WordPress sites stick with vulnerable versions despite worrying rise in attacks

Three quarters of sites vulnerable

Poor updating and sometimes no updating is leaving large numbers of WordPress websites open to exploitation in cybercriminal campaigns, an analysis by specialist UK security consultancies WP WhiteSecurity and EnableSecurity has found.

The study, which examined 42,106 WordPress sites listed in Alexa's top one million over a three-day period earlier this month, found an astonishing 74 versions of the software in use, only 18.5 percent of which had updated to the latest version, 3.6.1.

Given that the study was carried out on 12 September, only one day after 3.6.1 was released, that is not a complete surprise, but the prevalence of older versions is still stark. A total of 6,859 sites were using version 3.5.1 (suffering eight vulnerabilities), 2,204 were using version 3.4.2 (12 vulnerabilities), and 1,655 were using version 3.5 (10 vulnerabilities).
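The census the study describes amounts to reading each site's advertised WordPress version and counting how many fall behind the current release. The following is an added example, not the consultancies' own tooling, of how a site owner or hosting team can run that inventory over their own fleet: it pulls the version from the `generator` meta tag that WordPress emits in page HTML, compares it numerically against the latest release named in the article (3.6.1), and reports the outdated share. The sample pages and hostnames are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: front-page HTML fragments as a fleet inventory job might
# have saved them. Hostnames and contents are made up for this example.
SAMPLE_PAGES = {
    "site-a.example": '<html><head><meta name="generator" content="WordPress 3.6.1" /></head></html>',
    "site-b.example": '<head><meta name="generator" content="WordPress 3.5.1" /></head>',
    "site-c.example": '<head><meta content="WordPress 3.4.2" name="generator"/></head>',
    "site-d.example": '<head><meta name="generator" content="WordPress 3.5" /></head>',
    "site-e.example": '<head><title>No generator tag</title></head>',
}

# Latest release at the time of the study, per the article.
LATEST = "3.6.1"

META_RE = re.compile(r'<meta\b[^>]*>', re.I)

def extract_version(html):
    """Return the WordPress version string from the generator meta tag, or None.

    Attribute order varies between themes, so each <meta> tag is checked for
    both name="generator" and a content attribute starting with "WordPress".
    """
    for tag in META_RE.findall(html):
        if not re.search(r'\bname\s*=\s*"generator"', tag, re.I):
            continue
        m = re.search(r'\bcontent\s*=\s*"WordPress\s+([0-9][0-9.]*)"', tag, re.I)
        if m:
            return m.group(1)
    return None

def version_tuple(v):
    """Convert "3.5" to (3, 5, 0) so that 3.5 < 3.5.1 < 3.6.1 compares numerically."""
    parts = [int(p) for p in v.split(".") if p != ""]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_outdated(version, latest=LATEST):
    return version_tuple(version) < version_tuple(latest)

def census(pages, latest=LATEST):
    """Count versions across the fleet and compute the share behind `latest`."""
    counts = Counter()
    detected = 0
    outdated = 0
    for host, html in pages.items():
        version = extract_version(html)
        if version is None:
            # A missing tag is not proof of a patched site, only of no evidence.
            counts["unknown"] += 1
            continue
        detected += 1
        counts[version] += 1
        if is_outdated(version, latest):
            outdated += 1
    pct = round(100.0 * outdated / detected, 1) if detected else 0.0
    return {"versions": counts, "detected": detected,
            "outdated": outdated, "outdated_pct": pct}

if __name__ == "__main__":
    result = census(SAMPLE_PAGES)
    for version, n in sorted(result["versions"].items()):
        print(f"{version:>8}: {n}")
    print(f"{result['outdated']} of {result['detected']} detected sites "
          f"({result['outdated_pct']}%) are behind {LATEST}")
```

Sites that hide the generator tag (a common hardening tweak) land in the `unknown` bucket rather than being counted as current; the real fix for those is to check the version from the server side, since removing the banner does not remove the vulnerabilities.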

"This means that 73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools," said WhiteSecurity.

"It takes a malicious attacker only a couple of minutes to run automated tools that can discover such vulnerabilities and exploit them."

Part of the problem is the turnover of new versions as vulnerabilities are discovered, which outpaces the attention span of some users when it comes to applying them. Others may be reluctant to update in case doing so breaks their websites or interferes with plugins. Too many also fail to secure blogs with strong enough passwords.

The need for better updating and security has been brought home by news that a large botnet has reportedly compromised high-profile WordPress sites, including Mercury Science and Policy at MIT, National Endowment for the Arts (arts.gov), The Pennsylvania State University and Stevens Institute of Technology, to launch further attacks.

This in turn might be connected to a high-profile brute force attack on sites using the platform in April, which was interpreted as a preparation for future attacks. The botnet appears to have gained access to some sites by exploiting software flaws, using these to compromise the credentials of better-secured sites to boost DDoS attacks.

The regularity of such campaigns seems to be the new norm, not only against WordPress but against rivals Joomla and Drupal too.

"WordPress servers have become just another easy target for the nation-State supported hackers, electronic armies and technical extremists that happen to wake up on the wrong side of the bed on any given day," argued Corero Network Security's chief security evangelist, Stephen Gates.

"It's a case of simple math. If you wanted to build a botnet that could generate 100Gbps of attack traffic using older computers sitting behind DSL modems and each machine could generate a modest 1Mbps of attack traffic, how many bots would you need to generate 100Gbps of traffic? The answer is 100,000 machines.

If you instead infected a large number of servers sitting in hosting environments and each server could generate 1Gbps of attack traffic (which most servers today could easily perform), how many would you need to generate 100Gbps of traffic? The answer is simple - 100 machines. That's a very small botnet with some serious horsepower," he said.

Given the sheer size of the botnets being fuelled by these attacks, the potential to create a DDoS monster was obvious, he said.

A Trend Micro analysis earlier this month put some figures on the scale of what has been happening, with one backdoor campaign compromising as many as 100,000 domains in a single week.
