The CMS is often not updated in the way that it should be by users

According to the latest data from the IBM X-Force team, the reasons that WordPress sites are so open to attack are not exactly rocket science.

The WordPress platform pretty much dominates the content management system (CMS) driven web development market. The latest figures suggest it has a 60 percent share.

Cyber-criminals looking to host malicious content are drawn to legitimate sites, especially those that have been established for a while. WordPress often provides the entry point, or more accurately vulnerable and unpatched plugins do.

There have, according to IBM X-Force, been 238 releases of WordPress since May 2003, many of which addressed security issues. Yet five percent of sites had not updated to the latest version, even though the previous versions had vulnerabilities that were being exploited in the wild. WordPress ships with an automatic core update facility enabled by default, but site developers often turn it off for fear that it could break custom plugins and designs.
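The tension described above can be resolved selectively rather than by switching the updater off. The following is an added example, not code from the article, IBM X-Force or the WordPress project: a must-use plugin (loaded from wp-content/mu-plugins/, where it cannot be deactivated from the admin screen) that keeps core, themes and plugins auto-updating while pinning a constructed example slug so bespoke work is left alone; the wp-config.php constants it mentions are real WordPress settings.

```php
<?php
/**
 * Plugin Name: Keep core and plugins patched (added example mu-plugin)
 *
 * Save as wp-content/mu-plugins/keep-patched.php. Pair it with wp-config.php,
 * where the weak and the recommended settings look like this:
 *
 *   // Weak: disables every automatic update, security releases included.
 *   // define( 'AUTOMATIC_UPDATER_DISABLED', true );
 *
 *   // Recommended: let core update itself, major releases included.
 *   define( 'WP_AUTO_UPDATE_CORE', true );
 */

// Belt and braces in case a theme or plugin tries to turn core updates off.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins are the usual entry point, so auto-update them as well. Bespoke
// plugins the site depends on are pinned so an unexpected update cannot
// break them; $pinned holds a constructed example slug, not a real plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $pinned = array( 'example-bespoke-helper' ); // constructed placeholder
    if ( isset( $item->slug ) && in_array( $item->slug, $pinned, true ) ) {
        return $update; // keep WordPress's own decision for pinned plugins
    }
    return true; // everything else updates as soon as a release is available
}, 10, 2 );

// Themes carry the same risk profile as plugins.
add_filter( 'auto_update_theme', '__return_true' );

// Make sure someone hears about each run, failures included, so a silently
// stalled updater is noticed rather than discovered after a compromise.
add_filter( 'auto_core_update_send_email', '__return_true' );
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );
```

Pinned plugins still need a manual patch routine; the email hooks only tell you what the updater did, so a pinned plugin with a public vulnerability remains the site owner's problem to track.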

X-Force found that 68 percent of compromised hosts ran a WordPress version less than six months old, but only 40 percent ran a version less than 30 days old.

SC Media UK asked security professionals, and a long-established web developer, about WordPress being a conduit to compromise and how that might be changed.

Jeffrey Tang, senior security researcher at Cylance, told SC Media UK that "as long as businesses treat IT as a cost centre instead of an operations investment, we're going to continue to see unpatched CMS installations because the costs and risk of running a vulnerable website are not clearly defined."

Ian Trump, head of security at ZoneFox, isn't pointing the finger of blame anywhere in particular on this occasion. "It's not that WordPress, Drupal or any one of a dozen or more CMS are inherently bad," Trump told us, "but setting up a secure web server and keeping it secure is a different art form than simply securing a file and print server inside the firewall." In general, Trump explains, file and print and Active Directory servers don't face the full fury of the Internet; "however content management systems hosting external websites do and their attack surface is gigantic."

Mark Weir, regional director for UK&I at Fortinet, agrees, telling SC "what this really comes down to is making the best choices and implementing the best practices you can within the constraints of your business." If organisations go down the WordPress road, they should consider using a web host with expertise in WordPress and/or dedicated WordPress monitoring services. "If they can host any CMS themselves or on a public cloud service," Weir concludes, "that means they get complete control of the server, and allows them to deal with permissions the right way instead of using insecure workarounds."

Meanwhile Giovanni Vigna, CTO at Lastline, thinks that the biggest problem is with the "long tail of web sites that receive sporadic maintenance" and then become "prime targets for cyber-criminals as they have been around long enough that their domain has now a good reputation."

Javvad Malik, security advocate at AlienVault, reckons that the WordPress security model is not too dissimilar to AWS' shared responsibility model; namely that "users lack the knowledge of what security aspects are their responsibility when it comes to maintaining WordPress." That means raising awareness amongst WordPress users has to be the first course of action if security is to improve. Malik continues: "the second aspect would be to give the right tools in the hands of users so they can audit their site themselves."

We will leave the last word to David Coveney, a director at interconnect/it, which specialises in web design for large-scale, high-traffic sites. A WordPress consultant for many years, Coveney told SC that "Enterprise WordPress providers, whether ones through WordPress.com VIP or independents like ourselves tend to run very hardened servers as a matter of course, which mitigates against many of the vectors that can come in." Such hardening naturally includes very strict rules about plugins that can be used. He admits, however, that "the majority of WordPress site owners simply don't know better and probably never will."