Security research and news reports over the past few months are uncovering an increasing number of weaknesses within, and attacks against, the most popular content management systems (CMSs) driving today's typical web properties. Whether it be WordPress, Joomla, or Drupal, these platforms have all been subject to some high-profile flaws and hacks of late, with most of them coming, not from their core code, but from the third-party plug-ins that most administrators use to extend the customization of their sites.
As the far-and-away front-runner in installs, it's only logical that WordPress has garnered the lion's share of attacks. According to a report out last week by Imperva, websites running WordPress were attacked 24 percent more than websites running on all other CMS platforms combined. This is unsurprising, considering that WordPress is run on more than 75 million sites as of February of this year, compared to Drupal's second place with just over 1 million sites. But that doesn't mean that WordPress is necessarily any less secure than other platforms.
"Because it is popular, people investigate WordPress more, and when researchers investigate it more they find more vulnerabilities," says Itsik Mantin, director of security research for Imperva. "If you are using a different platform or just building your own applications, then it is possible you are vulnerable but you don't know it. So you feel more secure, but it doesn't necessarily mean you are indeed more secure."
In fact, the security community often has praise for the developers at Automattic who shepherd the WordPress code base. Ryan Dewhurst, an independent penetration tester and researcher, recently released the WPScan Vulnerability Database, a comprehensive database of WordPress vulnerabilities he has collected information about over the years. In spite of his experience cataloguing these flaws, he has nothing but positive things to say about the WordPress development team.
"WordPress has been around for a long time, and during that time they've had the chance to patch a lot of vulnerabilities and change the way that they develop software in a secure manner," Dewhurst says. "They've got a great team that knows what they're doing, and even though vulnerabilities are still found in WordPress, it is less common for them to be found in their core code."
As he explains, the big problem with vulnerabilities usually comes by way of plug-ins and themes, which are typically written by third-party developers. "This is where you find the most severe vulnerabilities, because these developers have varying degrees of experience within development and security."
On top of that, the attack surface is huge. According to Automattic, the WordPress community has written 33,581 different plug-ins and counting. And it isn't just WordPress that faces the problem of plug-in flaws. This is a universal issue for CMS platforms.
"One of the things that characterizes CMS frameworks is that all the major ones are open-source and are extensible in a way that people tend to add plug-ins, extensions, and modules," Imperva's Mantin says. "It is very hard to control such a large number of plug-ins written by so many different people."
That is why the reports of vulnerabilities, proofs of concept, and malicious hacks keep rolling in about CMS frameworks. For example, this summer approximately 50,000 sites were hacked using a vulnerability in the MailPoet Newsletters plug-in for WordPress, which provided an opening to inject PHP backdoors onto the sites, according to researchers with Sucuri. And while MailPoet patched that hole, Sucuri reported last week that unpatched versions of the plug-in are still giving attackers a field day to compromise not only the affected site, but any other website hosted under the same account.
More recently, in September, more than 60,000 sites were affected by a cross-site scripting vulnerability in a spam and content moderation module for Drupal called Mollom. The flaw would enable attackers to gain admin access to vulnerable sites. Similarly, last month researchers with Sucuri reported a vulnerability in the VirtueMart extension for Joomla that would give attackers full control of an affected site and its database.
The difficulty is that plug-ins are somewhat "unavoidable," says Ilia Kolochenko, CEO of High-Tech Bridge.
"People will always want some specific customized features on their websites that no CMS can provide by default," he says. "Of course from time to time new vulnerabilities in major CMS [platforms] are announced, but they represent the vast minority and are usually quite complex to exploit."
The moral of the story is that organizations must not only be vigilant about updating the CMS framework itself, but also all of the plug-ins used to build out a site. In the same vein, for organizations with a smaller risk appetite, it may make sense to scrutinize which plug-ins and modules are used. Those released by amateurs unlikely to update them may need to hit the virtual dustbin, while others supported by larger development firms may be a safer bet.