WordPress Now Comprises 90% of Hacked Sites, But Is It Inherently Vulnerable?

Issue Description

A Go-Daddy backed security company analyzed over 25k infected websites and 4,426,795 cleaned files to determine that the WordPress content management system accounted for 90% of all hacked websites in 2018 (increasing from 83% in 2017).  The top three tactics for attacks included backdoors (68%), malware (56%), and SEO spam (51%). Users running older versions of the WordPress core were not targeted significantly more than those who were up to date, demonstrating that the bulk of WordPress security issues stem not from vulnerabilities in the core, but from extensible components, i.e., 3^rd party plugins and themes that users install to enhance base installations.  Beyond plugins, other challenges related to WordPress security include use of pirated software (containing backdoors), reuse of leaked passwords, security misconfigurations, backwards compatibility issues, customized deployments, or simply a lack of security knowledge by webmasters responsible for WordPress sites.

Issue Importance

While the 90% figure noted above is high, it is less surprising considering that WordPress now powers almost 40% of the web, and controls 63% of the CMS market, according to Web Technology Surveys.  In large part because of its ease of deployment and extensibility, WordPress has become the CMS of choice for many organizations, including such top sites as The New York Times, Spotify, TechCrunch, the White House, BBC America, et al.  Attackers have a high interest in targeting the platform given its widespread adoption and since it is also the most popular e-commerce platform in the world, courtesy of such plugins as WooCommerce (which serves 22% of the top 1 million e-commerce sites in the world), according to Kinsta and Statista.

The prevalence of WordPress security vulnerabilities (hundreds of which are discussed on the Info Security magazine site) tarnishes the WordPress brand, but the Sucuri report demonstrates that, from a security point of view, plugins are the weakest point of the CMS today.  At the time of this writing, the WordPress plugin directory features nearly 58,000 plugins.  Many of these plugins are developed by small or inexperienced entities, or even solo developers where functionality/marketability is top-of-mind, not security.  In contrast, the WordPress core is maintained by a professional security team which regularly releases security updates for their software.

My Takeaways

WordPress is, and has been, the most popular CMS at Colorado State University for years.  The management of WordPress sites is now a part of my job responsibilities, as we switched from an open-source C# content management system a few years ago.  Soon after the switch, one of my sites on a development server was targeted by hackers who exploited a zero day, arbitrary file upload vulnerability within the Delete All Comments plugin (https://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-delete-all-comments-plugin/), and were able to introduce dozens of backdoor files into our test server.  Unfortunately, no major WordPress security plugin could have prevented the exploit at the time (WordFence eventually prevented the exploit one month after the attack) – the only sure way to have avoided the hack would have been to not have the plugin installed in the first place.  Nonetheless, looking back, there were numerous security best practices which could have stopped or mitigated the effects of the attack (all strategies we have since adopted), including the following tips:

• Require a VPN to access restricted areas.  All our WordPress sites require the use of our VPN in order to access administrative functions.  In practice, this means IP whitelisting, and is accomplished using an .htaccess file placed with the /wp-admin folder of each of our WordPress installations: