Poor updating and sometimes no updating is leaving large numbers of WordPress websites open to exploitation in cybercriminal campaigns, an analysis by specialist UK security consultancies WP WhiteSecurity and EnableSecurity has found.
The study of 42,106 WordPress sites listed in Alexa's top one million, carried out over a three-day period earlier this month, found an astonishing 74 versions of the software in use, only 18.5 percent of which had updated to the latest version, 3.6.1.
Given that the study was carried out on 12 September, only one day after this version was released, that is not a complete surprise, but the prevalence of older versions is still stark. A total of 6,859 sites were using version 3.5.1 (suffering eight vulnerabilities), 2,204 were using version 3.4.2 (12 vulnerabilities), and 1,655 were using version 3.5 (10 vulnerabilities).
"This means that 73.2% of the most popular WordPress installations are vulnerable to vulnerabilities which can be detected using free automated tools," said WhiteSecurity.
"It takes a malicious attacker only a couple of minutes to run automated tools that can discover such vulnerabilities and exploit them."
Part of the problem is the rapid turnover of new versions as vulnerabilities are discovered, which outpaces the attention span of some users to keep applying them. Others might also be reluctant to update in case it breaks their websites or interferes with plugins. Too many do not secure their blogs with strong enough passwords.
The need for better updating and security has been brought home by news that a large botnet has reportedly compromised high-profile WordPress sites, including Mercury Science and Policy at MIT, National Endowment for the Arts (arts.gov), The Pennsylvania State University and Stevens Institute of Technology, to launch further attacks.
This in turn might be connected to a high-profile brute force attack on sites using the platform in April, which was interpreted as a preparation for future attacks. The botnet appears to have gained access to some sites by exploiting software flaws, using these to compromise the credentials of better-secured sites to boost DDoS attacks.
The regularity of such campaigns seems to be the new norm, not only against WordPress but against rivals Joomla and Drupal too.
"WordPress servers have become just another easy target for the nation-state supported hackers, electronic armies and technical extremists that happen to wake up on the wrong side of the bed on any given day," argued Corero Network Security's chief security evangelist, Stephen Gates.
"It's a case of simple math. If you wanted to build a botnet that could generate 100Gbps of attack traffic using older computers sitting behind DSL modems and each machine could generate a modest 1Mbps of attack traffic, how many bots would you need to generate 100Gbps of traffic? The answer is 100,000 machines.
If you instead infected a large number of servers sitting in hosting environments and each server could generate 1Gbps of attack traffic (which most servers today could easily perform), how many would you need to generate 100Gbps of traffic? The answer is simple - 100 machines. That's a very small botnet with some serious horsepower," he said.
Given the sheer size of the botnets being fuelled by these attacks, the potential to create a DDoS monster was obvious, he said.
A Trend Micro analysis earlier this month put some figures on the scale of what has been happening, with one backdoor campaign compromising as many as 100,000 domains in a single week.