According to a leading web vulnerability assessor, more than 70% of WordPress sites are vulnerable to hackers. Do you know for sure if your website is among them? Sure, you might be doing everything you can to keep your computer secure: you have antivirus for pc installed, you monitor your browsing habits… but can you say the same for your WordPress site?
Believe it or not, the plugins you use can dramatically affect the security of your WordPress website… and even though you might have done your due diligence and downloaded them from a reputable source, they might still have easily-exploitable issues which allow hackers in. A thorough test of the top 50 plugins from Checkmarx, a code-review firm, found that an astonishing 20% of the plugins they reviewed represented significant web-security risks.
Even worse? Seven out of the top ten most widely-used ecommerce plugins were among those considered vulnerable. And in total, these vulnerable plugins were installed approximately 8 million times.
In the past, similar vulnerabilities (like the TimThumb issue) were used to redirect wordpress websites to rogue malware sites. In the TimThumb case, 1.2 million websites were affected. And just because a plugin comes from a reputable source doesn’t mean it can’t be vulnerable: here’s a list of some extremely popular plugins which have had vulnerabilities exploited by hackers.
Extreme vulnerabilities have been discovered in Jetpack since 2013, and continue to be unearthed; even as late as October 2015, new discoveries about weaknesses have been unearthed. These often take the form of XSS vulnerabilities, which allow remote users to gain access to your website’s administrator area and privileges.
The Jetpack maintenance team has aggressively worked to update their plugin to maintain its safety, but there’s no such thing as absolutely secure. The fact that Jetpack is one of the most popular plugins also makes it a prime target for hackers.
Ninja Forms is a popular and beautifully-performing WordPress plugin to generate forms, but many flaws have been uncovered to date. From allowing cross-site scripting to exploitable conditions which can allow hackers to gain control of sensitive site information, this is a damaging blow when there are so many more secure form plugins out there.
One of the major ecommerce plugins affected by vulnerability, the WooCommerce plugin (at the time called the WP eCommerce plugin) had some critical-level security issues. Though they were corrected via update, there continue to be some known issues, including SQL injection weaknesses. WooCommerce is one of the largest ecommerce plugins available on WordPress, and currently has over 1 million installs.
Another premium plugin on hundreds of thousands of WordPress sites, Slider Revolution is another plugin which has had critical vulnerabilities exposed since 2013, and then again every year since. In 2014, hackers exploited this vulnerability to compromise hundreds of thousands of sites across almost all major hosting platforms. It allowed hackers to use the sites to serve up SoakSoak malware to visitors and webmasters.
Protecting Your Website
The vulnerabilities are out there, they’re exploitable, and as hackers become more complex and gain more access to greater computing power, it’s a certainty that there’s no absolutely, 100% unhackable system. How do you test your plugin for vulnerabilities? How can you protect your website?
You can use some web-based tools like HackerTarget or OWASP. But you can also download legitimate and authenticated security plugins for your website, utilize WordPress recommended safety practices (like locking your admin areas to specific IP addresses) and staying up to date with WordPress security updates, creating strong login credentials, and turn to your hosting provider for help.
Most hosting providers, in the cost of your hosting, will give you several web-security options for your website. You can also regularly update your PHP and MySQL databases to beef up your website’s security… which is just as important as updating your WordPress framework!