Two WordPress Plugin Bugs Expose Over One Million Sites
WordPress is the go-to CMS for most people looking to make their voices heard in the digital world. For a CMS powering a quarter of the internet, its one fall from grace has always been security.
We have seen countless instances of irrelevant-keyword attacks, spam linking, SQL injections, brute-force attacks and, most recently, malvertisers trying to ruin the WordPress experience for everyone.
But WordPress took a real hit just a few days ago when security vulnerabilities were found in two of its most popular plugins, exposing millions of websites to hacks and exploitation.
Worried about these flaws, WordPress researchers and security analysts urged the administrators at WordPress HQ to create patches for the two vulnerabilities.
Wordfence, a widely used security plugin for WordPress, says that through these vulnerabilities attackers can trick users into clicking a dodgy link that might lead to a phishing attack on their site, and through that attack can also gain remote access to the site.
Wordfence took the necessary steps and notified the plugin developer so the changes could be made. The firm released a patch a day later.
The worst part about this vulnerability was that it was found in a popular page builder plugin with users all around the world. Equipped with features like a live editor, the plugin promises to make page creation and post editing easier. Moreover, it is a plugin that is “recommended” by most theme vendors when you install WordPress or the WooCommerce plugin. Suffice it to say that the majority of those users were people with little to no knowledge of code.
While the plugin developers have managed to create patches for it, the vulnerability itself has a Common Vulnerability Scoring System (CVSS) rating of 8.8. With such high severity, analysts predict that the flaw has the potential to affect future versions of the plugin.
Users are now being told to upgrade to the latest version of the plugin to reduce the chances of being compromised through this threat.
To keep plugins secure, researchers have pointed out the following recommendations:
- If there are subscriber-level users on your site that you did not create yourself, remove them.
- Remove any files named “wp-xmlrpc.php”.
- Check the plugins directory for any unknown files or folders.
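The two file-system checks in that list can be scripted so they are repeatable across every site you administer. The script below is an added example written for this article; it is not code from the article, from Wordfence, or from the plugin's developers. It assumes the WordPress install root is passed as the first argument and that you maintain a plain-text allowlist of the plugin directory entries you installed on purpose (one name per line). The sample site it builds under a temporary directory is constructed here purely so the checks can run offline. The subscriber-account check needs a live database and is left to WP-CLI, as noted in a comment.

```shell
#!/bin/sh
# Added example, not code from the article or from Wordfence: walks a
# WordPress install and reports the two file-system indicators the article
# lists. Assumed inputs: $1 is the install root, $2 is a plain-text allowlist
# with one expected entry of wp-content/plugins per line.
#
# The third recommendation (unexpected subscriber accounts) needs a live site.
# With WP-CLI the listing is:
#   wp user list --role=subscriber --fields=ID,user_login,user_email,user_registered

# Indicator 1: any file named wp-xmlrpc.php. WordPress core ships xmlrpc.php
# in the site root; the wp- prefixed name is not a core file, so every hit
# deserves a look, wherever it sits in the tree.
find_rogue_xmlrpc() {
    find "$1" -type f -name 'wp-xmlrpc.php' | sort
}

# Indicator 2: entries in wp-content/plugins that are not on the allowlist.
# Dotfiles are included (ls -A) because dropped files are often hidden that
# way, and loose .php files count too, since real plugins live in their own
# directory (core ships only index.php and hello.php as loose files there).
find_unknown_plugins() {
    ls -1A "$1/wp-content/plugins" | grep -vxF -f "$2" || true
}

# Constructed sample install (not a real site) so the checks run offline.
# Prints the path of the temporary directory it creates.
build_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-includes" "$site/wp-content/uploads/2020" \
             "$site/wp-content/plugins/akismet" \
             "$site/wp-content/plugins/example-page-builder" \
             "$site/wp-content/plugins/unlisted-plugin"
    : > "$site/xmlrpc.php"                             # legitimate core file
    : > "$site/wp-xmlrpc.php"                          # indicator 1
    : > "$site/wp-content/uploads/2020/wp-xmlrpc.php"  # indicator 1, buried in uploads
    : > "$site/wp-content/plugins/index.php"           # core-shipped loose file
    : > "$site/wp-content/plugins/hello.php"           # core-shipped loose file
    : > "$site/wp-content/plugins/.cache.php"          # indicator 2, hidden dotfile
    printf '%s\n' akismet example-page-builder index.php hello.php \
        > "$site/plugin-allowlist.txt"
    echo "$site"
}

# Stand-alone run against the constructed site.
site=$(build_sample_site)
echo "== wp-xmlrpc.php files under $site"
find_rogue_xmlrpc "$site"
echo "== plugin entries not on the allowlist"
find_unknown_plugins "$site" "$site/plugin-allowlist.txt"
rm -rf "$site"
```

On a real install, run `find_rogue_xmlrpc /var/www/site` and `find_unknown_plugins /var/www/site /etc/wp-plugin-allowlist.txt` from a cron job and alert on any output; an empty result is the expected state. Keep the allowlist under version control so a change to it is itself reviewable.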
The Rise in WordPress Hacks
The news of this vulnerability comes just a few days after Wordfence detected a massive surge in cross-site scripting (XSS) attacks against several other WordPress plugins and themes. For its part, Wordfence notified WordPress admins of this rise.
Over the past month there has been a rise in WordPress attacks, with over 900k sites attacked from a total of 24k IP addresses, all of them coming from the same group of attackers.
Again, the goal of these attacks is to gain remote access to your WordPress site and plant malicious code on it. Wordfence also warns that the attacks may change over time as attackers try to exploit new vulnerabilities in WordPress.
Secure Your Site From Vulnerabilities
Besides the recommendations mentioned above, you can take the following WP security measures:
- Always choose a developer who considers best practices during WordPress development.
- Use stronger passwords for your hosting account as well as your WordPress account.
- Add two-factor authentication to your WordPress logins.
- Automatically log out users who have been idle for some time.
- Restrict access to your wp-admin directory and your wp-config.php file.
- Use SSL so that traffic to the site is encrypted.
- Add users to your site with care.
- Continuously monitor your audit logs.
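Several of these measures come down to a handful of settings in wp-config.php, and it is worth checking them mechanically rather than by eye. The audit script below is an added example written for this article, not code from the article or from Wordfence. It assumes the path to wp-config.php is passed as the first argument and checks five things: that `FORCE_SSL_ADMIN` and `DISALLOW_FILE_EDIT` (both standard WordPress constants) are set to true, that the placeholder salts from the stock config have been replaced, that `DB_PASSWORD` is not empty, and that the file is not world-readable. The two sample configs it writes are constructed for the demonstration and contain no real credentials.

```shell
#!/bin/sh
# Added example, not from the article or from Wordfence: audits a wp-config.php
# against a few of the hardening points above (TLS for the admin area, no
# in-dashboard code editing, real salts, a set database password, and a file
# mode that keeps other local users out). Assumed input: $1 is the path to
# wp-config.php. Findings are printed one per line; no output means every
# check passed.

# True when FILE ($2) defines constant NAME ($1) to PHP true, e.g.
#   define( 'FORCE_SSL_ADMIN', true );
const_is_true() {
    grep -Eq "define\([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$2"
}

audit_wp_config() {
    f=$1
    # FORCE_SSL_ADMIN makes WordPress serve the login page and wp-admin over HTTPS only.
    const_is_true FORCE_SSL_ADMIN "$f" || echo "FORCE_SSL_ADMIN is not true: admin sessions can travel in clear text"
    # DISALLOW_FILE_EDIT removes the theme/plugin editor from the dashboard, a
    # common way to plant code once an admin account is compromised.
    const_is_true DISALLOW_FILE_EDIT "$f" || echo "DISALLOW_FILE_EDIT is not true: dashboard file editor is enabled"
    # The stock wp-config-sample.php ships every salt as this placeholder string.
    grep -q 'put your unique phrase here' "$f" && echo "placeholder salts still present: replace with unique values"
    # An empty database password.
    grep -Eq "define\([[:space:]]*['\"]DB_PASSWORD['\"][[:space:]]*,[[:space:]]*(''|\"\")" "$f" && echo "DB_PASSWORD is empty"
    # A world-readable file exposes the DB credentials and salts to other local users.
    [ -n "$(find "$f" -perm -004)" ] && echo "wp-config.php is world-readable ($(ls -l "$f" | cut -c1-10))"
    return 0
}

# Constructed sample configs (not real credentials) so the audit runs offline.
write_weak_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', '' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
    chmod 644 "$1"
}

write_hardened_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'constructed-sample-password-only' );
define( 'AUTH_KEY',         'Kq3!v7&zP)1c~Xb9Ln2#Ry8Ws4' );
define( 'SECURE_AUTH_KEY',  'M5@hT2(eB8+Qd0^Gj6Vf1%Zc3N' );
define( 'FORCE_SSL_ADMIN', true );
define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'wp_';
EOF
    chmod 600 "$1"
}

# Stand-alone run: the weak config should produce five findings, the hardened one none.
dir=$(mktemp -d)
write_weak_config "$dir/weak-wp-config.php"
write_hardened_config "$dir/hardened-wp-config.php"
echo "== weak config"
audit_wp_config "$dir/weak-wp-config.php"
echo "== hardened config"
audit_wp_config "$dir/hardened-wp-config.php"
rm -rf "$dir"
```

Point `audit_wp_config` at the live file after every deployment or plugin update; a config that has been regenerated by a hosting panel or migration tool can silently lose these settings. The salts check only catches the stock placeholder, so it is a floor, not proof that the salts are strong.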
Lastly, keep yourself aware of the latest WordPress security news. In the event a security breach does happen, you will be able to act on it quickly.