Many Popular WordPress Sites Vulnerable To Attack, Study Finds


New research on popular WordPress websites found most of them littered with vulnerabilities, giving cybercriminals a platform to set up drive-by attack campaigns and other nefarious activity.

The study was the result of an analysis of more than 40,000 WordPress websites in the Alexia Top 1 Million sites from Sept. 12 to Sept. 15. Details of the analysis were released this week by WP WhiteSecurity, a U.K.-based security services firm. Most of the vulnerabilities could be detected using freely available automated tools, but the message from WordPress is to get website owners and administrators to move to the latest version of the platform.

The sites analyzed by the WP WhiteSecurity team are active and visited frequently, increasing the threat posed by vulnerabilities, said Sandro Gauci, chief consultant and founder of England-based EnableSecurity, who built the tool used by the WordPress team to conduct the analysis.

[Related: 10 Trending Cyberthreat Attacks In 2013]

"These are high-impact security issues affecting websites which are in the top 1 million, so they are quite popular sites that are impacted," Gauci told CRN. "On the other hand, I'm a penetration tester so I see a lot of vulnerabilities on popular sites."

The analysis found 74 different versions of WordPress, most outdated, containing dozens of vulnerabilities that could be targeted by cybercriminals. Only 18 percent of the sites reviewed upgraded to WordPress 3.6.1, the latest version of the platform.

"It takes a malicious attacker only a couple of minutes to run automated tools that can discover such vulnerabilities and exploit them," WordPress noted in its blog post on the results. "There are several security measures one can take, or tweaks one can implement, to improve the security of a WordPress installation, and we recommend you doing so."

Attacks have been consistently on WordPress and other content-management systems and their components. Many of the attacks attempt to brute-force their way into the platform by exploiting weak and default passwords, Gauci said. Exploiting vulnerabilities in outdated CMS systems and their components also has been a popular hacking technique. According to security firm Cenzic, cross-site scripting errors are the most frequently detected Web vulnerability, followed by information leakage flaws that enable an attacker to get information from error messages simply by executing a malicious script. SQL injection vulnerabilities also have been a coveted attack technique used by cybercriminals.

WordPress, Joomla and Drupal are among the most popular website platforms. WordPress said it found websites running versions of its platform that have been retired years ago.

At the very least, the websites should be on the latest version, Gauci said. Third-party plugins also should be continually updated to the latest version. Strong passwords should be used for the WordPress installation and users assigned to update and maintain the website. The underlying database should be hardened and properly configured, according to WordPress recommendations.

An analysis of third-party plugins released in June by security firm Checkmarx found seven out of the 10 most popular e-commerce plugins contain vulnerabilities. The firm recommends site owners use Wordpress.org when downloading plugins. Unused plugins should be removed, the firm said.

PUBLISHED SEPT. 27, 2013