This is a guest post for the Computer Weekly Developer Network by Dennis Dwyer, Dell SecureWorks counter threat unit security analyst.
WordPress is an open-source blogging platform and content management system (CMS). It is made up of more than 200,000 lines of code (written mostly in the PHP scripting language) and is used by more than 66 million websites on the Internet.
Although WordPress is considered a mature platform, regular updates address serious security vulnerabilities that could be used by an attacker targeting a WordPress site.
WordPress vulnerabilities are even more of a threat when combined with recent large-scale brute-force attacks which target WordPress websites.
In this blog, I’ll cover examples of both.
Considerations for developers
Vulnerabilities and brute-force attacks are important considerations for developers, as well as for anyone who hosts a website on wordpress.com or runs the platform on a different host.
Steps can be taken to help secure WordPress installations so that systems are less likely to be compromised and so that damage is minimised if a compromise does occur. These precautions can also prevent a vulnerable server from becoming part of a botnet used to launch further scans or distribute malware.
Vulnerabilities may be in WordPress core and plugins
Attackers commonly abuse third-party WordPress plugins which contain vulnerabilities.
As recently as April 2013, vulnerabilities affecting the WordPress Super Cache and W3 Total Cache plugins (both related to caching and website optimisation) gained attention, and their developers have since released updated versions (see the WP Super Cache and W3 Total Cache pages for version information).
Successful exploitation of these critical flaws may allow an attacker to execute arbitrary PHP code on a vulnerable system. To avoid falling victim to such attacks, users and developers should examine WordPress plugins carefully and completely remove unwanted or unnecessary plugins. Third-party plugins may be updated at any time, whereas a major WordPress release usually arrives about every six months.
Many organisations opt out of automatic WordPress updates and work with developers to deploy new versions manually at an appropriate time so that additional testing can be performed. This patch and update schedule is virtually continuous and difficult to keep up with, but keeping up with it is necessary to maintain an acceptable level of security.
In April 2013, WordPress websites suffered a large brute-force campaign. A botnet consisting of more than 90,000 servers was reported to be scanning the Internet for WordPress websites and attempting to log in to the administrator’s account using a list of commonly used passwords.
Servers using simple passwords such as “123456” or “qwerty” would quickly fall victim to this attack. If an attacker successfully logs in, a backdoor is installed for future use.
Compromised websites may then be used for other activities, such as scanning for more WordPress sites and participating in distributed denial of service (DDoS) attacks.
To protect against brute-force attacks, use long passwords that combine uppercase and lowercase characters with symbols (#$%^&@). On top of that, developers should rename the Administrator’s account to something other than “admin”.
By default, WordPress does not limit incorrect logins!
By default, WordPress does not limit incorrect logins, which allows an attacker to make a large number of attempts in rapid succession. This ability increases the odds that an attacker will correctly guess the password. Several WordPress plugins limit the number of login attempts, but plugins themselves generally increase the attack surface an attacker has at his or her disposal, and may inadvertently allow access via other means.
Securing access to /wp-admin/ (the Administrator’s login area), using an alternate database table prefix, securing wp-config.php and disabling file editing are recommended to mitigate the effects of a potential attack.
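The login limit that WordPress lacks by default can be added with a small must-use plugin, shown here as an added example (not code from the original post or from WordPress itself). It counts failed attempts per client IP in a transient and rejects further logins once a threshold is reached; the threshold, lockout window and the `flt_` names are assumptions chosen for the illustration.

```php
<?php
/*
Plugin Name: Failed-login throttle (illustrative example)
Description: Counts failed wp-login.php attempts per client IP in a transient and
             rejects further attempts from that IP once a threshold is reached.
*/

// Added example; place this file in wp-content/mu-plugins/ to load it as a
// must-use plugin. The two limits below are assumptions, not WordPress defaults.
const FLT_MAX_FAILURES = 5;        // failures allowed before the IP is locked out
const FLT_LOCKOUT_SECS = 15 * 60;  // lockout window; also the counter's lifetime

// Transient name for the current client. REMOTE_ADDR is used deliberately:
// honouring X-Forwarded-For would let a client choose its own bucket unless a
// trusted reverse proxy is known to set that header.
function flt_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'flt_fail_' . md5($ip);
}

// Fires on every failed login (including attempts rejected while locked out,
// which therefore refresh the window): increment the counter and reset its TTL.
add_action('wp_login_failed', function () {
    $key   = flt_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, FLT_LOCKOUT_SECS);
});

// Priority 100 runs after the core username/password, cookie and spam-check
// handlers, so a correct password cannot override the lockout: the WP_Error
// returned here is what wp_authenticate() finally sees.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(flt_key()) >= FLT_MAX_FAILURES) {
        // A generic message avoids revealing whether the username exists.
        return new WP_Error('flt_locked_out',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 100, 3);

// A successful login clears the client's counter.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(flt_key());
}, 10, 2);
```

A per-IP counter is little hindrance to a botnet of the size described above, whose attempts arrive from many addresses, so this complements strong passwords and restricted access to /wp-admin/ rather than replacing them.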
Given the potential for harm in running outdated software, WordPress exploits will become more of an issue in the future. Resources like The Exploit Database, which tracks and lists a variety of exploits targeting a multitude of WordPress plugins, are valuable sources of information for developers looking to proactively avoid attacks.
Watch this space!