Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

07:30 PM
Connect Directly

Lack of WordPress User Education Affecting Security Posture

Survey shows many users lack knowledge to effectively protect their sites.

It's no wonder that WordPress continues to be one of the most hacked CMS platforms online—the sheer numbers of sites powered by WordPress make it logical. But a new survey out today shows that a lack of training and security practices among WordPress users may also contribute to the problem. It showed that many WordPress users also tend to avoid hiring a professional administrator and are themselves only lightly trained in how to run the content management system.  

Based on a survey conducted by CodeGuard of 503 WordPress users, 44 percent of respondents don't employ a website or IT manager. And fewer than one-quarter of users have received extensive training in the use of WordPress. Unsurprisingly, just a little over half of these users report that they regularly update their WordPress platforms and 69 percent have had a plugin fail after an update.

According to market data from W3Techs, 23.5 percent of websites today use WordPress to power their backend. That's head and shoulders above the next runner-up, Joomla, which has about 10 times less usage, with a 2.9 percent market share. WordPress is an attractive target for attackers. A report from Imperva out last fall showed that WordPress sites were attacked 24.1 percent more than websites running on all other CMS platforms combined and that it suffers 60 percent more cross-site scripting incidents then all other CMS-backed sites combined.

According to security researchers, the vast majority of WordPress-related—and other CMS-related—security problems arise through vulnerabilities in plugins. To date, WordPress features 36,547 different plugins available for download. It’s a huge attack surface, and one which poses problems frequently. For example, just yesterday, the security team at Sucuri released an advisory about the MainWP Child plugin that affects 90,000 WordPress sites using it as an admin tool that allows for easy remote exploitation, resulting in password bypass and privilege escalation. Meanwhile, just last month, Sucuri found a different plugin, WP-Slimstat, left 1.3 million sites vulnerable to SQL injection attacks.

In order to avoid attacks against these types of vulnerabilities, website owners are going to need to do a better job educating themselves about the risks, says Tony Perez, co-founder and CEO of Sucuri.

"I’s easy to feel overwhelmed by some of this information, but it is our belief that the best tool you have at your disposal as a website owner is knowledge," he says. "Driving your head into the proverbial sand does not make these things disappear; it simply amplifies the impact if and when any of these attacks affect you directly."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
3/15/2015 | 3:43:27 AM
Exploits against Wordpress-a quick look
I like the functionality of the wordpress software and use their website for a security blog.  However, I would be remiss in my duties as a security professional if I failed to mention my high concern for the quantity of exploits I see in history for this product.

I went to the Exploit Db, a site which has proven exploits available for penetration testing.  I see a few dozen pages worth of exploits between what I would say is its inception, and the vast majority of which are confirmed.   By most standards that's a large number of proven exploits.  Granted, a properly patched system is not susceptible to most, if not all of those.  Checks for patches would have to be done a very regular basis, though.

If I was running a Wordpress site, I would be huge on keeping that system patched (automatic updates if possible).  I also remember reading a couple months back that a lot of the issues are with plugins.  Me, I'd stay away from them.  A quick scan of the Exploit DB list shows many are plugin-related exploits.

Security Focus is another good site.  That'll should vulnerability information with sample programs and if patches are available.  Very neat stuff.

Stay safe! Andy
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 4:20:13 PM
Re: Treat web services like any system in the enterprise
Totally agree with you @aws0513,.While there are undoubtedly some rogue enterprise-class departments that set up their own Wordpress blogs and such, the majority of users are most likely small  businesses or individuals who have little experience about defending against security threats.Wordpress and other similar platforms should be doing more.Whether it's training, service packages or baking more protections into the product, or all of the above... I'm not sure.
User Rank: Ninja
3/12/2015 | 1:15:40 PM
Re: Treat web services like any system in the enterprise
You are correct Marilyn. 

What services like WordPress provide is an easy to implement solution platform... with just enough rope to hang a neophite with.

It is my belief the biggest cause of issues here would be small businesses that may not have the budget or resources to securely manage web services.  Many of them may be startups where only a handful of people are involved.  Small businesses see services like WordPress as an efficient solution that doesn't require an large amount of support overhead.

One has to wonder if the service providers should be providing guidance and training to customers as part of the service package.  Some service providers do have online training, but how much that training may cover in terms of security practices may vary greatly.

Wordpress just happens to be the big guy on the block.  This translates into more customers that can cause more issues with the service.  It is my opinion that other similar services may have similar security issues but these have not bubbled up because there are fewer customers.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 11:27:26 AM
Re: Treat web services like any system in the enterprise
aws0513, your points are well-taken. But given that 44 percent of respondents to the survey don't have a website or IT manager, & 3/4 of them don't have any training in WordPress that enterprise users aren't the real problem.Or am i missiing something?

User Rank: Ninja
3/11/2015 | 11:09:01 AM
Treat web services like any system in the enterprise
If your organization is using a web service of any kind, it should be handled as if it were an in house solution.
  • What purpose will the web service fullfill?
  • Will regulatory data be posted/stored on the service site?
  • If regulatory data is involved, will the service vendor attest to the location of the service systems and the protections provided to those environments (physical and logical)? Example: If the regulatory data falls under HIPAA, the systems cannot exist outside CONUS?
  • Who will "own" the service on behalf of the organization?
  • Who will maintain the service on behalf of the owner?  Are those people properly trained on how to maintain the environment in a responsible and secure manner?
  • Who will be the stewards of the service in terms of utilization standards and oversight?
  • How will access control to the environment be managed?
  • Is there any separation of duties concerns and/or capabilities with the service to help mitigate internal security risks?
  • Who will manage access control?  Are those people properly trained on the access control processes necessary to mitigate risks?
  • What contingency plans are needed to deal with loss of the service?
  • What documentation processes are necessary?  Who will be responsible for the documentation?
  • What auditing capabilities does the service provide?
  • What liability would the organization have if the service is compromised in any way?  What capabilities will the organization have to conduct investigation of incidents?
  • If there is a publicly accessible portion of the service, how can public relations functions in the organization manage public release activities in the service?
  • Has management accepted any risks identified with the organizations use of the services?

This is just a quick off the cuff list.
I am sure there are many other questions that could be developed in this effort. 
User Rank: Ninja
3/11/2015 | 6:53:25 AM
IT guy
I work with a few Wordpress sites and thankfully there's always someone around to ask if there's a potential problem. I'm glad I'm not managing them though as security headaches are not my cup of tea at all. 

Still, I make sure to practice good security for my end of things and have a monster of a difficult password for each of them. 
User Rank: Apprentice
3/11/2015 | 5:58:06 AM
WordPress itself can be vulnerable too
WordPress also has its vulnerabilities from time to time. In last November, a critical cross-site scripting vulnerability affected WordPress sites, which could enable anonymous users to compromise a site. 

This article demonstrates a practical exploit of this vulnerability. Be sure you update to 4.0.1, 3.9.3, 3.8.5, or 3.7.5 to keep everything secure.
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...