Open source blogging platform WordPress is, at the ripe old age of 11, the most popular blogging platform in the world. According to Forbes, it powered more than 60 million web sites as of September 2012, and has continued to grow since that time. Although it might have started out that way, WordPress has evolved into much more than just a blogging platform; it’s now a full-fledged content management system (CMS) as well.
Many companies and some individuals run their own WordPress servers, and many more individuals maintain their blogs on WordPress servers hosted by others or on WordPress.com, which offers free accounts that allow you to publish and manage multiple blogs. As with any other software, security vulnerabilities are found in the WordPress code from time to time, and the WordPress.org site urges users running WordPress servers to keep the software up to date with the latest version. But it’s not just the WordPress software itself that you need to worry about.
One aspect of WordPress’s very full feature set is the ability to extend its features through the use of plug-ins, and the service boasts a database containing tens of thousands of such add-ons. It’s a popular way to expand a piece of software’s capabilities in ways desired by subsets of users, but just as with web browser extensions, plug-ins can pose a security risk.
Plug-ins are, after all, just additional programs that run in conjunction with the original program, and like any program, they can have security vulnerabilities. Because plug-ins often aren’t created by the vendor who makes the original program, in some cases there may be less quality control or simply less understanding of the original program and the effect the plug-in might have on it, security-wise.
Recently such a vulnerability was discovered in a popular WordPress plug-in, and according to reports it has already been exploited on as many as 50,000 web sites. As of July 24, attackers were actively targeting the flaw in the MailPoet Newsletters plug-in, even though a new version that patches the hole has been released.
The plug-in is used for creating newsletters and lets you easily put posts and images in a newsletter, format fonts and manage subscribers. Because it’s free and easy to use, it has become very popular with those who want a simple way to publish newsletters, garnering a 4.9 star rating (out of 5) on the WordPress.org web site.
The vulnerability is a serious one: it can be used by an attacker to upload a file to a vulnerable web site (one running WordPress with a MailPoet plug-in that hasn’t been patched) over a remote connection, with no authentication required. The attacker could upload any PHP file. PHP is a scripting language that runs on web servers. It was designed for creating dynamic web content, but as with any server-side scripting language, an attacker can write a script that serves malicious purposes (for example, infecting site visitors with malware). The attacker can basically take control of the site and turn it into a phishing or spam site.
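The flaw described above lets an attacker drop a PHP file into a directory that should hold only media, so one practical defender's check is to look for anything that would run as PHP under wp-content/uploads. The script below is an added example written for this article, not code from MailPoet or WordPress; it builds a small constructed uploads tree (sample files, not a real site) and flags files by extension, by a PHP name hidden in a double extension, and by a PHP open tag inside a file named like an image.

```python
"""Scan a WordPress uploads tree for files that could execute as PHP.

Added example (not from the article or the MailPoet project). A
wp-content/uploads directory should contain media only, so any file that
would run as PHP, by extension or by content, deserves an incident ticket.
"""
import os
import re
import tempfile

# Extensions that common Apache/PHP configurations treat as executable.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_EXT_NAMES = {ext.lstrip(".") for ext in PHP_EXTENSIONS}

# A PHP open tag anywhere in a "media" file is suspicious: scripts are often
# hidden inside a file named like an image to evade extension checks.
PHP_TAG = re.compile(rb"<\?php|<\?=")


def scan_uploads(root: str, max_read: int = 65536) -> list:
    """Return findings for files under *root* that look like PHP code.

    Each finding is {"path": <relative path>, "reasons": [<reason>, ...]}.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if ext in PHP_EXTENSIONS:
                reasons.append("php-extension")
            # Double extensions such as logo.php.jpg depend on server config
            # (Apache mod_mime may still execute them), so flag them too.
            inner_parts = [part.lower() for part in name.split(".")[1:-1]]
            if any(part in PHP_EXT_NAMES for part in inner_parts):
                reasons.append("php-in-double-extension")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_read)  # read only the first 64 KiB
            except OSError:
                continue
            if PHP_TAG.search(head):
                reasons.append("php-open-tag-in-content")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"path": rel, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(base: str) -> str:
    """Create a constructed uploads tree (sample data, not a real site)."""
    root = os.path.join(base, "wp-content", "uploads", "2014", "07")
    os.makedirs(root)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF fake image bytes",          # benign
        "newsletter.pdf": b"%PDF-1.4 fake document",                    # benign
        "shell.php": b"<?php /* constructed sample */ echo 1; ?>",      # dropped script
        "logo.php.jpg": b"\xff\xd8 not really an image",                # double extension
        "avatar.png": b"\x89PNG<?php /* hidden */ echo 2; ?>",          # code in "image"
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return os.path.join(base, "wp-content", "uploads")


def demo_scan() -> list:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_uploads(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo_scan():
        print(f"{finding['path']}: {', '.join(finding['reasons'])}")
```

Run against a real site by calling scan_uploads() on the actual wp-content/uploads path; the scan is read-only, so it is safe to schedule, and any hit is a reason to compare the file against the site's own media and to check the web server log for the request that created it.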
Code execution plug-ins will always pose a certain degree of risk. If you have such plug-ins installed and you aren’t using them, they should be deleted as a best security practice.
Because of its popularity, WordPress is frequently targeted by attackers. WordPress.org has published, in the Support section, a lengthy document providing many tips (with detailed instructions) for hardening WordPress. Taking the time to make these changes can go a long way toward protecting your WordPress installation.