WordPress – Understanding its True Vulnerability
Every day we manage thousands of clients running a wide range of applications, built across a number of different platforms. It should be no surprise that a good number of them run on the WordPress platform. That fact alone leads some people to shout from the mountain tops about the application's insecurities; we are here to say that is just not so.
With Popularity Comes A Target
Many know, and many more don't, that WordPress dominates rival CMS applications by a significant margin. We are not saying this in terms of functionality or breadth, but in terms of end-user adoption. We will not dwell on why and how it accomplished this, but on what it means to you, the end-user.
As you would expect, with established fame comes attention. Unfortunately, on the web this also means attention from the underbelly of the virtual domain: black-hat hackers intent on turning something good into something evil.
Why Focus on WordPress?
It's simple: WordPress is widely adopted, so the ability to reach millions of sites far exceeds what the same time and energy would buy an attacker on other applications.
So WordPress is Vulnerable?
It is our opinion that anything that lives on the web becomes vulnerable with time. That being said, at this time we do not find WordPress version 3.3.1 to be the root cause of the infections we see every day. The same cannot be said of older versions, but that is to be expected of any platform; to think otherwise is foolish. It is also one of the reasons updates are so important.
The WordPress core development team and its review process have matured tremendously over the years, to the point where they deserve accolades for their ability to push timely patches when security issues are identified. Although inefficiencies still exist in a number of areas, the greater issue we want to focus on is the end-user's responsibilities.
Why so Many Infected WordPress Sites Then?
What we find today is that the application is no longer the true cause. The paradigm has shifted, and now the end-user is often the vulnerability.
The Webmaster of Today
We are in the age of websites for all, for a low yearly fee of $34.99, with easy hosting plans starting at $5.99 a month. It is no longer necessary to hire development firms to supply overqualified resources to apply updates and make content changes. Pffff, I can do that myself. What is an update anyway?
Unfortunately, as sarcastic as that may sound, it's the sad truth. Every day we fight malware, Monday through Sunday, midnight to midnight, and the trend is getting stronger. End-users are sloppy; everyone is anxiously jumping at the opportunity to use an application like WordPress for their blogging and website needs, with little regard for the dangers of the interwebs. When a hack occurs, as is human nature, the first instinct is to look at everything but yourself, in this case at WordPress.
Let’s take a minute to look at the top reasons for the infections we see today:
- Poor Credential Management (FTP, SFTP, SSH, WP Admin, cPanel, DB, etc.)
- Poor System Administration
- Soup Kitchen Server – Housing Test, Staging and Production Sites
- Out-of-Date Software – PHP, WP, Plugins, Themes, DB
- Lack of Web Knowledge
- Lack of Security Knowledge
- Use of self-proclaimed “experts”
- Cutting Corners – Using unvetted Plugins, Themes and Scripts (Often Infected and housing backdoors)
Everything mentioned above can be easily addressed. By far one of the worst culprits of infections today is the incredible number of Soup Kitchen servers. The lack of awareness and understanding of the potential for cross-site contamination is jaw dropping: once one site under a hosting account is compromised, the attacker typically has write access to every other site that account owns, so an abandoned test copy can reinfect a patched production site indefinitely.
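Two of the items on the list above, out-of-date core software and multiple sites sharing one hosting account, can be checked mechanically. The following script is an added example and is not code from the original post or from the WordPress project. It locates WordPress installs by their `wp-includes/version.php` file (the file where core stores `$wp_version`), reports any install older than a reference version (3.3.1 here, the version the post names), and flags accounts that host more than one install. It assumes a cPanel-style layout in which the first path component under the scanned root is the account name; the sample directory tree it builds is constructed for the demonstration and is not data from a real server.

```python
"""Audit a web root for WordPress installs: report core versions and
accounts hosting several sites side by side (the "soup kitchen" pattern).

Added example, not part of the original post. Assumes the first path
component under the scanned root identifies the hosting account.
"""
import os
import re
import tempfile

# Matches the assignment in wp-includes/version.php, e.g. $wp_version = '3.3.1';
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def find_wp_installs(root):
    """Return every directory under root that contains wp-includes/version.php."""
    installs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            installs.append(os.path.dirname(dirpath))
    return sorted(installs)


def read_wp_version(install_dir):
    """Extract the $wp_version string from an install, or None if not found."""
    path = os.path.join(install_dir, "wp-includes", "version.php")
    with open(path, encoding="utf-8", errors="replace") as fh:
        match = _VERSION_RE.search(fh.read())
    return match.group(1) if match else None


def version_tuple(version):
    """'3.3.1' -> (3, 3, 1). Pre-release suffixes such as '3.4-RC1' are dropped;
    a missing or unparsable version yields () so it sorts as older than anything."""
    if not version:
        return ()
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        return ()
    return tuple(int(part) for part in match.group(0).split("."))


def audit(root, current="3.3.1"):
    """Return installs found, those older than `current`, and accounts
    hosting more than one install (cross-site contamination risk)."""
    installs = {d: read_wp_version(d) for d in find_wp_installs(root)}
    outdated = sorted(
        d for d, v in installs.items() if version_tuple(v) < version_tuple(current)
    )
    by_account = {}
    for install in installs:
        account = os.path.relpath(install, root).split(os.sep)[0]
        by_account.setdefault(account, []).append(install)
    soup_kitchens = {a: sorted(ds) for a, ds in by_account.items() if len(ds) > 1}
    return {"installs": installs, "outdated": outdated, "soup_kitchens": soup_kitchens}


def build_sample_tree():
    """Constructed sample layout (not a real server): two accounts, one of which
    hosts production and an outdated staging copy under the same account."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    sites = {
        "alice/public_html": "3.3.1",
        "alice/staging": "3.0.1",
        "bob/public_html": "3.3.1",
    }
    for rel, ver in sites.items():
        inc = os.path.join(root, rel, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % ver)
    return root


if __name__ == "__main__":
    import sys

    # Pass a real web root (e.g. /home) as the first argument, or run on the sample tree.
    scan_root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    report = audit(scan_root)
    for install_dir, version in report["installs"].items():
        flag = "OUTDATED" if install_dir in report["outdated"] else "ok"
        print("%-8s %-8s %s" % (flag, version, install_dir))
    for account, dirs in report["soup_kitchens"].items():
        print("soup kitchen: account %r hosts %d installs" % (account, len(dirs)))
```

Run it with no arguments to see the constructed sample, or point it at the parent directory of your hosting accounts. Installs whose version cannot be parsed are deliberately reported as outdated rather than silently skipped, since a missing or edited version.php is itself worth a look.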