Combine a popular web site platform (WordPress) with a user base where a good percentage lacks technical expertise and add to that malicious intent. The result? A wide swath of sites that are vulnerable to attack.
This is the situation with WordPress. The official site boasts corporate and celebrity users such as People, Motley Crue, and CNN. This is true. There are many multi-million dollar corporations, publications, and applications that run on the WordPress platform.
However, it is also true that a lot of users of the self-hosted version of WordPress are casual users. The ease of use of the platform, as well as the familiarity gained through the free sites on wordpress.com, drew a wide range of users. Beyond the hobby bloggers, there are small businesses that had a site built on WordPress on their developer's or designer's recommendation and then never looked at it again.
This chart by Built With shows almost half of the sites on the internet are using WordPress.[1]
This chart by W3Techs shows the percentage of WordPress installations using each platform. As you can see, a little over 30 percent of the installations are still running on version 3 or lower.[2]
What this tells me is that an awful lot of those 14 million sites are sitting out there unmanaged and wide open for attack.
I’ve mentioned before that outside of content and design, if you don’t have someone on staff who manages and maintains your web site, a web site maintenance service plan is often a good idea. An excerpt from a previous article:
Open Source platforms like WordPress, Joomla, and Drupal are wonderful in that they allow the individual blogger and small business person to have world class sites. The downside to that is that since the code is open to all, it is also open to those who explore it to find vulnerabilities to maliciously hack your site.
When people contact me to recover their site after it’s been hacked, most of the time it is because they didn’t keep the platform up-to-date. There can be occasions when someone purposely tries to take a site down and overcomes security measures.
But the reality is that for most of our web sites, hackers just don’t care that much about coming after you specifically. They are just looking for an opportunity to do damage, and most of the time they choose the path of least resistance to do so.
Not keeping your site up-to-date or monitoring add-ons for security issues is like driving your car to the center of town, leaving the keys in the ignition and the doors open, and blaring the words “Come take me.”
This past week has been a good illustration of this.
The issue was not only with the WordPress core platform; the vulnerability was also found in plugins and themes. Envato Marketplace sent out an email on Saturday warning their users of the possible exploit. They encouraged all their vendors to check their extensions for the vulnerability and to modify and patch them. I received emails from theme and plugin developers warning of the problem.[4]
Version 4.2 came out to patch that vulnerability. Almost immediately, another vulnerability was discovered in the update that fixed the previous one.
The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. Attack code has been released that targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet.
Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appears by default at the bottom of a WordPress blog or article post. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform. The most serious of the two vulnerabilities is in WordPress version 4.2 because as of press time there is no patch.
“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” Jouko Pynnönen, a researcher with Finland-based security firm Klikki Oy, wrote in a blog post published Sunday evening. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”[5]
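The excerpt above describes the mechanism: markup stored in a comment is later rendered in an administrator's browser. As an added example (not code from the original post or from WordPress), here is a small defender's triage pass over comment rows in the shape of the wp_comments table, flagging bodies that carry script-bearing markup, plus the escape-on-output step that makes such markup inert when a moderation screen displays it. The sample rows are constructed, and the allow-list is an assumed approximation of WordPress's default comment tag list.

```python
import html
import re

# Constructed sample rows shaped like the wp_comments table
# (comment_ID, comment_author, comment_content). Not real data.
SAMPLE_COMMENTS = [
    (1, "alice", "Great post, thanks for the tips!"),
    (2, "bob", 'Useful <a href="https://example.com/">reference</a>, <em>well</em> written.'),
    (3, "mallory", "Nice <script>alert(document.cookie)</script>"),
    (4, "trent", '<img src="x" onerror="alert(1)">'),
    (5, "eve", '<a href="javascript:alert(1)">click</a>'),
]

# Tags a stock WordPress install lets commenters use (assumed approximation of
# the default allow-list in wp-includes/kses.php).
ALLOWED_TAGS = {"a", "abbr", "acronym", "b", "blockquote", "cite", "code",
                "del", "em", "i", "q", "s", "strike", "strong"}

TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
JS_URI_RE = re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE)

def scan_comment(content):
    """Reasons this comment body deserves a manual look; [] means none found."""
    reasons = []
    tags = {t.lower() for t in TAG_RE.findall(content)}
    if "script" in tags:
        reasons.append("script tag")
    if EVENT_ATTR_RE.search(content):
        reasons.append("event-handler attribute")
    if JS_URI_RE.search(content):
        reasons.append("javascript: URI")
    unexpected = sorted(tags - ALLOWED_TAGS)
    if unexpected:
        reasons.append("tags outside allow-list: " + ", ".join(unexpected))
    return reasons

def triage(rows):
    """Run scan_comment over (id, author, content) rows; return the flagged ones."""
    flagged = []
    for cid, author, body in rows:
        reasons = scan_comment(body)
        if reasons:
            flagged.append((cid, author, reasons))
    return flagged

def render_for_admin(content):
    """Escape on output: the moderation screen should emit this, so stored
    markup reaches the administrator's browser as inert text."""
    return html.escape(content, quote=True)
```

Running `triage(SAMPLE_COMMENTS)` flags rows 3, 4 and 5 and leaves the two ordinary comments alone; the flagged bodies are exactly the ones that must pass through `render_for_admin` rather than be echoed raw.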
This is a nightmare waiting to happen, ranking right up there with the experience of my friend Stephanie after someone went after her attempting to hijack her accounts and succeeded with her Facebook page.
An update to WordPress 4.2.1 that fixed this vulnerability was released hours ago. If automatic updates are enabled on your site, it will have already updated.
WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.
WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.
Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.
The danger is for those who don’t have a system in place for backups and updates and who maybe haven’t checked their site in a while.
If you’re reading this and asking yourself, “What do I do now?”:
- Back up your web site. It is a good idea to keep a series of backups on hand in case it is necessary to take your site back to a previous version.
- Update WordPress
- Update the installed plugins and themes.
- Research any plugin for which no update was prompted after updating to the latest version of WordPress, to check for vulnerability issues. Plugins that are outdated or whose development has been abandoned can be a huge issue.
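Before running through the steps above it helps to know exactly what is installed. As an added example (not code from the original post or from WordPress), this script reads the core version out of wp-includes/version.php, compares it with 4.2.1, the release the post says closes the hole, and inventories the plugin headers so each one can be researched. The demo install it audits is constructed in a temporary directory; the 8 KB header read is an assumption mirroring how WordPress itself reads plugin headers.

```python
import os
import re
import tempfile

FIXED_IN = "4.2.1"  # the release the post says closes the comment XSS
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def version_tuple(v):  # '4.1.10' -> (4, 1, 10); a '-beta1' suffix is ignored
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def core_needs_update(installed, fixed=FIXED_IN):
    return version_tuple(installed) < version_tuple(fixed)

def parse_wp_version(text):
    """Pull $wp_version out of the contents of wp-includes/version.php."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def plugin_inventory(plugins_dir):
    """Read each plugin's header comment; returns {slug: (name, version)}."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, slug)
        for fname in sorted(os.listdir(pdir)) if os.path.isdir(pdir) else []:
            if fname.endswith(".php"):
                with open(os.path.join(pdir, fname), errors="replace") as f:
                    fields = dict(HEADER_RE.findall(f.read(8192)))  # header is at the top
                if "Plugin Name" in fields:
                    found[slug] = (fields["Plugin Name"], fields.get("Version", "unknown"))
                    break
    return found

def audit(root):
    """Core version, whether it predates the fix, and which plugins are installed."""
    with open(os.path.join(root, "wp-includes", "version.php")) as f:
        core = parse_wp_version(f.read())
    plugins = plugin_inventory(os.path.join(root, "wp-content", "plugins"))
    return {"core": core, "core_unpatched": core is None or core_needs_update(core), "plugins": plugins}

def demo_audit():
    """Build a constructed, minimal install in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php\n$wp_version = '4.1.1';\n")
    for slug, name, ver in [("hello", "Hello Dolly", "1.6"), ("old-gallery", "Old Gallery", "0.3")]:
        os.makedirs(os.path.join(root, "wp-content", "plugins", slug))
        with open(os.path.join(root, "wp-content", "plugins", slug, slug + ".php"), "w") as f:
            f.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return audit(root)
```

Pointing `audit()` at a real document root reports the same three things; an unreadable version string is treated as unpatched rather than silently passed.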
[1] CMS Usage Statistics. Built With. Generated 27-4-2015.
[2] WordPress Version Usage. W3Techs. Accessed 27-4-2015.
[3] Cedric Van Bockhaven. WordPress < 4.1.2 Stored XSS Vulnerability. Cedric’s Cruft. 23-4-2015. Accessed 27-4-2015.
[4] Widespread WordPress Plugins and Themes Security Vulnerability. Envato. 23-4-2015. Accessed 27-4-2015.
[5] Dan Goodin. Just-released WordPress 0day makes it easy to hijack millions of web sites. Ars Technica. 27-4-2015. Accessed 27-4-2015.