Yesterday, the open source content management system (CMS) WordPress made headlines with the announcement of yet another critical zero-day vulnerability. The newly discovered flaw is markedly different from the other WordPress vulnerabilities surfacing of late: in this case, the problem exists in WordPress' core engine and codebase rather than in third-party plugins and extensions. WordPress.org was quick to release a patch for the vulnerability and has advised users to upgrade to WordPress 4.2.1, the latest version of the CMS.
Considering WordPress’ market share, every critical vulnerability is cause for some widespread alarm. According to W3Techs:
WordPress is used by 60.4% of all the websites whose content management system we know. This is 23.8% of all websites.
That's right: 23.8% of all websites right now are running WordPress. If you're part of this percentage, not only are you in good company (CNN, Reuters, and the NY Times, among others), but you're also in the crosshairs of intruders and hackers as low-hanging fruit for easy exploitation. This latest vulnerability has caused considerable panic because the actual problem resides in the core codebase rather than in a third-party plugin (the usual suspect in these occurrences). Truth be told, yesterday's announcement only scratches the surface of WordPress-related vulnerabilities. For some harrowing details, check out this complete, ongoing list of WordPress security vulnerabilities.
In terms of remediation, patching or upgrading one's WordPress installation to 4.2.1 is clearly the first step, and nothing else on this list substitutes for it. Because this vulnerability involves exploiting WordPress' commenting feature, popular plugins like Akismet for comment spam prevention add an extra layer of protection by cutting down the volume of attacker-controlled comments that reach the site; they reduce exposure but do not close the underlying hole. Additional measures include checking every installed third-party plugin for updates (and for documented issues) and deactivating, ideally deleting, plugins that are not in use, since inactive plugin code still sits on disk. In general, only widely reviewed plugins from trusted sources should be installed.
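The two checks above (is the core at the patched release, and what plugins are installed at which versions) can be scripted against a WordPress document root without database access. The following POSIX shell script is an added example written for this post, not code from the original article or from the WordPress project. It assumes the standard install layout (`wp-includes/version.php` declaring `$wp_version`, and plugin directories under `wp-content/plugins/` whose main file carries a `Version:` header line); the `make_sample_site` function builds a constructed sample tree so the script runs offline.

```shell
#!/bin/sh
# Added example: offline check of a WordPress install against the patched
# core release named in the post, plus an inventory of installed plugins.
# Assumes the standard layout: wp-includes/version.php and wp-content/plugins/.

REQUIRED_WP_VERSION="4.2.1"   # patched release named in the post

# Extract the value of $wp_version from wp-includes/version.php.
wp_core_version() {
  sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Return 0 if dotted version $1 >= $2, comparing up to four numeric components
# (so 4.10 correctly sorts after 4.9, which a plain string compare gets wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= 4; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
      if (p > q) exit 0; if (p < q) exit 1;
    }
    exit 0 }'
}

# Print the core status for the install rooted at $1; return 0 only if patched.
# A missing or unparsable version.php is reported as vulnerable, not skipped.
check_core() {
  v=$(wp_core_version "$1" 2>/dev/null)
  if [ -n "$v" ] && version_ge "$v" "$REQUIRED_WP_VERSION"; then
    echo "core $v: OK (>= $REQUIRED_WP_VERSION)"
    return 0
  fi
  echo "core ${v:-unknown}: VULNERABLE, upgrade to $REQUIRED_WP_VERSION"
  return 1
}

# Print "slug<TAB>version" for each plugin directory, reading the Version:
# line from the plugin header so the list can be compared against the
# WordPress.org listing or a known-vulnerable list. Inactive plugins are
# listed too: their code is still on disk and still worth removing.
plugin_inventory() {
  for d in "$1"/wp-content/plugins/*/; do
    [ -d "$d" ] || continue
    slug=$(basename "$d")
    ver=$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$d"/*.php 2>/dev/null \
          | head -n1 | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s\t%s\n' "$slug" "${ver:-unknown}"
  done
}

# Constructed sample tree (not a real site): core at version $1, two plugins
# with hypothetical version numbers. Prints the temporary root directory.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-includes" \
           "$root/wp-content/plugins/akismet" \
           "$root/wp-content/plugins/hello-dolly"
  printf "<?php\n\$wp_version = '%s';\n" "$1" > "$root/wp-includes/version.php"
  printf '<?php\n/*\nPlugin Name: Akismet\nVersion: 3.1.1\n*/\n' \
    > "$root/wp-content/plugins/akismet/akismet.php"
  printf '<?php\n/*\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n' \
    > "$root/wp-content/plugins/hello-dolly/hello.php"
  echo "$root"
}

# Usage against a real install: check_core /var/www/html; plugin_inventory /var/www/html
```

Run `check_core` and `plugin_inventory` against the real document root (e.g. `/var/www/html`); a non-zero exit from `check_core` makes the script usable as a gate in a cron job or deployment pipeline, and the tab-separated plugin list is easy to diff against a previous run to catch plugins that appeared or changed version without a planned update.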
Above all else, staying vigilant in an increasingly hostile cyber landscape is crucial to minimizing the potential for compromise. Keep in mind that a WordPress site is a web application, exploitable not only at the application codebase level but at any layer of the stack beneath it. A WordPress site's security posture is therefore only as good as its weakest layer: known vulnerabilities in the underlying LAMP stack (Linux, Apache, MySQL, and PHP), or in a particular combination of their versions, can be used to compromise the site just as surely as a flaw in WordPress itself, so each component needs the same patching and review discipline as the CMS.
Announcements like yesterday's should indeed be cause for concern; that said, taking proactive measures to secure one's WordPress site drastically reduces the panic level once vulnerabilities are announced. WordPress security issues abound; the general public just doesn't hear about most of them. Case in point: a critical vulnerability announced earlier this month involving a popular WordPress plugin potentially impacts over 1 million sites. The constant arrival of new vulnerabilities and exploits is an ongoing dilemma, so continuous effort is necessary to bolster a WordPress website's security posture. This includes staying on top of core codebase and third-party plugin updates, as well as understanding the security implications of WordPress' underlying LAMP stack (and the required updates to each component). UpGuard can provide continuous security monitoring and validation at all levels of the LAMP stack, as well as for servers, network devices, and many others.