Almost Half the Internet Is a Cybersecurity Mess
Who hasn’t heard of WordPress? As one of the most accessible and adaptable content management systems, it is no surprise that WordPress powers roughly 43% of the websites on the internet. From blogging to eCommerce, whether monetized or not, WordPress helps millions of businesses generate revenue and connect with customers across the globe.
However, the sheer popularity of WordPress sites makes them a prime target for any cybercriminal. Whether the goal is stealing credit card numbers, exfiltrating personally identifiable information, or planting a backdoor for further malware, cybercriminals have been running amok and taking advantage of major vulnerabilities that could affect almost every single WordPress site.
To mitigate this threat, you need to stay on top of updates and understand what a Web Application Firewall is and what it does.
Update Procrastination: A Dangerous Habit
Many WordPress users fail to keep their sites adequately updated. Though there are a number of domain management services that install and manage updates automatically, these cost money. A WordPress site can be set up almost for free; that is fantastic when you’re just getting started, but it tends to make users financially complacent. Without automatic updates, keeping the site fully up to date falls entirely to the site administrator.
WordPress developers roll out updates every three months or so. Each release includes swathes of subtle changes, including improvements, bug fixes, and critical security patches. These are absolutely mandatory, but keeping the core WordPress software up to date is relatively easy. 50.3% of infected WordPress sites are outdated, but the true security nightmare lies in the tens of thousands of plugins.
One reason for WordPress’ sheer popularity is this range of plugins. Free or paid, these range from form inputs to server-side analytics management. Your site may have one or a dozen plugins, but the more plugins wedged into a site, the harder it becomes to actively manage the waves of updates. Even one outdated plugin can offer attackers the necessary chink in the armor.
This is reflected in the vulnerability statistics: 91% of WordPress vulnerabilities originate from plugins and themes.
Injection Techniques
In April of 2022, researchers found over 9,300 WordPress websites riddled with one specific vulnerability, but the precise impact on users varied widely.
One traditional form of attack is to implant a backdoor into the site itself. A very simple script is triggered by requesting a specific URL in a web browser. Once this URL is requested, the victim’s WordPress site gains a new user with the administrator role. This backdoor is now fully available to the attacker, who can regain access to the WordPress installation at any time.
Once a site is compromised, there are a number of ways to pass this illicit access on to the site’s users. The infection technique sweeping WordPress sites as of April 2022 is a JavaScript injection attack. Its goal is to redirect an innocent user to a site that infects their device through malvertising.
Researchers found a relatively simple string of JavaScript that had been planted within the site’s files and throughout a number of third-party plugins. This included injection into legitimate core site files, making removal far harder. Besides spanning a broad range of injection points, other techniques aimed at persistence were visible. For example, the JavaScript code was obfuscated with charcode: the function replaces the letters making up the malicious strings with their corresponding numeric character codes.
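The obfuscation described above is what a defender has to see through when cleaning a site. The following is an added example, not code from the article or from any WordPress project: a small Python scanner that decodes charcode calls (assumed here to be JavaScript’s `String.fromCharCode()`) and flags decoded text that contains a redirect primitive. The snippet it scans is constructed, and the domain in it is a placeholder.

```python
import re
from pathlib import Path

# Constructed sample of the kind of injection the article describes: a
# String.fromCharCode() call whose decoded text performs a redirect.
# The domain is a placeholder, not an indicator from any real campaign.
CONSTRUCTED_SNIPPET = (
    "<script>eval(String.fromCharCode("
    + ",".join(str(ord(c)) for c in 'window.location.href="https://example.invalid/";')
    + "));</script>"
)

# Matches decimal or 0x-hex code lists inside String.fromCharCode(...).
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9a-fA-Fx,\s]+)\)")
# Decoded text is flagged if it contains any of these redirect primitives.
SUSPICIOUS_MARKERS = (
    "window.location", "document.location", "location.href", "location.replace",
)


def decode_charcode_calls(text):
    """Return the decoded string for every String.fromCharCode(...) call in text."""
    decoded = []
    for match in CHARCODE_RE.finditer(text):
        codes = []
        for token in match.group(1).split(","):
            token = token.strip()
            try:
                codes.append(int(token, 0))  # base 0 accepts "65" and "0x41"
            except ValueError:
                continue  # skip empty or malformed tokens
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def find_suspicious(text):
    """Return decoded payloads that contain a redirect primitive."""
    return [d for d in decode_charcode_calls(text)
            if any(marker in d for marker in SUSPICIOUS_MARKERS)]


def scan_tree(root):
    """Walk a WordPress install and map each file to its suspicious payloads."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".js", ".php", ".html"}:
            continue
        found = find_suspicious(path.read_text(errors="ignore"))
        if found:
            hits[str(path)] = found
    return hits


if __name__ == "__main__":
    for payload in find_suspicious(CONSTRUCTED_SNIPPET):
        print("suspicious decoded payload:", payload)
```

Run `scan_tree()` against the WordPress root (including wp-includes and wp-admin, since the article notes core files were injected too) and review every hit by hand; a legitimate plugin can also use charcode, so the decoded text, not the mere presence of the call, is what matters.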
When a user tries to access an infected WordPress site, they are immediately redirected to a site of the attacker’s choosing. A series of redirects then whisks the user through a number of malware-infected sites. One of the most interesting was a site that displayed a blank page with a fake captcha. Appearing to validate the user, it was in fact an opt-in button for popup ads. Even when the site isn’t open in a browser, attackers can then push ads that look like they originate from the operating system, further hiding the malicious site.
This sneaky opt-in maneuver is one of the most common ways in which attackers begin ‘tech support’ scams. These pop-ups inform the user that the device is infected by malware (technically true) and that they should contact the details provided to have it removed.
But this is just one example: once a user has attempted to load an infected site, they are totally at the mercy of the attackers. The redirect chain can lead to a phishing page that skims credit card details; drive-by malware downloads; or even more redirects.
Protecting Against WordPress Exploitation
The danger of WordPress exploitation lies in the breadth of its malicious effects. Attempting to prevent each issue individually would be incredibly resource-demanding – and downright maddening. Instead, you need a comprehensive suite of protective measures that stop the issue at its source.
Firstly – if you own a WordPress site – always keep the core site and all plugins up to date. Never procrastinate on updates, as neglecting them compromises not just your own devices but all of your users’ as well. A Web Application Firewall (WAF) is one of the most surefire ways to prevent malicious script injection into your site.
This tool sits at the perimeter of your WordPress deployment, monitoring the external connections made to it. These connections are compared against the WAF’s whitelist or blacklist, depending on your preferred architecture. If you rely on a blacklist, you’ll need to keep an eye on which URLs are being used to compromise WordPress admin privileges, as you’ll have to manually update the list of malicious URLs to block. This is one advantage of setting up your WAF with a simple whitelist: any activity outside the specified URLs is blocked from the get-go.
A solid, reliable and adaptive WAF is the first line of defense against the ever-evolving WordPress attack surface. Keeping cybercriminals from hijacking your site and your customers is a vital part of brand trust. A site that is so central to your eCommerce, brand, and customer relationships deserves the protection of an adequate cybersecurity suite.
Read Dive is a leading technology blog focusing on different domains like Blockchain, AI, Chatbot, Fintech, Health Tech, Software Development and Testing. For guest blogging, please feel free to contact us at readdive@gmail.com.