A while ago in another post I asked Is it time to give up on WordPress sites? and I got some interesting comments; here’s two that nail the issue and the growing sentiment:
Marco Naseef: “extremely modular = extremely vulnerable”
David Franks: “… I run a hundred or so Wordpress sites and I'm on the verge of throwing in the towel. / All the big hosts like Bluehost and Hostgator have their shared host platforms controlled by hackers and riddled with malware like dark leach. It's very dispiriting. / I think the days of Wordpress are numbered”
What’s happening is that the WordPress universe has become a huge target for hackers and the enormous range of plugins include too many with poorly engineered code. Moreover, even well-engineered plugins can have security flaws exposed when they interact with other plugins.
In reality, the problem is much bigger, because it’s not just WordPress that’s a concern; the same criticisms apply to Drupal, Joomla, and many other systems that have evolved into general purpose publishing platforms for blogging, marketing, and sales and have acquired ad hoc functionality along the way.
Here’s a great and current example: By now I suspect the entire planet knows of the massive “Panama Papers” data breach totaling 2.6 terabytes and including 11.5 million documents but few people know how the breach happened. So, what was the cause? It’s thought the breach was due to a WordPress plugin.
The source of the Panama Papers was the website of the Panamanian law firm, Mossack Fonseca, which was using an old version of a WordPress plugin called Slider Revolution (also known as “Revolution Slider”). The version MF was using, 2.1.7 (the current version is 5.2!), was well known to have serious vulnerabilities, but MF for whatever reason (probably complacency) had never updated it.
These vulnerabilities allowed hackers (identity, so far, unknown) to access the WordPress installation at an administrative level and from there get enough information to access MF’s mail server and Drupal-based client portal. Voila! Hilarity ensued.
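The lesson of the Slider Revolution incident is that nobody at MF was tracking what plugin versions were actually installed. As an added example (not code from the original post or from any plugin vendor), here is a small inventory check that parses the standard WordPress plugin header comment and flags any plugin whose version falls below a maintained minimum; the sample header and the minimum-version table are constructed for illustration, with 5.2 taken from the post as the current Slider Revolution release.

```python
import re
from pathlib import Path

# Minimum acceptable versions. Assumption: this table is constructed for the
# example; in practice it is maintained from vendor changelogs and advisories.
MINIMUM_VERSIONS = {
    "Slider Revolution": "5.2",
}

# Constructed sample of a WordPress plugin header, modelled on the
# "Plugin Name:" / "Version:" comment block every plugin's main PHP file carries.
SAMPLE_REVSLIDER_PHP = """<?php
/*
Plugin Name: Slider Revolution
Plugin URI: http://revolution.themepunch.com/
Description: Slider Revolution - Premium responsive slider
Version: 2.1.7
Author: ThemePunch
*/
"""

# Match "Plugin Name: X" and "Version: X" lines, with or without a leading "*".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def parse_plugin_header(php_source: str) -> dict:
    """Return the Plugin Name and Version fields from a plugin's header comment."""
    return {key: value for key, value in HEADER_RE.findall(php_source)}


def version_tuple(version: str) -> tuple:
    """Compare numerically so that 2.1.7 < 4.10 < 5.2 (plain string compare gets 4.10 < 4.9)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def check_plugin(php_source: str) -> tuple:
    """Classify one plugin file as 'ok', 'outdated', 'not-tracked' or 'unknown'."""
    header = parse_plugin_header(php_source)
    name, version = header.get("Plugin Name"), header.get("Version")
    if not name or not version:
        return (name, version, "unknown")
    minimum = MINIMUM_VERSIONS.get(name)
    if minimum is None:
        return (name, version, "not-tracked")
    status = "outdated" if version_tuple(version) < version_tuple(minimum) else "ok"
    return (name, version, status)


def scan_plugins_dir(plugins_dir: str) -> list:
    """Walk wp-content/plugins/*/ and check every PHP file that carries a plugin header."""
    results = []
    for php_file in Path(plugins_dir).glob("*/*.php"):
        source = php_file.read_text(errors="ignore")
        if "Plugin Name" in parse_plugin_header(source):
            results.append(check_plugin(source))
    return results
```

Run `scan_plugins_dir("/var/www/html/wp-content/plugins")` on a real install and anything reported as `outdated` is the sort of finding MF never looked for.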
The law firm at the centre of the Panama Papers hack has shown an "astonishing" disregard for security, according to one expert. Amongst other lapses, Mossack Fonseca has not updated its Outlook Web Access login since 2009 and has not updated its client login portal since 2013.
Mossack Fonseca's client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site's changelog.
On its main website Mossack Fonseca claims its Client Information Portal provides a "secure online account" allowing customers to access "corporate information anywhere and everywhere". The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal's backend can also be accessed by guessing the URL structure, a security researcher noted.
More commentary on MF’s staggering lack of security awareness has been covered by Wordfence, creators of the eponymous (and excellent) plugin that monitors other WordPress plugins for vulnerabilities and blocks hacking attempts.
What all of this goes to show is that as good as WordPress et al have been, and in many ways still are, they've become architecturally a little long in the tooth and maybe it's time to look seriously at alternatives.