PatchStack, a leader in WordPress security and threat intelligence has recently released a whitepaper outlining the state of security in WordPress in 2021. The paper identifies quite a few staggering statistics, and some that should serve as a wake-up call for WordPress SysAdmins.

Let’s quickly get the important details out of the way:

1. WordPress has be found to be the core content management system behind 43.2% of websites across the internet. Yeah. That’s up from 39.5% at the end of 2020 too.
2. Vulnerabilities from Plugins and Themes remain as one most common threats to WordPress websites, where only 0.58% of vulnerabilities regard the WordPress core itself!
3. In 2021, there has been a 150% growth in vulnerabilities compared to that of 2020.
4. Only 29% of WordPress Plugins actually receive a patch!

The PatchStack whitepaper contains a rather interesting and impressive analysis on WordPress security and I highly encourage you to read it if you’re a WordPress admin!

If anything, the take away from these points is to freaking take it easy with plugins!

Why WordPress

Whether it’s a simple blog, or a online store – 43% of the time it’s going to be WordPress at the core.

While WordPress remains as one of the most well balanced tools in terms of simplicity and capability, it’s frequent and ignorantly unpatched usage makes identified vulnerabilities of high value for threat actors.

WordPress provides over 59,000 plugins free to be installed by admins. Plugins, that are rapidly churned out with little oversight and maintenance in the hopes of turning a profit in donations and subscriptions.

A quick search online for a guide on how to do something on WordPress will show results plagued with adverts for plug-and-play style solutions. There’s a market for these kinds of solutions, and small businesses are willing to pay for their fancy websites.

Frequently New, Commonly Unpatched

PatchStack’s Whitepaper reports that in 2020, 96.22% of WordPress vulnerabilities pertained to the plugins and themes. In 2021, that statistic increased to 99.42%.

With over 59,000 plugins available on WordPress as of 2022, 29% of those with critical vulnerabilities reported received no update from their developers. Some plugins have been removed from the WordPress repository for failing to address security concerns.

Can’t happen to the big ones?

It can, while not quite as severe in most cases, the need for caution remains.

WordPress Plugin Elementor this year suffered a Remote Code Execution (RCE) vulnerability, a plugin that has over 5 million active installs according to WordPress.

PluginVulnerabilities posted an article regarding this RCE. Stating that through monitoring they identified a threat actor probing for the usage of the WordPress plugin Elementor, looking for /wp-content/plugins/elementor/readme.txt.

“What we immediately found was that plugin isn’t handling basic security right, as we found many functionalities where capabilities checks were missing where they shouldn’t. While some of those where not accessiblemyer to users that shouldn’t have access, we found at least one that is and the functionality accessible leads to one of the most serious types of vulnerabilities, remote code execution (RCE). That means that malicious code provided by the attacker can be run by the website.”

It was identified that this vulnerability has been addressed in version 3.6.4. Though I feel that PatchStack summarises the criticality of this vulnerability well.

“The widely popular WordPress website builder plugin Elementor, which has over 5 million active installations, has recently released version 3.6.3 which contains an important security fix. This vulnerability could allow any authenticated user, regardless of their authorisation, to upload arbitrary files to the site. The arbitrary file upload vulnerabiltity could allow someone to take over the entire site or perform remote code execution (RCE). Please updated immediately!“

Hat’s off to Elementor for pushing an update so quickly, with an active installation count as wide as theirs, you’d certainly hope to expect it. This isn’t always the case, especially with plugins that serve a more niche function.

Exploit Wednesday

Vulnerabilities with popular plugins and themes comes a wider-spread exploit attempt by threat actors. When a vulnerability becomes known, bots begin scanning the web for potential targets, particularly so once a patch has been released.

A similar thing occurs with Microsoft’s Patch Tuesday. MSFT releases patches for their products on the second Tuesday of each month. Unfortunately what follows is known as Exploit Wednesday, where threat actors have a short period of time to reverse engineer a patch to find the underlying exploit, and execute this on potential targets.

While WordPress and it’s nearly 60K plugins does not necessarily synchronise their patch releases, you can be sure that motivated threat actors are watching the update feeds, awaiting the next patch to reverse engineer.

The Advice

Stick with the most bare-bones WordPress installation and accept that as with most things – there is a trade-off between security, and capability or flexibility.

With a easily accessible database of WordPress vulnerabilities so clearly identified, there are hundreds of bots scanning random internet addresses, looking for WordPress based servers operating on TCP ports 80 and 443.

Once you’re identified as a WordPress site, the attempts at exploiting various known vulnerabilities does not stop.

Yes, that means dumping your Emoji Reaction Rating plugin, or the super cool Asteroids Widget that turns your website into a game of Asteroids (hasn’t been updated in 10 years as of writing this).

Do not use abandoned plugins. Use ones that are developed and scrutinised by reputable developers. Once a vulnenerability has been patched – update and update fast.

As Patchstack mentions, old vulnerabilities remain frequently targeted. Some with critical vulnerabilities that date back years, still actively targeted. The fix, simply, is to keep your s**t updated, or bin it.

While I thank the smaller developers for putting beautiful packages together, not everyone is perhaps security conscious, motivated or have enough time to put together security patches – sysadmins need to remain heavily cautious when installing additional plugins on their systems.

Sandbox and segment your web server from your network with firewalls, and take frequent backups so you can restore your site stress free if you do get breached.

Finally, you must be prepared for the worst. When exposing your servers to the internet, you must treat them as an extension of the internet and not your network, and by which I mean, assume they are no longer secure!

If your router supports it, put in place strong firewall rules that forbids web servers from chatting to each other or anywhere else on your network.

And if worst comes to worst, and your web server is breached. Be prepared with a backup! This way you can simply; Delete everything lol, restore from backup, remove the exploited plugin (if you know which one), Update your s**t, keep calm and continue WordPressing.