Introduction to Content Management Systems and WordPress
I decided to write about Content Management Systems and WordPress after seeing the damage that irresponsible disclosure can do to website owners globally. WordPress is the most popular Content Management System (CMS) in the world, with over 36% of all websites on the web being powered by this Open-Source software (W3 Techs, 2020). There are over 29 million WordPress websites currently online (BuiltWith® Pty Ltd, 2020). As such, it is also heavily targeted by hackers – criminals and activists wanting to compromise websites for a variety of reasons. This project aims to analyse the reasons behind these attacks, the techniques used to compromise WordPress websites, and the impact these compromises can have on the websites and on the businesses or organisations running them.
This report aims to provide details on how Content Management Systems and WordPress sites in particular are often compromised and why. We will go on to discuss the importance of responsible disclosure of vulnerabilities and give some insight to Information Security professionals on what they can do to help website owners to keep their sites secure, specifically relating to WordPress websites.
I work in the Site Security Team of Defiant Inc, which is better known as the company behind Wordfence, the popular WordPress security plugin. I am involved in helping clean infected sites. Samples of the malware and intrusion vectors discovered are added to the Defiant Threat Intelligence database (DTI) and used to generate signatures for the Wordfence Web Application Firewall (WAF).
With WordPress seen as the de-facto standard for content driven websites across the globe, it is also the CMS platform most targeted by hackers. Whether to generate revenue through spam marketing campaigns, or to compromise further machines as part of a botnet, or just simply to prove that they can, hackers will continue to look for vulnerabilities in WordPress components. When such vulnerabilities are discovered by security researchers, the importance of responsibly disclosing them is paramount.
The impact of these attacks can be devastating to the owners or users of these websites, as well as to wider society. Business reputations can be ruined, causing those organisations to have to cease trading. Users of these websites can lose personal information, allowing them to be further compromised and potentially subjected to fraudulent transactions. Some individuals may be reimbursed by their credit card companies for these transactions, although this increases the costs for all consumers. Whilst some attackers may feel that attacks against WordPress websites are a faceless and victimless crime, in reality the impact at a personal level can be all too real.
The three primary objectives of this report were as follows:
- To provide an explanation of how WordPress sites are often compromised and why. This will be based on real data gathered from the Defiant Threat Intelligence database.
- To highlight the importance of responsible disclosure of vulnerabilities, highlighting the real damage that is done by not following proper procedures when making such disclosures.
- To give insight to Information Security professionals on what they can do to help keep websites secure.
This, I believe, resulted in a document that is not purely theoretical, but also of practical benefit to end-users and technology professionals.
As mentioned, I am involved in cleaning infected websites. Samples of the malware and intrusion vectors discovered are added to the Defiant Threat Intelligence database (DTI) and used to generate signatures for the Wordfence Web Application Firewall (WAF).
All of this data provides an invaluable insight into the latest threats affecting Content Management Systems and WordPress websites in particular. The company regularly publishes research on their blog. The company has kindly agreed to provide access to this data to help in the development of this report. Obviously, all data used in this report is fully anonymised.
In order to provide data to back up the hypothesis that responsible disclosure of vulnerabilities is of great importance, we will be analysing the number of attacks blocked by the Wordfence Web Application Firewall in the aftermath of three specific disclosures. This will be done by interrogating the Defiant database containing details of the attacks blocked during those periods. We will also be analysing the reports created by Wordfence Security Analysts in the period after these disclosures to determine the number of site cleaning orders placed by customers where the intrusion vector was determined to be the exploitation of these vulnerabilities.
This report will first give a background on Content Management Systems and WordPress, why and how they are used and how they have developed over the years.
The report will then go into more detail on WordPress, discussing the typical architecture of a WordPress website.
It will then go on to discuss the risks and benefits of using a popular Content Management System like WordPress: why it has been so successful and so heavily used by web developers and website owners across the world, but also the risks that come with using such systems.
We will then analyse the reasons and motivation behind the attacks seen on WordPress sites, before moving on to look at typical vulnerabilities exploited by hackers.
We will then look at specific examples of vulnerabilities affecting WordPress websites, how they were exploited, and the impact of whether or not each vulnerability was disclosed responsibly.
Finally, we will look at best practice for hardening a WordPress website against such attacks.