WordPress Now Comprises 90% of Hacked Sites, But Is It Inherently Vulnerable?

Issue Description

A Go-Daddy backed security company analyzed over 25k infected websites and 4,426,795 cleaned files to determine that the WordPress content management system accounted for 90% of all hacked websites in 2018 (increasing from 83% in 2017).  The top three tactics for attacks included backdoors (68%), malware (56%), and SEO spam (51%). Users running older versions of the WordPress core were not targeted significantly more than those who were up to date, demonstrating that the bulk of WordPress security issues stem not from vulnerabilities in the core, but from extensible components, i.e., 3rd party plugins and themes that users install to enhance base installations.  Beyond plugins, other challenges related to WordPress security include use of pirated software (containing backdoors), reuse of leaked passwords, security misconfigurations, backwards compatibility issues, customized deployments, or simply a lack of security knowledge by webmasters responsible for WordPress sites.

Issue Importance

While the 90% figure noted above is high, it is less surprising considering that WordPress now powers almost 40% of the web, and controls 63% of the CMS market, according to Web Technology Surveys.  In large part because of its ease of deployment and extensibility, WordPress has become the CMS of choice for many organizations, including such top sites as The New York Times, Spotify, TechCrunch, the White House, BBC America, et al.  Attackers have a high interest in targeting the platform given its widespread adoption and since it is also the most popular e-commerce platform in the world, courtesy of such plugins as WooCommerce (which serves 22% of the top 1 million e-commerce sites in the world), according to Kinsta and Statista.

The prevalence of WordPress security vulnerabilities (hundreds of which are discussed on the Info Security magazine site) tarnishes the WordPress brand, but the Sucuri report demonstrates that, from a security point of view, plugins are the weakest point of the CMS today.  At the time of this writing, the WordPress plugin directory features nearly 58,000 plugins.  Many of these plugins are developed by small or inexperienced entities, or even solo developers where functionality/marketability is top-of-mind, not security.  In contrast, the WordPress core is maintained by a professional security team which regularly releases security updates for their software.

My Takeaways

WordPress is, and has been, the most popular CMS at Colorado State University for years.  The management of WordPress sites is now a part of my job responsibilities, as we switched from an open-source C# content management system a few years ago.  Soon after the switch, one of my sites on a development server was targeted by hackers who exploited a zero day, arbitrary file upload vulnerability within the Delete All Comments plugin (https://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-delete-all-comments-plugin/), and were able to introduce dozens of backdoor files into our test server.  Unfortunately, no major WordPress security plugin could have prevented the exploit at the time (WordFence eventually prevented the exploit one month after the attack) – the only sure way to have avoided the hack would have been to not have the plugin installed in the first place.  Nonetheless, looking back, there were numerous security best practices which could have stopped or mitigated the effects of the attack (all strategies we have since adopted), including the following tips:

  • Require a VPN to access restricted areas.  All our WordPress sites require the use of our VPN in order to access administrative functions.  In practice, this means IP whitelisting, and is accomplished using an .htaccess file placed with the /wp-admin folder of each of our WordPress installations:
            <LIMIT GET>
order deny,allow
deny from all
# whitelist CSU ip range
allow from 
allow from
allow from
# Allow access to wp-admin/admin-ajax.php
<FILES admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any

  • Employ proper plugin management.  Only install plugins you really need, from trusted sources.  Avoid abandoned plugins (that have not been tested with current versions of WordPress or updated in months/years) and be cautious about installing any plugins with very few active installs. Unneeded plugins should be disabled and uninstalled completely (in our case, the Delete All Comments plugin had been deactivated, but because it wasn’t uninstalled, hackers could still access the vulnerable file).
  • Update/audit all WordPress components regularly.  For those plugins that are required, we enforce regular software updates, and typically try to perform them automatically where possible.  E.g., as of WordPress 5.5, you can now enable auto-updates of plugins directly within the plugin management area of your site.

    As not every single one of our commercial plugins offers auto-updates, we leverage bash scripts/rsync to update these files quickly.

    For the WordPress core, we add the following line of code to our wp-config.php file to automatically keep it updated:

    define( 'WP_AUTO_UPDATE_CORE', true );

    Finally, we audit plugins regularly by utilizing the free WPScan plugin which automatically finds security vulnerabilities listed in the WPScan WordPress Vulnerability Database.
  • Enforce SSL.  It’s best to encrypt traffic universally, and this can be enforced at the /wp-admin level with the following line of code, also placed in your wp-config.php file:

    define('FORCE_SSL_ADMIN', true);

  • Backup WordPress daily. In the event anything catastrophic happens, security or otherwise, we utilize daily backups hosted off-site, using the UpdraftPlus plugin.
  • Use strong passwords and limit login attempts.  A strong password management policy (in our case using eIDs), coupled with limiting log in attempts (before a temporary lock-out occurs) helps avoid successful brute-force attacks.

There are many other best practices/techniques to harden WordPress, many of which are listed at https://wordpress.org/support/article/hardening-wordpress/, including setting proper file permissions, disabling file editing, using a web application firewall, disabling indexing and browsing, and much more.  While WordPress will likely continue to be a prime target for hackers in the future, with the proper policies/management, it can nonetheless prove to be a reliable and secure CMS for many organizations.