Vulnerabilities / Threats // Vulnerability Management
3/10/2015
07:30 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Lack of WordPress User Education Affecting Security Posture

Survey shows many users lack knowledge to effectively protect their sites.

It's no wonder that WordPress continues to be one of the most hacked CMS platforms online—the sheer numbers of sites powered by WordPress make it logical. But a new survey out today shows that a lack of training and security practices among WordPress users may also contribute to the problem. It showed that many WordPress users also tend to avoid hiring a professional administrator and are themselves only lightly trained in how to run the content management system.  

Based on a survey conducted by CodeGuard of 503 WordPress users, 44 percent of respondents don't employ a website or IT manager. And fewer than one-quarter of users have received extensive training in the use of WordPress. Unsurprisingly, just a little over half of these users report that they regularly update their WordPress platforms and 69 percent have had a plugin fail after an update.

According to market data from W3Techs, 23.5 percent of websites today use WordPress to power their backend. That's head and shoulders above the next runner-up, Joomla, which has about 10 times less usage, with a 2.9 percent market share. WordPress is an attractive target for attackers. A report from Imperva out last fall showed that WordPress sites were attacked 24.1 percent more than websites running on all other CMS platforms combined and that it suffers 60 percent more cross-site scripting incidents then all other CMS-backed sites combined.

According to security researchers, the vast majority of WordPress-related—and other CMS-related—security problems arise through vulnerabilities in plugins. To date, WordPress features 36,547 different plugins available for download. It’s a huge attack surface, and one which poses problems frequently. For example, just yesterday, the security team at Sucuri released an advisory about the MainWP Child plugin that affects 90,000 WordPress sites using it as an admin tool that allows for easy remote exploitation, resulting in password bypass and privilege escalation. Meanwhile, just last month, Sucuri found a different plugin, WP-Slimstat, left 1.3 million sites vulnerable to SQL injection attacks.

In order to avoid attacks against these types of vulnerabilities, website owners are going to need to do a better job educating themselves about the risks, says Tony Perez, co-founder and CEO of Sucuri.

"I’s easy to feel overwhelmed by some of this information, but it is our belief that the best tool you have at your disposal as a website owner is knowledge," he says. "Driving your head into the proverbial sand does not make these things disappear; it simply amplifies the impact if and when any of these attacks affect you directly."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
xmarksthespot
50%
50%
xmarksthespot,
User Rank: Strategist
3/15/2015 | 3:43:27 AM
Exploits against Wordpress-a quick look
I like the functionality of the wordpress software and use their website for a security blog.  However, I would be remiss in my duties as a security professional if I failed to mention my high concern for the quantity of exploits I see in history for this product.

I went to the Exploit Db, a site which has proven exploits available for penetration testing.  I see a few dozen pages worth of exploits between what I would say is its inception, and the vast majority of which are confirmed.   By most standards that's a large number of proven exploits.  Granted, a properly patched system is not susceptible to most, if not all of those.  Checks for patches would have to be done a very regular basis, though.

If I was running a Wordpress site, I would be huge on keeping that system patched (automatic updates if possible).  I also remember reading a couple months back that a lot of the issues are with plugins.  Me, I'd stay away from them.  A quick scan of the Exploit DB list shows many are plugin-related exploits.

Security Focus is another good site.  That'll should vulnerability information with sample programs and if patches are available.  Very neat stuff.

Stay safe! Andy
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 4:20:13 PM
Re: Treat web services like any system in the enterprise
Totally agree with you @aws0513,.While there are undoubtedly some rogue enterprise-class departments that set up their own Wordpress blogs and such, the majority of users are most likely small  businesses or individuals who have little experience about defending against security threats.Wordpress and other similar platforms should be doing more.Whether it's training, service packages or baking more protections into the product, or all of the above... I'm not sure.
aws0513
50%
50%
aws0513,
User Rank: Ninja
3/12/2015 | 1:15:40 PM
Re: Treat web services like any system in the enterprise
You are correct Marilyn. 

What services like WordPress provide is an easy to implement solution platform... with just enough rope to hang a neophite with.

It is my belief the biggest cause of issues here would be small businesses that may not have the budget or resources to securely manage web services.  Many of them may be startups where only a handful of people are involved.  Small businesses see services like WordPress as an efficient solution that doesn't require an large amount of support overhead.

One has to wonder if the service providers should be providing guidance and training to customers as part of the service package.  Some service providers do have online training, but how much that training may cover in terms of security practices may vary greatly.

Wordpress just happens to be the big guy on the block.  This translates into more customers that can cause more issues with the service.  It is my opinion that other similar services may have similar security issues but these have not bubbled up because there are fewer customers.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 11:27:26 AM
Re: Treat web services like any system in the enterprise
aws0513, your points are well-taken. But given that 44 percent of respondents to the survey don't have a website or IT manager, & 3/4 of them don't have any training in WordPress that enterprise users aren't the real problem.Or am i missiing something?

 
aws0513
50%
50%
aws0513,
User Rank: Ninja
3/11/2015 | 11:09:01 AM
Treat web services like any system in the enterprise
If your organization is using a web service of any kind, it should be handled as if it were an in house solution.
  • What purpose will the web service fullfill?
  • Will regulatory data be posted/stored on the service site?
  • If regulatory data is involved, will the service vendor attest to the location of the service systems and the protections provided to those environments (physical and logical)? Example: If the regulatory data falls under HIPAA, the systems cannot exist outside CONUS?
  • Who will "own" the service on behalf of the organization?
  • Who will maintain the service on behalf of the owner?  Are those people properly trained on how to maintain the environment in a responsible and secure manner?
  • Who will be the stewards of the service in terms of utilization standards and oversight?
  • How will access control to the environment be managed?
  • Is there any separation of duties concerns and/or capabilities with the service to help mitigate internal security risks?
  • Who will manage access control?  Are those people properly trained on the access control processes necessary to mitigate risks?
  • What contingency plans are needed to deal with loss of the service?
  • What documentation processes are necessary?  Who will be responsible for the documentation?
  • What auditing capabilities does the service provide?
  • What liability would the organization have if the service is compromised in any way?  What capabilities will the organization have to conduct investigation of incidents?
  • If there is a publicly accessible portion of the service, how can public relations functions in the organization manage public release activities in the service?
  • Has management accepted any risks identified with the organizations use of the services?

This is just a quick off the cuff list.
I am sure there are many other questions that could be developed in this effort. 
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
3/11/2015 | 6:53:25 AM
IT guy
I work with a few Wordpress sites and thankfully there's always someone around to ask if there's a potential problem. I'm glad I'm not managing them though as security headaches are not my cup of tea at all. 

Still, I make sure to practice good security for my end of things and have a monster of a difficult password for each of them. 
gszathmari
50%
50%
gszathmari,
User Rank: Apprentice
3/11/2015 | 5:58:06 AM
WordPress itself can be vulnerable too
WordPress also has its vulnerabilities from time to time. In last November, a critical cross-site scripting vulnerability affected WordPress sites, which could enable anonymous users to compromise a site. 

This article demonstrates a practical exploit of this vulnerability. Be sure you update to 4.0.1, 3.9.3, 3.8.5, or 3.7.5 to keep everything secure.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.