WordPress powers over 30% of the internet, so it’s no wonder that hackers focus their efforts on scanning sites powered by the WordPress content management system in an effort to find vulnerabilities. When site owners decide to add a plugin, they go to the WordPress marketplace, find a plugin with possibly millions of installs, and think that they can trust the plugin not to destroy their site. Unfortunately, even popular plugins fall victim to exploits, and site owners should be vigilant about staying informed on the latest patches and updates for any plugin installed on their sites.
How Do Hackers Find Vulnerable WordPress Sites?
To find vulnerable sites, an attacker first chooses the vulnerability to exploit. Attackers can scan for several vulnerabilities at once, but most look for one specific flaw to determine whether a targeted site can be hacked. Depending on the exploit, the payoff ranges from full administrative control over the website to injection of hidden content and redirects.
To make vulnerability discovery more efficient, attackers use scripts to scan the web. These scripts are readily available as downloads on public websites, so even people unfamiliar with hacking and exploits do not need to know how to scan the web themselves. More advanced attackers write their own scripts, especially if they find a zero-day vulnerability in a popular plugin. A zero-day vulnerability is one that has not been seen in the wild, so an attacker could potentially hack thousands of sites with simple custom-made scripts.
Since plugins are written in PHP and usually published in open-source repositories, attackers can simply read that code to find a vulnerability they want to exploit. This step has a much higher barrier to entry, as the attacker must be able to read the code and identify the statements that create vulnerabilities. The attacker then needs to explore and test the vulnerable code to confirm it can be exploited, and finally write their own exploit scripts to run during their WordPress attacks.
Researchers will often review code in open-source plugins and alert the author should they find vulnerabilities. Some authors of more popular plugins will ask whitehat hackers to find vulnerabilities so that they know their code is safe from exploits.
What Can Vulnerable Plugins Do to Your Site?
An attacker’s activity on a vulnerable site depends on the exploit and privilege escalation potential. If an attacker can gain administrative access to the WordPress site, the attacker can do anything that an administrator can do. Since administrators have full control of a WordPress site, this means that the attacker also has full control.
Some common exploits used on WordPress include:
• Add redirects: an attacker who can inject code into a vulnerable plugin can redirect users to an attacker-controlled site. In many cases, the attacker redirects users conditionally based on the Referer header, which is set when a user clicks a link on, or is redirected from, another site. In a conditional redirect, the attacker sends the user to a malicious website only if the user arrives from a search engine such as Google.
• Inject spam ads: malicious ads will display a popup when users access the WordPress site. These popups will direct users to download malware by telling the user that their software is outdated. For example, a common malicious ad tells the user that Chrome must be updated, but the executable installs malware instead.
• Inject malicious links: an attacker who can exploit code to launch a persistent cross-site scripting (XSS) attack can inject their own HTML, including links, into content stored in the database. These links point to a malicious website, or are hidden so that search engines register backlinks to a website of the attacker's choosing.
• Install malware such as ransomware: attackers with elevated privileges can install software on the target site. Typically, an attacker installs ransomware that encrypts files, forcing the website owner to pay a ransom to get them back. The only way to recover from such an attack is to restore data and files from backups.
• Create administrator accounts: an attacker with access to the database or administration dashboard can create new accounts including other admin accounts.
• Inject code for attacker control: an attacker with the intent to control site functionality will often use their own code to launch attacks against other sites or use the local WordPress email capabilities. For example, an attacker with control of site functionality could launch a distributed denial-of-service (DDoS) attack against a targeted website.
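The conditional-redirect item above describes a pattern that can be hunted for on disk. The scanner below is an added example, not code from the original article: it flags PHP files that combine a Referer check with a redirect, first unwrapping base64_decode() literals because injected code is commonly hidden that way. The sample files, the redirect.invalid host and the indicator names are constructed for the example.

```python
import base64
import re
from pathlib import Path

# Indicators of the conditional redirect described above (a Referer check feeding
# a redirect), plus the obfuscation wrappers that injected PHP is usually hidden in.
INDICATORS = {
    "referer-check": re.compile(r"HTTP_REFERER|wp_get_referer\s*\("),
    "search-engine-match": re.compile(r"google|bing|yahoo|duckduckgo", re.I),
    "redirect": re.compile(r"header\s*\(\s*['\"]Location:|wp_redirect\s*\(", re.I),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
B64_ARG_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")

def unwrap_base64(source: str) -> str:
    """Append decoded base64_decode('...') literals so hidden code is scanned too."""
    decoded = []
    for blob in B64_ARG_RE.findall(source):
        try:
            decoded.append(base64.b64decode(re.sub(r"\s", "", blob)).decode("utf-8", "ignore"))
        except ValueError:  # not valid base64; leave it for manual review
            continue
    return source + "\n" + "\n".join(decoded)

def scan_php(source: str) -> set:
    """Return the set of indicator names present in one PHP file's source."""
    text = unwrap_base64(source)
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def is_suspicious(found: set) -> bool:
    # Legitimate plugins routinely redirect back to the referer, so the verdict also
    # needs a search-engine test or an obfuscation layer on top of referer + redirect.
    return {"referer-check", "redirect"} <= found and bool(found & {"search-engine-match", "obfuscation"})

def scan_tree(root: str) -> dict:
    """Scan every .php file under root (e.g. wp-content/plugins): path -> indicators for hits."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php(path.read_text(encoding="utf-8", errors="ignore"))
        if is_suspicious(found):
            hits[str(path)] = found
    return hits

# Constructed samples, not real plugin code: a benign redirect-back, a plain
# conditional redirect, and the same redirect hidden behind eval(base64_decode()).
CLEAN  = "<?php\nif ( isset( $_POST['save'] ) ) { wp_redirect( wp_get_referer() ); exit; }\n"
BODY   = ("if ( preg_match( '/google|bing/i', $_SERVER['HTTP_REFERER'] ?? '' ) ) {\n"
          "  header( 'Location: https://redirect.invalid/' ); exit;\n}\n")
PLAIN  = "<?php\n" + BODY
HIDDEN = "<?php eval( base64_decode( '" + base64.b64encode(BODY.encode()).decode() + "' ) );\n"
```

Run scan_tree("wp-content/plugins") against a site's plugin directory; on the constructed samples, CLEAN is not flagged while PLAIN and HIDDEN are, the latter only because the base64 payload was unwrapped first.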
What You Can Do to Protect Your WordPress Site
Most website owners try to avoid malware by downloading only popular plugins, but even plugins with millions of downloads can be vulnerable to exploits. The first step is to download plugins with active authors who continually patch their software. This step ensures that any vulnerabilities reported to the author will be patched in future code releases.
After a plugin author updates code to remediate a vulnerability, the WordPress administrator must install the latest version. The WordPress dashboard shows alerts when a new plugin version is available, but this means that the administrator must authenticate into the dashboard regularly to patch software. The core WordPress code also receives patches and updates that must be installed. Outdated software is the foundation for many of the world’s biggest data breaches, so updating plugins and the core WordPress code should be done quickly after a new release is available.
Several WordPress plugins are available that tell site owners when installed plugins are outdated and a new release is available. Two common ones – Sucuri and Wordfence – will email the administrator not only when a new plugin version is available but also when an attack is in progress. These two plugins stop brute-force attacks on administrator passwords and block other common attacks against the site. For example, they will stop a path traversal attack against sensitive files such as wp-config.php, which contains the credentials for the database behind the WordPress site.
WordPress makes site ownership easy, but it comes with a price. It’s also a common target for hackers. Always download plugins with active authors who patch regularly, and authenticate into the administration dashboard regularly to check for updates. When updates are available, install them quickly to avoid being the next victim.
If you are reading this after it’s too late and are currently dealing with a compromised WordPress site, we offer a Compromised Site Repair service through which we will work with you to restore your WordPress application, as well as many other CMS applications, to its original form. We also provide ongoing protection through our Canadian-hosted Managed WordPress, which keeps your plugins and core up to date and comes with a hack-free guarantee, so you can focus on your content while we provide the security focus you need.