When people upload content to the Internet, they generally expect it to be safe. There are always security concerns about sharing personal data and putting it where virtually anyone can access it, but people rarely expect most of it to be openly vulnerable when they use trusted platforms like WordPress.
WordPress is an open source content management system. It powers 18 percent of all web sites, about 60 million sites. WordPress supports a multitude of third-party plugins that give users advanced features. Right now any developer can create a WordPress extension to enhance the basic platform. Some coding standards are set, but currently there are no security requirements that plugin developers must adhere to.
A recent report found that of the 50 most popular WordPress plugins, 20 percent are vulnerable to common attacks such as SQL injection. Additionally, seven of the 10 most popular e-commerce plugins contain vulnerabilities. This translates to approximately 8 million downloads of plugins that contain vulnerabilities.
Cyber criminals can use these weaknesses to access personal data such as health records and financial details. Hackers can redirect sites to other attacker-controlled sites or simply damage them. In WordPress, security gaps within plugins also give hackers a channel for widespread malware distribution.
The report found that the vulnerabilities allow for:
- SQL injection – allows execution of attacker-controlled commands on the server back-end
- Cross-site scripting – allows scripts to run in the client to bypass access controls; targets site visitors
- Cross-site request forgery – attackers perform application-level transactions
- Remote/local file inclusion – uploading of possibly malicious files to the server
- Path traversal – attacker crawls through web pages
Of the 50 vulnerable plugins, the most common are used for content management, e-commerce, social networks and site development.
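As an added illustration of the first three classes in the list (this is not code from the report or from any named plugin), here is a hypothetical plugin AJAX search handler in its vulnerable form and its hardened form using WordPress core APIs; the table name example_orders, the AJAX action name and the nonce action are assumptions:

```php
<?php
// Added example (hypothetical plugin, not from the report or any named plugin):
// an AJAX handler that looks up orders by a user-supplied search term, shown
// first in the vulnerable form that produces three of the classes listed above,
// then hardened with WordPress core APIs.

// VULNERABLE: concatenates request input into SQL (SQL injection), echoes it
// unescaped (cross-site scripting) and checks neither a nonce nor a capability
// (cross-site request forgery / missing access control).
function example_orders_search_vulnerable() {
    global $wpdb;
    $term = $_POST['term'];
    $rows = $wpdb->get_results(
        "SELECT id, customer FROM {$wpdb->prefix}example_orders WHERE customer LIKE '%$term%'"
    );
    foreach ( $rows as $row ) {
        echo '<li>' . $row->id . ': ' . $row->customer . '</li>';
    }
    wp_die();
}

// HARDENED: the same feature with the defences the vulnerable version lacks.
function example_orders_search_hardened() {
    // CSRF: the request must carry a nonce the caller obtained from
    // wp_create_nonce( 'example_orders_search' ) in the same session.
    check_ajax_referer( 'example_orders_search', 'nonce' );
    // Access control: only users allowed to manage the site may query orders.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    // Input handling: normalise the term, then bind it as a parameter so the
    // database never interprets it as SQL; esc_like() keeps LIKE wildcards literal.
    $term = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, customer FROM {$wpdb->prefix}example_orders WHERE customer LIKE %s LIMIT 50",
            $like
        )
    );
    // Output encoding: escape every value at the point it enters HTML.
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->id ) . ': ' . esc_html( $row->customer ) . '</li>';
    }
    wp_die();
}
add_action( 'wp_ajax_example_orders_search', 'example_orders_search_hardened' );
```

Registering only the hardened handler is deliberate: the vulnerable function is kept solely for comparison and must never be hooked to an action.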
Are plugin vulnerabilities getting resolved?
According to the report, between January 2013 and June 2013 only six of the plugins were completely fixed: BuddyPress, bbPress, E-Commerce, WooCommerce, W3 Total Cache and Super Cache.
For WordPress users, and administrators especially, there are precautions that avoid the need for a system restore: download plugins only from reputable, legitimate sources; if the plugin source code is available, scan it for security issues before downloading; download only the most up-to-date plugins; upgrade plugins when necessary; and remove all unused plugins.