An interesting article from Security Week crossed my monitor today (18 June). It seems that a developer of code analysis tools ran its scanner on the top 50 WordPress plugins (by number of downloads). The vendor, CheckMarx, discovered vulnerabilities in 18 of the top 50 plugins. Seven of the top ten e-commerce plugins for WordPress had security issues.
If you work with WordPress, you know that a plugin is a “helper” program that can be added to a WordPress installation to perform some function that WordPress does not do. Plugins are a real strength for WordPress and most other Content Management Systems (CMS). They extend the capabilities of the base code, allowing a website owner to customize his/her website with little technical knowledge. Literally thousands of Plugins are available for download on WordPress.org for free (some have a free version and a more capable paid version).
The important point here is that WordPress plugins on wordpress.org are not coded or guaranteed by WordPress. Quality standards and support can vary greatly, and blog owners learn quickly that they may need to abandon one plugin and get a similar one with better capabilities. Site owners often adopt a strategy of downloading only the most popular plugins under the assumptions that most of the bugs have already been found by others. However, security vulnerabilities don’t usually manifest themselves as “bugs” that cause the software to malfunction (bomb), so they can lie hidden for years, especially in older code that has been re-used in multiple versions.
So, although the news from Security Week/Checkmarx was a little scary, as it involved the 50 most popular plugins, I wasn’t really all that surprised that vulnerabilities existed. What WAS surprising was the nature of the vulnerabilities. The top two listed were two old enemies, SQL injection and cross-site scripting. The cure for both of these has been known for years; never trust anything you got from a browser, all data going into the database must be cleaned. The problem is, you have to be relentless about it. Missing even one time exposes your code. Some of these plugins have been around for awhile. You get the picture. Even though everyone knows what to do about this, sometimes they don’t do it.
If you run WordPress, should you be worried? No. Concerned? Yes, always. I’ll explain.
Let’s deal with the e-commerce issue first, as you folks are probably closest to panic. The majority of e-commerce plugins on smaller websites pass the price, quantity and amount to a payment gateway when the customer hits BUY. The payment gateway handles the transaction. So the WordPress site never handles the credit card data. The worst a hacker can probably do is ensure that your vintage Barbie Doll website now sells fuzzy handcuffs. Don’t know if your site keeps credit card data? This is something you should find out before the end of this week. Seriously. The biggest security vulnerability is ignorance.
Now, for the rest of you, let’s remember that the kind of hacking that could take advantage of these vulnerabilities is a real skill, and it usually takes time to hack a site. So it has to be worth it (unless someone really does not like you) to the hacker. As I detailed in a previous post, it is much easier to send a bot to guess your lousy password. So, stick with the program we always preach, have good passwords, Never post as Admin, log on as Admin regularly and accept all updates, INCLUDING your plugin updates. Pay attention to your site. Make it tough on the hackers, they will probably go someplace else.