WordPress powers more than 60 million websites, but source code analysis company Checkmarx says the WordPress ecosystem of plugins is swarming with significant vulnerabilities.
According to WordPress.org, the open source platform WordPress powers more than 60 million websites and 18% of the Web. It's also the most popular blogging content management system (CMS) on the planet. It takes a lot of users of a platform to make these kinds of lofty claims.
The core WordPress software is built by hundreds of community volunteers. What's more, WordPress attracts thousands of developers who have created more than 25,000 themes and plugins to support this platform. All of this complementary software allows users to customize their websites. Unfortunately, it also puts a good portion of those 60 million websites in a position of vulnerability due to poorly secured plugin code.
In a report just released by Checkmarx, "The Security State of WordPress' Top 50 Plugins," the company outlines research showing that 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks such as SQL injection. What's more, 7 out of the 10 most popular e-commerce plugins contain significant vulnerabilities. Think about that the next time you use an online shopping cart.
Checkmarx develops solutions for automated security code review. The company primarily works with developers of enterprise software in all phases of the development lifecycle to identify technical and logical code vulnerabilities. Checkmarx is known for helping to protect applications in large platform ecosystems like Salesforce.com.
The company wanted to give back to the development community and it decided to start with the WordPress ecosystem because of its extensive reach. Also, Checkmarx was concerned that there are so many security advisories warning about vulnerabilities in various WordPress plugins. So, earlier this year, Checkmarx began to scrutinize some of the most popular code used in millions of websites around the world. What it found is alarming.
Starting in January, Checkmarx performed scans of the top 50 most downloaded plugins for the WordPress platform. The initial scans were overwhelming, so the company focused on scanning just for highly critical vulnerabilities. Of those 50 pieces of code, 18 of the plugins -- which collectively had more than 18.5 million downloads -- had significant vulnerabilities. Checkmarx contacted the plugin developers to let them know of the vulnerabilities and worked with some of the developers toward their fixes.
Again in June, Checkmarx scanned the top 50 most popular WordPress plugins. This time around, 20% of the applets were found to be vulnerable to SQL injection, cross-site scripting, cross-site request forgery and path traversal. Unfortunately, only six plugins Checkmarx had previously scanned were completely fixed in that span of six months, although every plugin had been updated in that time. To make matters worse, there have been nearly 8 million downloads of the insecure plugins.
Next the company turned its attention to the top e-commerce plugins. Since these applets handle payments, Checkmarx expected that they would be far more secure than the general use plugins. The results of the scans, however, showed just the opposite: 7 out of the top 10 e-commerce apps were highly flawed and could be hacked at any time. These vulnerable plugins have been downloaded more than 1.7 million times.
Checkmarx says there are three major affected parties when it comes to WordPress plugin vulnerabilities: website administrators, plugin developers and WordPress itself. (Of course, users of the websites with the vulnerable code can be affected, but there's really nothing they can do about it. Only the three parties listed above can take meaningful action to fix the vulnerabilities problem.)
Checkmarx has recommended actions for each of these groups to reduce the risk of vulnerabilities.
What website administrators can do:
- Download plugins only from reputable sources. For WordPress, this means WordPress.org. Even at that, don't assume that a plugin is secure.
- Verify the security posture of the plugin by scanning it for security issues. (Checkmarx has tools to help you do this.)
- Ensure all your plugins are up to date.
- Remove any unused plugins.
For all you plugin developers out there, here are some recommendations for you:
- Integrate security within your development processes.
- Run your plugin through a code scanner to ensure that it stands up to a security standard.
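To make the four vulnerability classes the scans flagged concrete, here is an added illustration (not code from the Checkmarx report or from any real plugin) of a hypothetical plugin request handler written two ways: the loose version that a scanner would flag, and a hardened version using the WordPress APIs a developer should reach for. The hook name `demo_export`, the `exports` directory and the `manage_options` capability choice are assumptions; the WordPress functions called are real.

```php
<?php
// Added illustration, not from the Checkmarx report: a hypothetical plugin
// handler showing SQL injection, XSS, CSRF and path traversal side by side
// with their fixes. Hook and directory names are invented.

// Vulnerable version: untrusted input flows straight into SQL, HTML and a
// file path, and nothing proves the logged-in user intended the request.
function demo_export_vulnerable() {
    global $wpdb;
    $name = $_GET['name'];                                   // untrusted input
    $rows = $wpdb->get_results(
        "SELECT * FROM {$wpdb->posts} WHERE post_title = '$name'" ); // SQL injection
    echo "<h2>Results for $name</h2>";                       // reflected XSS
    readfile( WP_CONTENT_DIR . '/exports/' . $_GET['file'] ); // path traversal via ../
}

// Hardened version of the same handler.
function demo_export_hardened() {
    global $wpdb;
    // CSRF: require a capability and a nonce bound to this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_export' ); // dies unless _wpnonce is valid

    // SQL injection: parameterise the query with $wpdb->prepare().
    $name = sanitize_text_field( wp_unslash( $_GET['name'] ?? '' ) );
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title = %s", $name ) );

    // XSS: escape every value at the point of output.
    echo '<h2>Results for ' . esc_html( $name ) . '</h2><ul>';
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    echo '</ul>';

    // Path traversal: drop directory components, then confirm the resolved
    // path still lives inside the intended directory before reading it.
    $base = realpath( WP_CONTENT_DIR . '/exports' );
    $file = sanitize_file_name( basename( $_GET['file'] ?? '' ) );
    $path = ( $base !== false && $file !== '' ) ? realpath( $base . '/' . $file ) : false;
    if ( $path === false || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }
    readfile( $path );
}
add_action( 'admin_post_demo_export', 'demo_export_hardened' );
```

The link that triggers the hardened handler must carry the matching nonce, e.g. `wp_nonce_url( admin_url( 'admin-post.php?action=demo_export' ), 'demo_export' )`, otherwise `check_admin_referer()` rejects it.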
WordPress and other application platform providers can do the following:
- Enforce a security policy on apps that enter the marketplace.
- Authorize only apps that pass the security bar.
Checkmarx provides more detail behind all of these recommendations in its report. If your company uses WordPress and any of its plugins for blogging, content management or simply developing a website, you need to see where your vulnerabilities are.
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.