WordPress plugin vulnerabilities are a hackers playground

What do TechCrunch, BBC America, PlayStation and MTV News all have in common?

Each of their websites is powered by WordPress.

Over 74.6 million, or roughly 30 percent, of the world’s websites, depend on WordPress to power their online platforms. Every second there are over six new WordPress.com posts and over 47,000 plugins, with the number growing daily. While the plugins and many features of the platform allow companies to present their content in an informative and creative matter, there are several dangers involved.

Recently, news broke that hackers were exploiting a critical vulnerability in WordPress plugin Simple Social Buttons. The vulnerability allowed privilege escalation so that non-admins could take over administrator accounts or even whole websites. The official WordPress Plugins repository said this plugin was installed on more than 40,000 different websites.

Unfortunately, this is not the first reported vulnerability in a WordPress plugin. In December of 2018, there were seven different issues that allowed hackers to obtain access to a site. Companies who did not update to WordPress versions 4.9.9 or 5.0.1 after the defects were announced were left vulnerable.

Some other recent Wordpress vulnerabilities:

• Authenticated File Delete - which allowed authors the opportunity to alter data to delete files they were not supposed to have access to
• Authenticated Post Type Bypass - which allowed individuals to create posts of unauthorized post types with specially crafted input
• User Activation Screen Search Engine Indexing - which exposed emails and default-generated passwords to search engines

Each of these WordPress vulnerabilities, but especially this latest one, emphasize the challenges and risks of using a large body of third-party maintained code. Methods to exploit these vulnerabilities are already available online, so it’s absolutely critical that all companies implement the patch distributed by the company immediately. If not, enterprises risk becoming the next major breach victim.

However, there are steps an organization can take to mitigate the risk of breaches prior to any patches or WordPress fixes.

5 tips to keep Wordpress from security hacks and vulnerabilities

1. Implementing web application firewalls (WAFs) or runtime application self-protection
   
   WAFs function by inspecting all traffic flowing to the web application for common attacks. By implementing these controls, businesses limit the likelihood of hackers successfully exploiting any vulnerabilities. Runtime application self-protection technology identifies and blocks any security threats to applications in real time, without any human intervention.
    
2. Using software composition analysis (SCA) to find vulnerable platforms and third-party libraries and add them to standard patch management (where possible)
   
   Ninety percent of code comes from an open source and third-party libraries. If an organization is using WordPress, it is important to verify that they have the latest version of a plug-in or code and they are free of security issues.
   
   The simplest ways WordPress users can protect themselves is by paying attention to any updates WordPress puts out and upgrading any software they are using that is outdated.  One way to do that is using SCA. SCA allows you to investigate the license of each component and identifies out-of-date libraries that should be upgraded or patched.
    
3. Prioritizing security training and education  
   
   The only way an organization’s cybersecurity team can successfully battle threats is if they are given the proper training to do so. By incorporating training and mentor programs, you are giving your team the tools to become prosperous cybersecurity professionals. In order to keep up with the latest in the cyber threat landscape, security teams can stay up to date with the latest information by:
   
   Compiling a list of reliable news sources
   Developing an internal method of tracked communication for the security team to share details on new vulnerabilities with engineering and operations teams
   Taking part in public forums with other security professionals from around the world
    
4. Continuous testing of applications and monitoring for updates
   
   The best way to find problems is to continuously monitor for them. Enterprises need to be going back and reviewing old issues so they can help prevent them from happening again. This can be accomplished through automated testing of the codebases (static application security testing) and automated testing of the application itself (dynamic application security testing).  In addition, professionals need to stay alert and learn about the newest in the threat landscape.
    
5. Implementing a DevSecOps process by making security testing a part of the entire lifecycle of an application
   
   With more entryways vulnerable to attack, the frequency of attacks has also increased. The term DevSecOps looks to integrate and open cross-functional organizational structures and communications to include application security throughout the software life cycle (SLC). This approach seeks to lower the number of vulnerabilities and increase efficiency for detection to time-to-fix rate.
    
6. As with anything on the internet today, using WordPress to power your website comes with several risks attached. However, by prioritizing cybersecurity across all of your applications, businesses will be able to protect themselves and avoid becoming the next victim exploited by a hacker.