Unplug Those High Risk WordPress Plugins!

WordPress is a free and open source blogging tool based on PHP and MySQL that has evolved into a full content management system (CMS) with a plug-in architecture and a template system that extends its power and functions beyond basic expectations.

Because of its open source nature, one of the greatest benefits WordPress users enjoy is that hundreds of people all over the world are free to use it, work on it, and develop other products based on it that are plowed back into the WordPress marketplace and community. This has resulted in tens of thousands of plugins and themes flooding the market today. However, this freedom has also made WordPress a popular target for attacks, especially through third-party plugins that never go through, or fail, coding standards and security review, leaving sites vulnerable to hackers and mass malware infections.

In recent research conducted by Checkmarx, a security solutions provider that uses automated code analysis, it was found that more than 20% of the most popular WordPress plugins are vulnerable to web attacks.

According to the Report:

20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.

  • These plugins are vulnerable to SQL Injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Path Traversal (PT).

7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks. This amounts to more than 1.7 million downloads of vulnerable e-commerce plugins.

There is no correlation between the number of Lines of Code (LOC) and the vulnerability level of the plugins.

  • Smaller code does not necessarily mean safer code. On the contrary, some plugins containing only a few thousand lines of code had more types of vulnerabilities than plugins containing tens of thousands of lines of code.

Vulnerable top 50 general plugin types vary.

  • e-commerce, feed aggregators, APIs, social network linking

Only six plugins were completely fixed in a 6-month time period – although all plugins updated their versions during this time.

  • A first scan, run in January 2013, showed a higher rate of vulnerable plugins: more than a third (18 out of 50) were vulnerable. In total, this meant that nearly 18.5 million vulnerable plugins were downloaded. That first scan also revealed the existence of RFI/LFI vulnerabilities.

Recommendations

WordPress plugin vulnerabilities affect three major parties: the web admins, the plugin developers, and WordPress itself. Below are some of the recommendations stated in the report.

For Web Admins

  • Download plugins only from reputable sources. For WordPress, this means WordPress.org
  • Verify the security posture of the plugin by scanning it for security issues
  • Ensure all your plugins are up to date
  • Remove any unused plugins

For Plugin Developers

  • Integrate security within the plugin development
  • Run the plugin through a code scanner to ensure that it stands up to a security standard
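As an added illustration of what "integrating security within plugin development" means for the four issue classes the report counts (SQLi, XSS, CSRF and path traversal), here is a hypothetical plugin request handler written insecurely and then hardened with WordPress's own APIs. This is example code, not from the report or any real plugin; the table name, upload sub-directory and action name are assumptions.

```php
<?php
// Added example (hypothetical plugin; not from the report or any real plugin).
// The insecure handler shows the four issue classes the report counts; the
// hardened handler closes each with WordPress's own APIs. The table name
// "wpex_notes", the upload sub-directory and the action name are assumptions.
// --- Insecure handler: one line per finding class ---
function wpex_export_note_insecure() {
    global $wpdb;
    $id   = $_GET['id'];   // raw, unvalidated request input
    $file = $_GET['file'];
    $row  = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}wpex_notes WHERE id = $id" ); // SQLi
    echo '<h2>' . $row->title . '</h2>';                    // XSS: unescaped output
    readfile( WP_CONTENT_DIR . '/uploads/wpex/' . $file );  // Path traversal: '../' honoured
    // No nonce or capability check, so a forged request from another site succeeds (CSRF)
}

// --- Hardened handler ---
function wpex_export_note_secure() {
    global $wpdb;
    // CSRF and authorisation: valid nonce plus an administrative capability.
    check_admin_referer( 'wpex_export_note' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', 403 );
    }

    // SQLi: coerce the id to an integer and bind it with a prepared statement.
    $id  = absint( $_GET['id'] ?? 0 );
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT title FROM {$wpdb->prefix}wpex_notes WHERE id = %d", $id
    ) );
    if ( ! $row ) {
        wp_die( 'Not found', 404 );
    }
    // XSS: escape on output.
    echo '<h2>' . esc_html( $row->title ) . '</h2>';
    // Path traversal: reduce the name to a plain file name, resolve it, and
    // confirm the resolved path is still inside the intended directory.
    $base = realpath( WP_CONTENT_DIR . '/uploads/wpex' );
    $name = sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) );
    $path = ( '' === $name || false === $base ) ? false : realpath( $base . '/' . $name );
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file', 400 );
    }
    readfile( $path );
}

// Only logged-in users reach admin_post_{action}; the nonce check above does the rest.
add_action( 'admin_post_wpex_export_note', 'wpex_export_note_secure' );
```

A static scanner of the kind the report recommends flags exactly the patterns in the insecure version: string-built SQL, unescaped echo, unchecked file paths, and handlers with no nonce or capability check.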

SMBs or simple home-based businesses that do not have a built-in or sophisticated IT department to go through all these checks and balances run a high risk because of the great deal of trust they place in available third-party plugins (especially the free ones). Web administrators need to be more discerning and thorough in their research before installing any plugins on the sites they manage. Plugin developers need to be self-governing and abide by secure coding best practices. As each one does their part, the whole WordPress community stands to benefit in the end.