As one of the most popular content management systems, WordPress has security vulnerabilities in its extensions that threaten many websites.
Wordfence researchers have find that attacks on WordPress websites come from a variety of IPs, some of which are relating to hosting providers.
However, after the news of the vulnerability was release, many IPs stop their malicious operations. Mike Webenstra of Wordfence Researchers explained in a blog post that most attacks on WordPress websites start from an IP address:
The target IP is 188.8.131.52, which is own by Rackspace servers and many victim websites are support. We contacted Rackspace and described the threat to them. We hope to implement a solution as soon as possible to prevent similar attacks through these servers. We haven’t received a response yet.
WordPress Plugins Vulnerability
The attacks, discovered by a team of researchers, exploit the known vulnerabilities in WordPress plugins. Among the most popular are the nd-booking, nd-travel and nd-learning extensions from NicDark.
Initial research on the cybercrime campaign shows that malicious scripts were injects into the website. Scripts create redirect or pop-up addresses for the user who visits the victim’s website. A deeper examination showed that another script was installed for backdoor installation on the website during the attack.
Finally, like most security research, anti-infiltration strategies were develop by the team of researchers. The following statement reads:
As always, updating WordPress plugins and themes provides the best layer of security against cybercriminals. Regularly check for updates on your website and make sure you get the latest security patches.
How to avoid getting hack due to vulnerable WordPress plugins
I’m a huge WordPress fan because it’s a very powerful, effective, and amazingly extensible platform which is why it’s used by 60.4% of [websites with identifiable content management systems which amounts to] 23.7% of all websites. But there’s a risk with any platform that’s extensible trough the use of third party software (called “plugins” in WordPress): That risk is from software vulnerabilities.
Part of the reason for these vulnerabilities is that WordPress is fairly complex so interactions with plugins can produce unwanted and occasionally dangerous security issues.
The other major reason is that the coding practices of third parties can be inadequate so dumb vulnerabilities such as buffer overflows and SQL injections can be part and parcel of some “must have” feature added by a plugin.
For a summary of current WordPress vulnerabilities check out the WPScan Vulnerability Database, a “black box WordPress vulnerability scanner.”
If you’re running a WordPress site and give the number of potentially show-stopping problems that exist,
get fixed, and are replaces with new problems that are just as bad then you need to be on top of what plugins you’re using and what problems they might have.
Rather than scanning through loads of vulnerability notices and
checking each plugin’s Web site for news there’s not only WPScan,
there’s also a free plugin that check the plugins you use for known issues.
It’s called Plugin Vulnerabilities and published by WhiteFirDesign.
The publishers also offer another free plugin, Automatic Plugin Updates that, as its name implies, will update your plugins automatically as new versions become available (you can also set up an “ignore” list to exclude specific plugins from automatic updates).
When you activate Plugin Vulnerabilities, all of your other plugins are examine and check against WhiteFirDesign’s database of vulnerabilities. They’re also recheck whenever a plugin in manually update or an update execute by the Automatic Plugin Updates or by any other method.
WhiteFirDesign’s vulnerability stats were, as of April 6:
- 257 vulnerabilities included
- 61 included vulnerabilities are in the most recent version of plugins (57 of these plugins have been remove from the Plugin Directory)
- 24 vulnerabilities have been fix in part due to our work on this plugin
- 5 include vulnerabilities in security plugins
- Top vulnerability types:
- cross-site request forgery (CSRF)/cross-site scripting (XSS): 52 vulnerabilities
- reflected cross-site scripting (XSS): 45 vulnerabilities
- arbitrary file upload: 45 vulnerabilities
- arbitrary file viewing: 23 vulnerabilities
- SQL injection: 16 vulnerabilities
If a problem is discover and you’ve enables the feature, Plugin Vulnerabilities will send you a warning email as well as warn you on the Plugin Vulnerabilities control panel page and the general Plugins page.