Thankfully, March was a quieter month for WordPress security than February. But if you manage WordPress sites, there are still a few things to be aware of to make sure your sites stay secure.
- WordPress Security Release
- The Biggest Security Problem in WordPress
- GoDaddy Hosting Compromise Backdoors WordPress Sites
- Plugin Vulnerabilities
WordPress 5.9.2 – Security Update
Earlier this month, WordPress released a new version to patch 3 security holes. This newest WordPress version, 5.9.2, fixes three vulnerabilities – one high- and two medium-severity.
The high-severity vulnerability allowed low-permission users to insert malicious code into posts. The medium-severity vulnerabilities allowed attackers to execute code in a user’s browser if they could trick the user into clicking a special link.
While the primary danger of these is to site users (not site owners), sites with malicious code are often blacklisted by search engines. Leaving these vulnerabilities in place could potentially lower your Google rankings.
While many websites were automatically updated, make sure any sites you manage are up-to-date.
The Big WordPress Security Problem
While I post monthly on security vulnerabilities, it’s important to realize that WordPress as a whole is incredibly secure. WordPress runs about 43% of all websites. That’s taking into account every single website online, not only popular sites or blogs.
That’s millions of sites using the same (or similar) code, making WordPress a tempting target. After all, if you can find a major vulnerability in WordPress, you can potentially hack into millions of sites. Or sell that vulnerability for thousands of dollars (or more likely rubles).
So what is the big WordPress security problem? In a word, plugins.
WordPress was designed to be both flexible and easy to use. That design idea has led to an incredible marketplace of 3rd-party plugins. These plugins allow a site administrator with little or no knowledge to add all sorts of functionality to their site.
However, while the WordPress team is full of professional coders, many creators of 3rd-party plugins are not. While they may mean well, a poorly-designed plugin can cause all sorts of security issues.
A paper by cybersecurity company PatchStack on the State of WordPress security found:
- Of known vulnerabilities to WordPress, 99.42% of them came from insecure themes and plugins. Only 0.58% of vulnerabilities came from the core WordPress codebase.
- There has been a 150% increase in the number of vulnerabilities reported from 2020 to 2021.
- A whopping 29% of WordPress plugins with known critical vulnerabilities received no patch. These are installed on sites that are (and will likely always continue to be) compromised (or potentially compromised). These sites simply can’t be trusted – but users of these sites will be unaware of the danger.
- Of all the businesses analyzed, 28% had a budget of $0 for website security. An additional 27% had a monthly budget of $1-3.
These first and last statistics are telling.
WordPress – without plugins – might be some of the most secure software in common use today. While with plugins you are basically rolling the dice with security, and hoping to get lucky.
Additionally, while not every business makes money directly through its website, I’m willing to bet some of these interviewed businesses do. I’m also willing to bet those businesses take steps to secure their physical premises. Since it’s much harder to physically break into a building (you have to have physical access, for starters), it’s shocking that they don’t take the same basic precautions with their internet-connected storefronts (which can be accessed by anyone in the world).
This is one reason why one of my primary goals in building and redesigning sites is to eliminate unnecessary plugins. Every single new plugin or theme you install is an additional risk to your site. Both in terms of security and performance.
GoDaddy Hosting Compromise
Speaking of risk to your site, if you’re on GoDaddy hosting, you may have had a backdoor inserted into your site recently. This warning also applies to GoDaddy resellers (MediaTemple, tsoHost, Domain Factory, etc.).
WordFence reported a large number of WordPress sites were all infected by the same backdoor at almost the same time. All these had one thing in common – they were hosted on GoDaddy’s Managed WordPress service.
The specific backdoor infection (which has been around since 2015) is designed to poison Google search results for the infected site. It also attempts to redirect or trick visitors of a site to visit spam domains instead of the website that they were intending to visit. This kind of attack can damage a site’s reputation, potentially lowering its position in Google and other search engines due to spammy and malicious behavior.
While it’s unclear at the moment how this kind of attack happened, it seems likely that it’s a supply-chain attack. Not only were all the sites hosted at the same place, but GoDaddy reported unauthorized access to its Managed WordPress in November of 2021.
If you’re responsible for a site on GoDaddy’s Managed Hosting, read the full WordFence article to find out how to tell if you’ve been infected.
Fortunately, there was only one major plugin vulnerability disclosed this month.
Photoswipe Masonry Gallery
This plugin is designed to help WordPress users create better-looking galleries that still use the default WordPress gallery builder (for ease of use).
A vulnerability in the way that the plugin accessed administrative privileges could allow an attacker to inject malicious code into certain areas of the site, which would then be executed if a valid site administrator accessed the Photoswipe settings page. The malicious code could either redirect site visitors to malicious pages or create new administrators for a site, thereby causing a site takeover.
If you’re using this plugin, make sure you’re updated to at least the version below.
- Photoswipe Masonry Gallery: 1.2.15
Want to see more WordPress security news? You can find past entries here.