Security Weekly

What Role Does AI Play in WordPress Security?


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 46

We can’t ignore the power of LLMs and AI when it comes to security. At Patchstack, we work closely together with Google, and earlier in 2024 we were selected for a Google Cybersecurity & AI program.

Having seen some internal Google projects such as Naptime, which is capable of finding new security vulnerabilities in code, and other projects such as XBOW, which is capable of both finding new vulnerabilities and then exploiting them fully automatically, it’s becoming rather clear in which direction we’re moving.

Let’s explore both the good and the bad of AI impact on WordPress security.

AI generated code can be riddled with vulnerabilities

Something we’ve seen quite often is that non-technical people are using AI to generate code that will then be patched together into a functional WordPress plugin.

While the code is functional and works for the given use case, it often also includes irrelevant and vulnerable code. Unfortunately, many people who use AI to generate code are not technical enough to detect such mistakes.

There’s already a lot of AI-generated code uploaded to GitHub, and I expect to see many more WordPress plugins being created the same way. Unfortunately, this will increase the number of vulnerabilities in open source (at least in the short term).
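To make the point concrete, here is an added example (not code from this post or from Patchstack) of the kind of AJAX handler an AI assistant typically produces for a WordPress plugin, followed by the same feature with the checks WordPress itself provides. The option name `sw_demo_banner`, the action names and the nonce name are hypothetical.

```php
<?php
// Added illustration. Version 1 shows the defects a non-technical author would not
// notice in generated code; version 2 is the hardened equivalent. Names are hypothetical.

// --- Version 1: what a generated snippet often looks like ----------------------------
add_action( 'wp_ajax_sw_save_banner', 'sw_save_banner_unsafe' );
add_action( 'wp_ajax_nopriv_sw_save_banner', 'sw_save_banner_unsafe' ); // reachable logged-out
function sw_save_banner_unsafe() {
    // No nonce (CSRF), no capability check (any visitor can change the option),
    // no sanitisation (raw HTML is stored and later echoed unescaped).
    update_option( 'sw_demo_banner', $_POST['banner'] );
    echo 'Saved: ' . $_POST['banner'];   // reflected, unescaped output
    wp_die();
}

// --- Version 2: the same feature with the checks WordPress provides ------------------
add_action( 'wp_ajax_sw_save_banner_v2', 'sw_save_banner_safe' );   // logged-in users only
function sw_save_banner_safe() {
    // 1. CSRF: the request must carry a nonce made with wp_create_nonce( 'sw_save_banner' ).
    check_ajax_referer( 'sw_save_banner', 'nonce' );

    // 2. Authorisation: only users allowed to manage settings may change the option.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: reject a missing value, strip slashes and tags before storing.
    if ( ! isset( $_POST['banner'] ) ) {
        wp_send_json_error( array( 'message' => 'missing banner' ), 400 );
    }
    $banner = sanitize_text_field( wp_unslash( $_POST['banner'] ) );
    update_option( 'sw_demo_banner', $banner );

    // 4. Output: escape on the way out even though the value was sanitised on the way in.
    wp_send_json_success( array( 'banner' => esc_html( $banner ) ) );
}

// Rendering side: escape at the point of output regardless of how the value was saved.
add_shortcode( 'sw_banner', function () {
    return '<div class="sw-banner">' . esc_html( get_option( 'sw_demo_banner', '' ) ) . '</div>';
} );
```

The four numbered checks in the second version (nonce, capability, sanitisation, escaping) are the items a reviewer should look for in any generated plugin handler before it is shipped.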

Finding vulnerabilities will become easier

Over the past couple of years, even without AI being used for vulnerability research, the number of new security vulnerabilities being found and fixed in the WordPress ecosystem has increased significantly year over year.

With the vast amount of publicly available vulnerability data, fine-tuning AI models for vulnerability scanning is becoming easier and easier. Meanwhile, open source software will be the first target and a testing ground – and that includes WordPress as well.

Most likely, a large number of security vulnerabilities found in WordPress core, themes and plugins in 2025 will already be found with the help of AI assisted tools.

Exploiting vulnerabilities will become easier

Some vulnerabilities are easier to exploit than others, and that also plays a significant role in how fast a vulnerability starts being exploited. The faster it is exploited, the fewer websites have had time to patch it.

This is what the hackers are aiming for: speed to exploitation. It is the reason why targets are often not picked individually and vulnerabilities are instead mass-exploited. They need to exploit vulnerabilities before they get patched.

AI is making exploitation much easier. We already have AI agents that are capable of producing exploit code or performing a complex attack given only the information about a vulnerability.

AI is making the fight a bit more fair

Historically, attackers have always had an advantage over the defenders. Now, with AI, this advantage is shrinking. AI (such as Copilot) can be used by anyone to find vulnerabilities in code before pushing it to production.

When security companies also use AI to identify new vulnerabilities, we have the possibility to patch them and protect websites before the hackers have found out about them.

Using AI at scale in this way is still expensive, so cyber security companies that can invest capital into AI solutions may even have a slight upper hand compared to hackers.
