Dark Reading is part of the Informa Tech Division of Informa PLC



WordPress Site Hacks Continue

70% of WordPress sites are running outdated software and are vulnerable to hackers launching DDoS attacks. Recent examples hit MIT, NEA and Penn State servers.

WordPress installations sporting known vulnerabilities continue to be compromised by hackers and turned into distributed denial of service (DDoS) launch pads.

That warning was sounded last week after IT professional Steven Veldkamp shared an intrusion prevention system (IPS) log with Hacker News showing that a single 26-second DDoS attack against a site run by Veldkamp was launched from 569 different WordPress blogs. Those blogs appear to have been compromised by attackers, since they included everything from a "mercury science and policy" blog at the Massachusetts Institute of Technology (which as of press time remained offline) and a National Endowment for the Arts blog to WordPress sites run by Pennsylvania State University and Stevens Institute of Technology.
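What Veldkamp's log shows is a pattern any site operator can look for: a short span in which requests arrive from an unusually large number of distinct hosts, many of which announce themselves as WordPress installations. The script below is an added example, not code from the article and not Veldkamp's IPS log. The log lines are constructed in Apache "combined" format, and the assumption that a WordPress host identifies itself with a `WordPress/<version>; <url>` User-Agent is made here so that sources can be classified; adjust the regular expressions to your own log format.

```python
"""Detect a short burst of requests arriving from many distinct hosts.

Added example, not part of the article and not Veldkamp's IPS log. The log
lines are constructed in Apache 'combined' format; the idea that a WordPress
host announces itself with a 'WordPress/<version>; <url>' User-Agent is an
assumption made here so the sources can be classified.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WP_UA_RE = re.compile(r"^WordPress/(?P<ver>[\d.]+); ")

# Constructed sample: two ordinary visitors and six requests in 20 seconds
# from six different hosts that all identify as WordPress installations.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Sep/2013:14:02:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [29/Sep/2013:14:05:01 +0000] "GET /?r=1 HTTP/1.0" 200 5120 "-" "WordPress/3.5.1; http://blog-a.example"
198.51.100.6 - - [29/Sep/2013:14:05:03 +0000] "GET /?r=2 HTTP/1.0" 200 5120 "-" "WordPress/3.6; http://blog-b.example"
198.51.100.7 - - [29/Sep/2013:14:05:05 +0000] "GET /?r=3 HTTP/1.0" 200 5120 "-" "WordPress/3.4.2; http://blog-c.example"
198.51.100.8 - - [29/Sep/2013:14:05:09 +0000] "GET /?r=4 HTTP/1.0" 200 5120 "-" "WordPress/3.6.1; http://blog-d.example"
198.51.100.9 - - [29/Sep/2013:14:05:12 +0000] "GET /?r=5 HTTP/1.0" 200 5120 "-" "WordPress/3.3.1; http://blog-e.example"
198.51.100.10 - - [29/Sep/2013:14:05:20 +0000] "GET /?r=6 HTTP/1.0" 200 5120 "-" "WordPress/2.9.2; http://blog-f.example"
203.0.113.11 - - [29/Sep/2013:14:09:00 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    wp = WP_UA_RE.match(rec["ua"])
    rec["wp_version"] = wp.group("ver") if wp else None
    return rec


def find_bursts(lines, window_seconds=26, min_sources=5):
    """Slide a window over the log and report every span of at most
    window_seconds in which at least min_sources distinct hosts made requests.
    The 26-second default mirrors the attack length quoted in the article."""
    recs = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    window = timedelta(seconds=window_seconds)
    bursts, i = [], 0
    while i < len(recs):
        j = i
        while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
            j += 1
        chunk = recs[i:j]
        sources = {r["ip"] for r in chunk}
        if len(sources) >= min_sources:
            wp = {r["ip"]: r["wp_version"] for r in chunk if r["wp_version"]}
            bursts.append({
                "start": recs[i]["ts"].isoformat(),
                "end": recs[j - 1]["ts"].isoformat(),
                "requests": len(chunk),
                "distinct_sources": len(sources),
                "wordpress_sources": len(wp),
                "wordpress_versions": sorted(set(wp.values())),
            })
            i = j  # skip past the reported span so overlapping windows are not reported twice
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_LOG.splitlines()):
        print(burst)
```

On the sample it reports one burst of six requests from six distinct sources, all self-identified as WordPress, spanning five different versions; on a real log the `min_sources` threshold should be set well above the number of distinct hosts the site normally sees in a 26-second window, and the list of WordPress sources is the starting point for notifying the owners of the compromised blogs.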

"The key aspect to note here is the number of compromised WordPress servers," said Stephen Gates, chief security evangelist at DDoS defense firm Corero Network Security, via email. "It's a simple mathematical equation -- attackers are looking to infect servers sitting in hosting environments with each server easily capable of generating 1 Gbps of attack traffic. It is quite easy to generate extremely high volumes and varieties of attack traffic by compromising just a few WordPress servers."

Once WordPress servers get compromised, attackers can use them for a variety of purposes, such as attacking U.S. financial institutions. "From volumetric attacks that melt down firewalls to the 'low and slow attacks' that sneak through firewalls undetected -- the list is really endless," Gates said.


WordPress blogs, of course, are easy to provision and host. But that ease of installation -- and use -- means that such software is often run outside the purview of IT provisioning and oversight. Furthermore, many WordPress administrators fail to keep their software updated or follow security best practices, such as choosing unique usernames and strong passwords for WordPress admin accounts. As a result, numerous WordPress sites sporting known vulnerabilities -- or "admin" as the admin account name -- remain sitting ducks for automated attacks.

Indeed, malware is often used to automatically find and exploit vulnerable WordPress installations. In August, Matthew Bing, an Arbor Security Engineering & Response Team (ASERT) research analyst, noted that the Fort Disco malware -- first discovered in April 2013 -- was being used to target known vulnerabilities in content management systems, backed by six command-and-control servers that were running a botnet comprised of more than 25,000 Windows PCs. "To date, over 6,000 Joomla, WordPress and Datalife Engine installations have been the victims of password guessing," he said in a blog post.

How widespread is the problem of exploitable WordPress software? According to a study conducted by EnableSecurity CEO Sandro Gauci, the list of the one million most trafficked websites -- per the Alexa index -- includes 40,000 WordPress sites. But 70% of those sites are running a version of WordPress with known vulnerabilities.

Those statistics were relayed last week by WordPress security expert Robert Abela, who studied data that EnableSecurity's Gauci compiled over a four-day period in the middle of September, immediately following the September 11 release of WordPress 3.6.1, which remains the latest version.

In a blog post, Abela reported that of the 42,106 WordPress sites identified in the Alexa index, 19% had already been updated to the new version, while 31% were still running the previous version (3.6). The remaining 51% of cataloged WordPress sites ran one of 72 other versions, with 2% of all cataloged sites still running version 2.x, which dates from 2007 and earlier.

Needless to say, many historical WordPress updates have included patches for exploitable vulnerabilities. For example, the latest version of WordPress -- 3.6.1 -- patched a known vulnerability in version 3.6 that would have allowed an attacker to remotely execute code. Previous versions of WordPress have also sported a number of known bugs, including version 3.5.1 (8 vulnerabilities), 3.4.2 (12 vulnerabilities) and 3.3.1 (24 vulnerabilities).

All of this adds up to numerous WordPress sites that can be hacked relatively easily, based on a review of the 10 most common WordPress versions among the more than 40,000 sites counted by Gauci. "At least 30,823 WordPress websites out of 42,106 are vulnerable to exploitable vulnerabilities," said Abela. "This means that 73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools. Considering the number of vulnerable WordPress installations out there, and the popularity of such websites, we are still surprised ... most of them haven't been hacked yet."
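The "free automated tools" Abela refers to work largely by reading the version a site advertises and comparing it with the current release. The script below is an added example for auditing sites you administer; it is not code from the article or from EnableSecurity's study. It relies on the `generator` meta tag that WordPress emits by default (an assumption: themes and plugins can strip it, in which case the result is "unknown", not "safe"), and the version and vulnerability-count figures in the table are the ones quoted in the article. The sample fleet is constructed.

```python
"""Flag outdated WordPress installations from their front-page HTML.

Added example for auditing sites you administer; not code from the article
or from EnableSecurity's study. It relies on the 'generator' meta tag that
WordPress emits by default (assumption: themes and plugins can strip it, in
which case the result is 'unknown', not 'safe'). Version and vulnerability
counts below are the figures quoted in the article.
"""
import re

LATEST = "3.6.1"  # current release at the time of the article (September 2013)

# Known-vulnerability counts per release, as quoted in the article.
KNOWN_VULNS = {"3.6": 1, "3.5.1": 8, "3.4.2": 12, "3.3.1": 24}

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)


def version_tuple(version):
    """'3.6.1' -> (3, 6, 1); tuples compare the way release numbers should."""
    return tuple(int(part) for part in version.split("."))


def detect_version(html):
    """Return the version from the generator tag, or None if there is none."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def assess(html, latest=LATEST):
    """Classify one page as current, outdated or unknown."""
    version = detect_version(html)
    if version is None:
        return {"version": None, "status": "unknown", "known_vulns": None, "legacy": False}
    vt = version_tuple(version)
    return {
        "version": version,
        "status": "current" if vt >= version_tuple(latest) else "outdated",
        "known_vulns": KNOWN_VULNS.get(version),  # None: count not listed in the article
        "legacy": vt[0] < 3,                       # 2.x releases date from 2007 or earlier
    }


def summarize(pages):
    """Count statuses over a fleet of {name: html} pages."""
    counts = {"current": 0, "outdated": 0, "unknown": 0}
    for html in pages.values():
        counts[assess(html)["status"]] += 1
    return counts


def _page(version):
    # Constructed front page carrying the default generator tag.
    return ('<html><head><title>Blog</title>'
            f'<meta name="generator" content="WordPress {version}" />'
            '</head><body></body></html>')


# Constructed fleet: one current site, three outdated ones, one with the tag stripped.
SAMPLE_FLEET = {
    "blog-a": _page("3.6.1"),
    "blog-b": _page("3.6"),
    "blog-c": _page("3.5.1"),
    "blog-d": _page("2.9.2"),
    "blog-e": "<html><head><title>Blog</title></head><body></body></html>",
}

if __name__ == "__main__":
    for name, html in SAMPLE_FLEET.items():
        print(name, assess(html))
    print(summarize(SAMPLE_FLEET))
```

Feed it the saved front pages of the installations you are responsible for and the summary gives you the same kind of current/outdated split the article reports for the Alexa sample; an "unknown" result deserves a manual check rather than being counted as patched.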

User Rank: Apprentice
10/15/2013 | 6:46:04 PM
re: WordPress Site Hacks Continue
Great article Mathew. The average small business owner does not have the time or staff to keep their WordPress websites up to date. That is why I created a complete WordPress monitoring and maintenance service called WP-MONITOR http://www.wp-monitor.com/ where we take care of all of these vulnerabilities on WordPress sites for the clients. Not only do we take care of the security, but we also provide daily WordPress backup, plugin updates, uptime monitoring, traffic reports, broken links reports, security scanning, malware removal, theme changes, more features than any other WordPress monitoring plan.
Eddie Mayan
User Rank: Apprentice
10/10/2013 | 9:18:46 AM
re: WordPress Site Hacks Continue
It is very necessary to keep up with security updates, or a very good option is to try a managed WordPress service like Cloudways.
User Rank: Apprentice
10/1/2013 | 11:38:41 PM
re: WordPress Site Hacks Continue
I wonder what the NSA will make of my pictures posted (altered photos of Hitler performing stupid magic tricks and other Dada/Surrealist rants, raves and absurdity). They'll probably think it's some code for something, and since I post my beliefs as "Anarcho-Surrealist", which means nothing. I mean the header of one of my blogs is "A Hobo with a Jar of Mustard", and the other is "How can I disturb your sense of Reality today?" Anyway, I think all Americans should set up an identical blog that streams 24/7 webcam shots of toasters, or toilets, or the inside of an old boot in a ditch.
Joanie Mann
User Rank: Apprentice
10/1/2013 | 8:48:54 PM
re: WordPress Site Hacks Continue
I agree with Mr Carr - get the site hosted by WordPress or another professional host that will ensure the software is kept up to date. Too many businesses try to take these responsibilities upon themselves, but don't really have the skills or resources to do it really well. The issue isn't just the vulnerabilities they introduce for their own businesses, it's the fact that they become effectively complicit in creating issues for others, too. While not as loathsome, it's rather like drunk driving, where the potential victim(s) is not likely to be only the driver.
Thomas Claburn
User Rank: Ninja
10/1/2013 | 8:09:15 PM
re: WordPress Site Hacks Continue
The fact that WordPress.com asked me to agree to its "fascinating terms of service" was almost enough to get me to sign up on the spot.
David F. Carr
User Rank: Apprentice
10/1/2013 | 4:16:46 PM
re: WordPress Site Hacks Continue
If you can't take responsibility for keeping the software up to date, consider whether hosting with WordPress.com is practical for your purposes. You can pay to upgrade from the free service to one associated with your domain and then let their webmonkeys worry about software patches.