WordPress is one of the most popular Web publishing platforms. The vast catalog of plugins is part of what makes WordPress so powerful, but it can also be its Achilles' heel. According to security researchers at Sucuri, a million-plus WordPress sites are exposed to serious risk, thanks to a flaw in the WP-Slimstat plugin.
The Sucuri blog post explains, “During a routine audit for our WAF [Web application firewall], we discovered a security bug that an attacker could, by breaking the plugin’s weak ‘secret’ key, use to perform a SQL Injection attack against the target website.”
The blog goes on to explain that a successful exploit could allow the attacker to access or download sensitive information such as usernames, encrypted passwords, and possibly the WordPress secret keys. Armed with the WordPress secret keys, the attacker would be able to hijack the entire WordPress site.
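The root cause Sucuri describes is a “secret” key that could be broken, which in practice means a key derived from something an attacker can narrow down. The following is an added illustration, not WP-Slimstat's code or its actual key scheme: it contrasts a key derived deterministically from a constructed low-entropy input (an install timestamp, used here purely as a hypothetical example) with a key drawn from the operating system's CSPRNG, and shows the HMAC signing and constant-time verification a plugin should perform with a proper key. All function names and the sample payload are assumptions for the example.

```python
"""Added illustration: why a guessable "secret" key is no secret at all.

Hypothetical, not WP-Slimstat's real scheme. A key that is a deterministic
function of a value the attacker can bound (e.g. a timestamp) has at most
as many candidates as that value does; a key from the OS CSPRNG does not.
"""
import hashlib
import hmac
import math
import secrets


def effective_bits_for_window(window_seconds: int) -> float:
    """Upper bound on key strength when the only unknown input is a
    timestamp that falls inside a window of `window_seconds` seconds."""
    return math.log2(window_seconds)


def weak_key_from_timestamp(install_ts: int) -> str:
    """Constructed anti-pattern: key = hash of a guessable value. The hash
    adds no entropy; the keyspace is still just the timestamp window."""
    return hashlib.md5(str(install_ts).encode()).hexdigest()


def strong_key() -> bytes:
    """256 bits from the OS CSPRNG; no relationship to any public value."""
    return secrets.token_bytes(32)


def sign(key: bytes, payload: bytes) -> str:
    """HMAC-SHA256 tag over a request payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: bytes, signature: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(sign(key, payload), signature)


if __name__ == "__main__":
    one_year = 365 * 24 * 3600
    print(f"timestamp-derived key, 1-year window: ~{effective_bits_for_window(one_year):.1f} bits")
    print("random 32-byte key: 256 bits")

    k = strong_key()
    payload = b"action=get_stats&page=1"      # constructed sample request
    tag = sign(k, payload)
    print("valid request accepted:", verify(k, payload, tag))
    print("tampered request rejected:", not verify(k, b"action=get_stats&page=2", tag))
```

The arithmetic is the whole point: roughly 25 bits of uncertainty for a key tied to a one-year timestamp window is within reach of an ordinary machine, whereas 256 random bits are not, and no amount of hashing on top of a guessable input changes that.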
Sucuri sums up by stressing, “This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible.”
How much is a million?
Sucuri estimates that there are over a million WordPress sites possibly at risk due to WP-Slimstat. That’s a large number, but in the grand scheme of things it’s not that bad.
There are nearly 75 million WordPress sites live on the Internet right now. Almost half of the Technorati Top 100 blogs run on WordPress. The New York Times, CNN, and many other iconic Web destinations depend on WordPress.
One of the primary benefits of the WordPress platform is that there is almost guaranteed to be a plugin to do just about anything you can imagine doing on a website. There are almost 30,000 WordPress plugins that have been downloaded a combined total of more than 286 million times. Against that massive backdrop, the one million or so vulnerable WP-Slimstat sites represent just over one percent of the total WordPress base.
Be careful how you WordPress
“The number one recommendation I can make with every WordPress install is to be absolutely sure that it isn’t hosted on a machine that has access to anything of value,” exclaimed Matt Johansen, senior manager of the Threat Research Center for WhiteHat Security. “Full stop. It is the Windows XP of the web and has a giant target on its back, front, and side.”
According to Johansen, plugins are a double-edged sword. They extend the features and capabilities of WordPress, but almost anyone can write and publish a plugin. There’s no quality assurance and no vetting in place to ensure that a plugin works as advertised and doesn’t contain security flaws or malware. You have to do some homework and make sure you’re selecting plugins that are both functional and trusted.
Johansen said, “These boxes will get hacked and the best thing to do is make sure that if they do, that nothing but your blog is affected. Have backups so that you can just kill the infected machine and spin up a new blog ASAP.”
If you’re using the WP-Slimstat plugin you should follow Sucuri’s advice and update your WordPress site as soon as possible. Regardless of whether you’re using the vulnerable plugin, this is a good time to take a look at the plugins you do have installed. Make sure they’re updated and remove any plugins that you don’t actively use.
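Both pieces of advice above, choosing only trusted plugins and keeping installed ones updated or removed, can be turned into a routine check. The script below is an added example, not from the article or from Sucuri or WhiteHat: it triages the inventory that `wp plugin list --format=json` emits (the `name`, `status`, `update` and `version` fields) against an allow-list of plugins you have vetted, and prints the WP-CLI commands that would act on the result. The JSON sample is constructed for the example; every plugin name other than wp-slimstat, the version strings, and the allow-list are placeholders.

```python
"""Added example: triage a WordPress plugin inventory.

Input is the JSON that `wp plugin list --format=json` produces. Rules:
  - anything with an update available needs updating
  - anything inactive is a removal candidate (attack surface for no benefit)
  - anything not on the vetted allow-list is flagged for review
"""
import json
from typing import Dict, List, Set

# Constructed sample of `wp plugin list --format=json` output. Names other
# than wp-slimstat and all version strings are placeholders.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "wp-slimstat",     "status": "active",   "update": "available", "version": "0.0.0-placeholder"},
    {"name": "example-forms",   "status": "active",   "update": "none",      "version": "1.0"},
    {"name": "example-gallery", "status": "inactive", "update": "available", "version": "2.3"},
    {"name": "example-seo",     "status": "inactive", "update": "none",      "version": "4.1"},
])

# Hypothetical allow-list of plugins the site owner has actually vetted.
APPROVED: Set[str] = {"wp-slimstat", "example-forms", "example-gallery"}


def triage_plugins(plugin_list_json: str, approved: Set[str]) -> Dict[str, List[str]]:
    """Classify each installed plugin; a plugin may land in several lists."""
    plugins = json.loads(plugin_list_json)
    needs_update = sorted(p["name"] for p in plugins if p.get("update") == "available")
    unused = sorted(p["name"] for p in plugins if p.get("status") == "inactive")
    unapproved = sorted(p["name"] for p in plugins if p["name"] not in approved)
    return {"needs_update": needs_update, "unused": unused, "unapproved": unapproved}


def wp_cli_commands(triage: Dict[str, List[str]]) -> List[str]:
    """Turn the triage into WP-CLI actions. Inactive plugins are deleted
    rather than updated: there is no reason to patch code you do not run."""
    unused = set(triage["unused"])
    cmds = [f"wp plugin update {name}" for name in triage["needs_update"] if name not in unused]
    cmds += [f"wp plugin delete {name}" for name in triage["unused"]]
    return cmds


if __name__ == "__main__":
    result = triage_plugins(SAMPLE_WP_PLUGIN_LIST, APPROVED)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    print("\nsuggested actions:")
    for cmd in wp_cli_commands(result):
        print(" ", cmd)
    if result["unapproved"]:
        print("\nreview before keeping:", ", ".join(result["unapproved"]))
```

On a live site you would pipe the real inventory in (`wp plugin list --format=json`) and review the printed commands before running them; the allow-list is the part that forces the “do your homework” step Johansen describes, because an unvetted plugin shows up as an exception rather than disappearing into the list.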