WordPress is an open-source blogging platform and content management system (CMS). Since its inception in 2003, WordPress has become widely used, and its development remains very active. It is made up of more than 200,000 lines of code (written mostly in the PHP scripting language) and is used by more than 64 million websites on the Internet. Although WordPress is considered a mature platform, regular updates address serious security vulnerabilities that may be used by an attacker targeting a WordPress site.
WordPress vulnerabilities are even more of a threat when combined with recent large-scale brute-force attacks targeting WordPress websites. These threats are important considerations if you host a website on wordpress.com or use the platform on a different host. If you use WordPress, have you taken steps to secure your installation? Basic security precautions, a strong password policy, and a regular update schedule can have multiple benefits:
- Helps ensure your system isn't compromised.
- Minimizes damage if a compromise does occur.
- Prevents your server from becoming part of a botnet used to launch further scans or attacks.
Vulnerabilities may be in WordPress core and plugins
Attackers commonly abuse vulnerable third-party WordPress plugins, which may introduce additional security flaws into a WordPress installation. During the last weeks of April 2013, vulnerabilities affecting the WP Super Cache and W3TC WordPress plugins (related to caching and website optimization) gained attention. Successful exploitation of these critical flaws may allow an attacker to execute arbitrary PHP code on a vulnerable system. Updated versions of both plugins have been released and should be applied as soon as possible. Users should vet WordPress plugins carefully, and completely remove unwanted or unnecessary plugins. Searching The Exploit Database, as illustrated in Figure 1, reveals a variety of exploits targeting a multitude of WordPress plugins.
Several exploits targeting WordPress are also included in the Metasploit exploitation framework. The existence of these exploit modules makes it easier for an unskilled attacker to launch attacks and underscores the importance of keeping WordPress up to date. Even without the use of plugins, the WordPress core has suffered from serious vulnerabilities. The following security vulnerabilities have been addressed by recent WordPress updates:
- Server-side request forgery (SSRF) and remote port scanning via pingbacks.
- Cross-site scripting (XSS) via shortcodes and post content.
- Cross-site scripting (XSS) in the external library Plupload.
- Fix unfiltered HTML capabilities in multisite.
- Fix possible privilege escalation in the Atom Publishing Protocol endpoint.
- Allow operations on network plugins only through the network admin.
- Hardening: Simplify error messages when uploads fail.
- Hardening: Validate a parameter passed to wp_get_object_terms().
- Privilege Escalation/XSS. Critical. Administrators and editors in multisite were accidentally allowed to use unfiltered_html for 3.4.0.
- CSRF. Additional CSRF protection in the customizer.
- Information Disclosure: Disclosure of post contents to authors and contributors (such as private or draft posts).
- Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information.
- Hardening: Require a child theme to be activated with its intended parent only.
- Cross-Site Scripting: Fix persistent XSS via editable slug fields. (Also fixed in 3.4.0.)
- Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information. (Also fixed in 3.4.1.)
- Hardening: Require a child theme to be activated with its intended parent only. (Also fixed in 3.4.1.)
- Information Disclosure: Restrict some post IDs when dealing with media uploading, which could leak some info (or attach media to a post the user doesn't have privileges to). (Also fixed in 3.4.0.)
- Information Disclosure: Hide post excerpts when the user cannot read the whole post (e.g., a contributor can't read someone else's draft beyond the title). (Also fixed in 3.4.0.)
- XSS Hardening: Escape the output of get_pagenum_link(). Note that this function was previously considered to have returned unescaped data, so this was not a vulnerability, but an enhancement. (Also fixed in 3.4.0.)
- CSRF Hardening: Prevent unfiltered HTML in comments when there is potential for clickjacking (i.e., when the front-end of the site is loaded in a frame). (Also fixed in 3.4.0.)
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
- Cross-site scripting vulnerability when making URLs clickable.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
- Cross-site scripting (XSS).
To limit exposure to attacks, updated versions of WordPress should be tested and deployed as soon as possible. Without additional security controls, unpatched flaws may affect any WordPress site, regardless of which plugins may be installed.
Updating is important
A major WordPress version update is usually available every six months. Third-party plugins may be updated at any time. WordPress has the option to update itself automatically (see Figure 2), but this functionality may not always work. It may fail for a variety of reasons, such as plugin or database issues. Many organizations opt out of automatic updates and deploy updated versions manually so that they can perform additional testing. This patch and update schedule is virtually continuous and difficult to maintain, but it is necessary to maintain an acceptable level of security.
In April 2013, a large brute-force campaign targeting WordPress websites was observed. It is reported that a botnet consisting of more than 90,000 servers is being used to scan the Internet for WordPress websites and is attempting to log in to the Administrator's account using a list of commonly used passwords. Servers using simple passwords such as "123456" or "qwerty" would quickly fall victim to this attack. If an attacker successfully logs in, a backdoor is installed for future use. Compromised websites may then be used for other activities, such as scanning for more WordPress sites and participating in distributed denial of service (DDoS) attacks.
To protect against brute-force attacks, use long passwords that include a combination of uppercase and lowercase characters as well as symbols (#$%^&@), and rename the Administrator's account to something other than "admin". By default, WordPress does not limit incorrect logins, which allows an attacker to make a large number of attempts in rapid succession. This ability increases the odds that an attacker will correctly guess the password. Several WordPress plugins limit the number of login attempts, but plugins themselves generally increase the attack surface an attacker has at his or her disposal, and may inadvertently allow access via other means.
WordPress users should follow the steps outlined in the Hardening WordPress guide for additional protections. Securing access to /wp-admin/ (the Administrator's login area), using alternate database prefixes, securing wp-config.php and disabling file editing are recommended to mitigate the effects of a potential attack.
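Three of these recommendations can be checked directly against wp-config.php. The following is an added example, not taken from the original article or from WordPress: the function name, finding labels and both sample configurations are constructed, and treating any permission bit for "other" users as too loose is an assumption of this example.

```python
import re
import stat

DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;""")
PREFIX_RE = re.compile(
    r"""^\s*\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]\s*;""", re.M)

def strip_comments(php):
    """Remove block comments and whole-line comments so that a
    commented-out setting is not mistaken for an active one."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"^\s*(//|#).*$", "", php, flags=re.M)

def audit_wp_config(php_source, file_mode):
    """Return a list of hardening findings for one wp-config.php."""
    findings = []
    src = strip_comments(php_source)
    defines = {m["name"]: m["value"].strip().lower()
               for m in DEFINE_RE.finditer(src)}
    if defines.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("file-editing-enabled")      # theme/plugin editor usable
    m = PREFIX_RE.search(src)
    if m is None or m["prefix"] == "wp_":
        findings.append("default-table-prefix")
    if stat.S_IMODE(file_mode) & stat.S_IRWXO:       # assumption: no 'other' access
        findings.append("loose-file-permissions")
    return findings

# Constructed sample: setting commented out, default prefix.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
// define('DISALLOW_FILE_EDIT', true);
$table_prefix = 'wp_';
"""

# Constructed sample: file editing disabled, alternate prefix.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DISALLOW_FILE_EDIT', true );
$table_prefix  = 'k3x9_';
"""

if __name__ == "__main__":
    print(audit_wp_config(WEAK_CONFIG, 0o644))
    print(audit_wp_config(HARDENED_CONFIG, 0o400))
```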
Many hosting providers may supply customers with pre-installed versions of WordPress or similar software, which can quickly become outdated. Given the potential for harm in using outdated software, look for WordPress exploits to become more of an issue in the future, especially for shared hosting providers.
- "W3TC and WP Super Cache Vulnerability Discovered, We've Automatically Patched." CloudFlare blog. April 24, 2013. http://blog.cloudflare.com/w3tc-and-wp-super-cache-vulnerability-discove-17794
- "Patching the Internet in Realtime: Fixing the Current WordPress Brute Force Attack." CloudFlare blog. April 11, 2013. http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br
- "WordPress Sites Targeted by Mass Brute-force Botnet Attack." US-CERT. April 15, 2013. http://www.us-cert.gov/ncas/current-activity/2013/04/15/WordPress-Sites-Targeted-Mass-Brute-force-Botnet-Attack
- "Alert (TA13-024A): Content Management Systems Security and Associated Risks." US-CERT. January 24, 2013. http://www.us-cert.gov/ncas/alerts/TA13-024A