Security Weekly

How WordPress sites get hacked? (Part 2)


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 3

Last week, we covered the different methods hackers use to compromise WordPress websites by taking over administrator accounts. This week, we’ll cover the second most common attack vector (which in some months is also the #1 reason) that regularly leads to a very large number of WordPress sites getting compromised – that is, software vulnerabilities.

While there is a lot more software that your WordPress website relies on, let’s focus for now on the application only and look at the WordPress core, plugins and themes. We all know that the abundance of plugins and themes is what makes WordPress so popular, but it’s commonly also what makes WordPress websites vulnerable.

There are over 60,000 plugins and themes in the WordPress repository alone, many of which also have premium versions that include additional code. When talking about premium software, there are an additional 20,000 in Envato marketplaces (ThemeForest, CodeCanyon) and more than 4000 in Monsterone. It’s also very important to mention that the vulnerabilities found in premium plugins tend to be much more severe, as their code is not public and therefore they are not reviewed by the community.

All of this software is built by different developers, with different skill levels and experience. Some have an entire company and a team of developers behind them, but most are just hobby projects built by developers to solve their own problem. However, when an average WordPress user is installing a plugin, they never check the quality of the code nor the background of the developer.

Exploiting security vulnerabilities in WordPress core

This is something we don’t see very often as WordPress core itself can be considered very secure due to the large number of developers that have worked on this project for more than 20 years.

Due to the popularity of WordPress, finding critical security vulnerabilities to exploit in WordPress core is considered so hard that companies such as Zerodium are willing to pay up to $100,000 to anyone who finds one.

However, in the past, there have been security vulnerabilities in the WordPress core, which have even been mass-exploited. A good example is the REST API vulnerability which was fixed in WordPress 4.7.2 and which led to a massive number of websites being defaced. This was back in 2017.

Even though WordPress is still fixing many security bugs each year, there have not been that many significant WordPress core vulnerabilities in recent years that have been mass-exploited and that would have caused such wide-scale damage.

Exploiting security vulnerabilities in WordPress plugins and themes

Plugins and themes, however, are a completely different story. There are plugins which seem to be installed on almost every other WordPress site. A great example is Elementor, which recently reached 15,000,000 active installations. Since most popular themes today are technically also plugins, I will just refer to both of them as “plugins”.

While the WordPress core code is constantly being reviewed by a large number of developers and even by security researchers, the code of the plugins is not. Most websites rely on some plugins whose code has essentially never been audited, and the hackers are well aware of that.

When Patchstack published its first “State of WordPress Security” whitepaper in 2020, the total number of security vulnerabilities discovered in the entire WordPress ecosystem that year was 582 (which back in the day seemed like a lot).

In 2020, Patchstack also launched the very first WordPress plugins bug bounty program and since then, there have been a lot more “eyes” on the security of plugins. The number of security vulnerabilities discovered in WordPress plugins has increased year over year and in 2022 alone, that number reached more than 4500 (btw, 2023 stats will be released soon).

Hackers are well aware that a single vulnerability can provide them access to thousands of websites. Attacks are completely automated, and targets are not chosen. The only thing that matters is whether the website happens to have that vulnerable software and if it’s unprotected.

What is a zero day vulnerability?

I’m sure many of you have heard about the term “zero day” vulnerability. What it refers to, is that a vulnerability is known to hackers before the developer has become aware of it and therefore has not yet been able to release a patch.

This can lead to a “zero day exploitation” which is when the security vulnerability becomes weaponised in attacks before the developer had time to release a fix. This happens when hackers themselves find a vulnerability in a targeted software, or when a vulnerability disclosure is rushed or done unethically.

However, in recent years, the number of zero day exploitations has dropped as the awareness of plugin developers has increased and bug bounty programs have attracted more ethical (good) hackers to the ecosystem who help the developers find and fix the security issues before the bad guys get to them.

What is a 1 day vulnerability?

This is a term that people are usually less familiar with. These are security vulnerabilities which get published/disclosed after the developer has already released a fix.

However, hackers are also well aware that the majority of people do not update their plugins in time, so they monitor the WordPress repository to detect any signs of plugins whose code/changelog includes even the slightest mention of a security fix.

We at Patchstack regularly see hackers launch attacks within just hours after a vulnerability is disclosed. For that reason, we even applied a 48-hour delay on the public Patchstack vulnerability database, and only our users (who actually have the vulnerable plugin installed) receive the alerts immediately.

When we look at the statistics from past years, it’s very clear that most of the vulnerabilities exploited in the WordPress ecosystem are in fact 1 day vulnerabilities and the zero day vulnerabilities are usually in abandoned plugins.

While regular maintenance (updating the plugins) is incredibly important and should be done as frequently as possible, it alone should not be considered as a security strategy to defend websites against the security vulnerabilities.
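
As an added example (not from the original article or from Patchstack), the changelog signal described above can be used defensively to triage your own pending plugin updates. It assumes the standard WordPress readme.txt changelog layout; the keyword list, function names and sample readme are constructed for illustration.

```python
import re

# Wording that often marks a security fix in a changelog (assumed list; extend as needed).
SECURITY_HINTS = re.compile(
    r"secur|vulnerab|xss|csrf|sql injection|sanitiz|escap|nonce|privilege|cve-\d{4}-\d+", re.I)

def version_key(version):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def parse_changelog(readme_text):
    """Return {version: [entries]} from the '== Changelog ==' section only."""
    entries, current, in_changelog = {}, None, False
    for line in readme_text.splitlines():
        line = line.strip()
        if line.startswith("=="):  # section heading such as '== Changelog =='
            in_changelog = line.strip("= ").lower() == "changelog"
            current = None
        elif in_changelog:
            heading = re.fullmatch(r"=\s*v?(\d[\w.\-]*)\s*=", line)  # '= 2.4.1 ='
            if heading:
                current = heading.group(1)
                entries[current] = []
            elif current and line:
                entries[current].append(line.lstrip("*- "))
    return entries

def pending_security_fixes(installed_version, readme_text):
    """Changelog entries newer than the installed version that hint at a security fix."""
    installed = version_key(installed_version)
    hits = []
    for version, lines in parse_changelog(readme_text).items():
        if version_key(version) > installed:
            hits += [(version, e) for e in lines if SECURITY_HINTS.search(e)]
    return sorted(hits, key=lambda h: version_key(h[0]))

# Constructed sample readme.txt for a hypothetical plugin (not a real one).
SAMPLE_README = """== Description ==
Security is important to us.
== Changelog ==
= 2.4.1 =
* Fixed: missing nonce verification on settings save.
= 2.4.0 =
* New: drag and drop builder.
= 2.3.9 =
* Security: escaped output in the shortcode attribute.
"""

if __name__ == "__main__":
    print(pending_security_fixes("2.3.8", SAMPLE_README))
```

A keyword match is only a hint for prioritising updates: security fixes are often worded vaguely, and abandoned plugins never publish a changelog entry at all.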

Conclusion

Security vulnerabilities in WordPress plugins and themes are one of the main reasons why WordPress sites get hacked. The WordPress plugins repository is monitored by hackers to detect clues about new security vulnerabilities either being introduced or fixed.

Hackers know that most website administrators don’t update plugins immediately and in many cases they even can’t, as a large number of vulnerabilities are found in abandoned plugins which will never release a fix.

Most attacks against plugin vulnerabilities happen in just hours after the disclosure, when most websites have not yet been updated. Because vulnerabilities become exploited very quickly and many don’t receive official fixes at all – relying merely on updates is not an effective security strategy.

With more than 60,000 plugins in the WordPress repository and more than 20,000 premium ones in other marketplaces, there are still many vulnerabilities to uncover.

Next week, we will talk about intentionally malicious plugins that hackers use to take over websites.
