out of date plugins in the wild?
Since the initial release of v3.3, Ninja Forms has resolved 9 disclosures listed in the WP Vulnerability Database. Many of those entries relate to cross-site scripting (XSS), which appears in the OWASP Top Ten Web Application Security Risks. Three of the entries were classed as injection, which could allow the execution of commands or access to data.
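To make the inactive-plugin problem visible, here is a small must-use plugin that lists every inactive plugin in the dashboard and notes whether WordPress has a pending update for it. This is an added example, not code from the post or from Web Teks; the plugin name and file path are assumptions.

```php
<?php
/**
 * Plugin Name: Inactive Plugin Audit (constructed example)
 * Lists inactive plugins in the dashboard and flags those with a pending update,
 * so stale plugins get removed instead of sitting unpatched on disk.
 * Install as wp-content/mu-plugins/inactive-plugin-audit.php (must-use plugin).
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()
    $updates = get_site_transient( 'update_plugins' );
    $pending = isset( $updates->response ) ? $updates->response : array();
    $rows    = array();
    foreach ( get_plugins() as $file => $plugin ) {
        if ( is_plugin_active( $file ) ) {
            continue;
        }
        $note   = isset( $pending[ $file ] )
            ? 'update to ' . $pending[ $file ]->new_version . ' is pending'
            : 'no update reported (the plugin may no longer be checking)';
        $rows[] = sprintf( '%s %s: %s', $plugin['Name'], $plugin['Version'], $note );
    }
    if ( empty( $rows ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Inactive plugins still installed:</strong></p><ul>';
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row ) . '</li>';
    }
    echo '</ul><p>Uninstall any plugin you do not intend to reactivate.</p></div>';
} );
```

Plugins whose update checks come from a vendor licence server may show "no update reported" even when a fix exists, which is exactly why removing them is safer than leaving them inactive.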
2. Vulnerable Plugins: Vulnerability Report! Vulnerability Report!!
When plugin developers are blessed with a vulnerability report for their plugin, it’s in their best interest to review it and provide a security release as soon as possible. Great! So now we have a new plugin version that should fix the vulnerability, but not everyone has time to check for updates and ensure compatibility with the site’s code base.
If you have a dedicated team to check and deploy changes within a reasonable amount of time and without downtime, that is great! At Web Teks, we created a patch automation process to push updates to sites and perform integration tests to verify minimal impact on our clients’ sites. To find out more about our process, check out “Security Patching Automation”.
3. Input Validation: It’s just a web form, how bad can it be?
One of the first web programming assignments I had was to build out a page form. How tough can that be, taking free-form text from users and storing that data for analysis?
We can all agree that the issue here is not little Bobby Tables!! So how do you create a web form solution that is easy to use, takes your input safely, and stores the data successfully?
We believe that web forms will always be a necessity, which is evident from the fact that the top plugins are form builders. How WordPress plugins interact with the site is very important for its security. New plugins make use of the REST API to interface with the site and generate new forms.
Back in 2017, Equifax suffered a major data breach that revealed sensitive information on 148 million Americans, including names, Social Security numbers, birth dates, addresses, and driver’s license numbers. The attackers used the form on the online dispute portal to breach the Equifax database.
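Since the post says new form plugins talk to the site through the REST API, here is what taking form input safely looks like on that path: a REST route whose arguments are validated and sanitized by WordPress before the handler runs, with the insert bound as parameters. This is an added example, not code from the post or from any form plugin; the namespace, route, table name and function name are assumptions.

```php
<?php
/**
 * Plugin Name: Validated Contact Endpoint (constructed example)
 * Registers POST /wp-json/example/v1/contact. Every field is validated and
 * sanitized by the REST API before the callback runs, and the insert is bound
 * with format specifiers, so untrusted text is never interpolated into SQL.
 * Assumes a table {$wpdb->prefix}example_contacts(name, email, message) exists.
 */
add_action( 'rest_api_init', function () {
    $text = function ( int $max ) {
        // Validation runs on the raw value; rejects non-strings and oversized input.
        return function ( $value ) use ( $max ) {
            return is_string( $value ) && strlen( $value ) <= $max;
        };
    };
    register_rest_route( 'example/v1', '/contact', array(
        'methods'             => 'POST',
        'callback'            => 'example_store_contact',
        'permission_callback' => '__return_true', // public form: validation is the only gate
        'args'                => array(
            'name'    => array(
                'required'          => true,
                'validate_callback' => $text( 100 ),
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'email'   => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_string( $value ) && false !== is_email( $value ); },
                'sanitize_callback' => 'sanitize_email',
            ),
            'message' => array(
                'required'          => true,
                'validate_callback' => $text( 2000 ),
                'sanitize_callback' => 'sanitize_textarea_field',
            ),
        ),
    ) );
} );
function example_store_contact( WP_REST_Request $request ) {
    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'example_contacts',
        array( 'name' => $request['name'], 'email' => $request['email'], 'message' => $request['message'] ),
        array( '%s', '%s', '%s' ) // bind as strings; no manual quoting or concatenation
    );
    if ( false === $ok ) {
        return new WP_Error( 'db_error', 'Could not store message', array( 'status' => 500 ) );
    }
    return new WP_REST_Response( array( 'stored' => true ), 201 );
}
```

A request that fails any validate_callback is rejected with a 400 before example_store_contact is called, so the handler only ever sees sanitized strings of bounded length.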
4. REST API instead of XML-RPC for the Win!!
Even with the most up-to-date plugins, other factors may still make your site vulnerable.
One example is the XML-RPC service, which enables programmatic access to WordPress so that plugins and remote clients can create and consume content.
Consider XML-RPC being enabled and accessible from the internet. Starting with WordPress 3.5, XML-RPC is enabled by default. The WordPress mobile applications likely interacted with sites using this XML-RPC service. However, the service can also be abused to send many requests within a single call to overload your web site, or to attempt to log in to your site.
Most new plugins use the REST API instead of XML-RPC. If you still have plugins that depend on XML-RPC, you may want to investigate further, and quickly.
For our Web Teks clients, our preferred hosting partner, Pantheon, makes blocking XML-RPC possible through a CDN configuration that can be toggled on or off. If your provider does not offer a way to block this access, you can create a plugin to restrict it.
If you can’t disable the service, you should at least be able to detect and respond to abuse. Review the access logs from your service provider regularly and look for anomalies in POST requests. If you see a constant barrage of requests to wp-login or the XML-RPC endpoint, it’s possible a brute-force attack is being executed. This leads us to users, who are another way into your service.
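For sites whose host cannot block XML-RPC, here is the "create a plugin to restrict access" option from the paragraph above as a must-use plugin. It is an added example, not code from the post or from Pantheon; the plugin name and path are assumptions. Note that the xmlrpc_enabled filter alone only blocks authenticated methods, so the pingback and multicall methods are removed separately and direct requests to xmlrpc.php are refused outright.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (constructed example)
 * Turns off the XML-RPC service, removes the pingback and multicall methods,
 * and answers direct hits on xmlrpc.php with 403 before the request is parsed.
 * Install as wp-content/mu-plugins/disable-xmlrpc.php (must-use plugin).
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
// Authenticated XML-RPC methods now return a fault instead of checking credentials.
add_filter( 'xmlrpc_enabled', '__return_false' );

// These methods need no login and stay callable even with XML-RPC "disabled":
// pingback.ping can make the site fetch arbitrary URLs, and system.multicall
// bundles many calls into one HTTP request.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// Stop advertising the endpoint in responses.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so a must-use plugin
// can refuse the request at init, before any method is dispatched.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
} );
```

Confirm the result by sending a request to /xmlrpc.php from outside and checking that it gets a 403 rather than the usual "XML-RPC server accepts POST requests only" message.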
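To show what "look for anomalies in POST requests" means in practice, here is a small log scanner that reads access-log lines in the common combined format and reports any source address that POSTs to wp-login.php or xmlrpc.php more than a threshold number of times within a short window. This is an added example, not the post's or Web Teks' tooling; the threshold, the window and the sample log lines are constructed for the example.

```php
<?php
// Scans access-log lines (Apache/Nginx combined format) for source addresses that
// POST to wp-login.php or xmlrpc.php THRESHOLD times within WINDOW_SECONDS.
const WINDOW_SECONDS = 300;
const THRESHOLD      = 20;
function parse_line( string $line ): ?array {
    // IP ident user [time] "METHOD path proto" status ...
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( false === $ts ) { return null; }
    return array( 'ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3],
                  'path' => (string) parse_url( $m[4], PHP_URL_PATH ) );
}
function find_bruteforce( iterable $lines ): array {
    $hits = array(); // ip => timestamps of login/XML-RPC POSTs
    foreach ( $lines as $line ) {
        $e = parse_line( $line );
        if ( null === $e || 'POST' !== $e['method'] ) { continue; }
        if ( preg_match( '#/(wp-login|xmlrpc)\.php$#', $e['path'] ) ) {
            $hits[ $e['ip'] ][] = $e['time'];
        }
    }
    $flagged = array();
    foreach ( $hits as $ip => $times ) {
        sort( $times );
        // Sliding window over sorted timestamps: flag the first window that reaches THRESHOLD.
        for ( $i = 0, $j = 0, $n = count( $times ); $i < $n; $i++ ) {
            while ( $times[ $i ] - $times[ $j ] > WINDOW_SECONDS ) {
                $j++;
            }
            if ( $i - $j + 1 >= THRESHOLD ) {
                $flagged[ $ip ] = $i - $j + 1;
                break;
            }
        }
    }
    return $flagged;
}
// Constructed sample: 25 XML-RPC POSTs from one address in two minutes, plus one normal login.
$sample = array( '198.51.100.4 - - [10/Mar/2020:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' );
for ( $i = 0; $i < 25; $i++ ) {
    $sample[] = sprintf( '203.0.113.7 - - [10/Mar/2020:10:%02d:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"', intdiv( $i * 5, 60 ), ( $i * 5 ) % 60 );
}
foreach ( find_bruteforce( $sample ) as $ip => $count ) {
    printf( "possible brute force: %s sent %d login/XML-RPC POSTs within %d seconds\n", $ip, $count, WINDOW_SECONDS );
}
```

Run against a real log, the same function reports only 203.0.113.7-style sources that cross the threshold; a single legitimate login like the 198.51.100.4 line is ignored.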
5. Security Awareness for users to be smarter online
One of the easiest ways for a bad apple to breach your network is through your users: by enticing them to ‘click’ or ‘share’, or to hand over their credentials, through what is called ‘social engineering’ (where an attacker contacts your user directly, pretending to be someone they may know, such as a system admin, and asks for their user name/password or access to their system).
Do you have a security awareness program to train your users about being responsible online?
Consider investing in some training for your website writers and bloggers. One way to ‘test’ their knowledge and propensity to be secure online is to create a series of forms or conduct a survey. If your users don’t get the right answer, give them tips to improve so that it becomes a learning experience.
If that is not possible, you may wish to direct them to some free cyber advice from DHS.
6. Running code on supported PHP Versions
Now that you understand how critical it is to keep your CMS core, plugins and themes up to date, do you know what version of PHP you’re running at your hosting provider?
At present, the recommended PHP version for WordPress and Drupal is 7.4. If you find yourself running 7.2 or older, you may want to check with your hosting provider on when they plan to upgrade. Version 7.2 was released in November 2017 and receives security updates only until November 2020.
WordPress – https://wordpress.org/about/requirements/
PHP Supported versions – https://www.php.net/supported-versions.php
You still have time to review and update your PHP version to the latest recommended release. Version upgrades can be easy depending on your hosting provider. Where problems may arise is with custom code or older versions of plugins and themes. Ensure that you have a way to properly test functionality before upgrading, so that you don’t experience downtime if issues occur.
So there you have it: 6 common exploits you need to be aware of (and manage) to keep your website secure!
But what if your website is out of your control?? Stay tuned for our next post on Telltale Signs That Your Site is Out of YOUR Control.
In the meantime, if this overwhelms you, or you’re unable to keep up with the effort it takes to secure your website, give us a call. Web Teks has made it our business to help our clients manage and maintain their websites.