Failure to patch leaves many WordPress sites vulnerable
Poor updating, and sometimes no updating at all, is leaving large numbers of WordPress websites open to exploitation in cybercriminal campaigns, according to an analysis by WP WhiteSecurity and EnableSecurity, specialist security consultancies in the U.K.
The study of 42,106 WordPress sites listed in Alexa's top one million in a three-day period earlier this month found an astonishing 74 versions of the software in use, with only 18.5 percent of sites updated to the latest version, 3.6.1.
The study was carried out on September 12, only one day after release of that newest version, but the prevalence of older versions is still stark. A total of 6859 sites were using version 3.5.1 (which has eight documented vulnerabilities); 2204 were using version 3.4.2 (12 vulnerabilities); and 1655 were using version 3.5 (ten vulnerabilities).
"This means that 73.2 percent of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools," the WhiteSecurity report states. "It takes a malicious attacker only a couple of minutes to run automated tools that can discover such vulnerabilities and exploit them."
Part of the problem is the turnover of new versions as vulnerabilities are discovered, which outpaces the attention some users give to applying updates. Others might also be reluctant to update in case it breaks websites or interferes with plug-ins. Too many do not secure blogs with strong enough passwords, the security consultants said.
The need for better updating and security has been brought home by news that a large botnet has reportedly compromised high-profile WordPress sites, including Mercury Science and Policy at MIT, National Endowment for the Arts (arts.gov), The Pennsylvania State University, and Stevens Institute of Technology, to launch further attacks.
This in turn might be connected to a high-profile brute force attack on sites using the platform in April, which was interpreted as a preparation for future attacks. The botnet appears to have gained access to some sites by exploiting software flaws, using these to compromise the credentials of better-secured sites to boost DDoS attacks.
Not the only culprit
The regularity of such campaigns seems to be the new norm, not only against WordPress but against rivals Joomla and Drupal, too.
"WordPress servers have become just another easy target for the nation-state-supported hackers, electronic armies and technical extremists that happen to wake up on the wrong side of the bed on any given day," said Stephen Gates, Corero Network Security's chief security evangelist.
"It's a case of simple math. If you wanted to build a botnet that could generate 100Gbps of attack traffic using older computers sitting behind DSL modems and each machine could generate a modest 1Mbps of attack traffic, how many bots would you need to generate 100Gbps of traffic? The answer is 100,000 machines," he said. "If you instead infected a large number of servers sitting in hosting environments and each server could generate 1Gbps of attack traffic (which most servers today could easily perform) how many would you need to generate 100Gbps of traffic? The answer is simple—100 machines. That's a very small botnet with some serious horsepower."
Given the sheer size of the botnets being fueled by these attacks, the potential to create a DDoS monster was obvious, he said.
A Trend Micro analysis earlier this month put some figures on the scale of what has been happening, with one backdoor campaign compromising as many as 100,000 domains in a single week.