Article Summary
WordPress releases regular updates to ensure the platform stays secure. However, there are still cases where security leaks cause harm to many of its users. Most attacks come from WordPress plugins. The best way to protect yourself is to stay informed. Here, I’ll be covering some exploitable WordPress plugins that you should be aware of, and offer some advice on how to protect your site.
WordPress releases regular updates to ensure the platform stays secure. However, there are still cases where security leaks cause harm to many of its users. Most attacks come from WordPress plugins.
The best way to protect yourself is to stay informed. Here, I’ll be covering some exploitable WordPress plugins that you should be aware of, and offer some advice on how to protect your site.
What is an Exploitable Plugin?
Exploits are security holes present in programs and codes. According to research, WordPress is most vulnerable through unsafe plugins. In this sense, an exploitable plugin is one that comes with a security flaw that hackers can use to harm your WordPress site.
Further, the CVE details reveal that XSS attacks are the most common hacking type on WordPress.
Depending on the goal, attackers may breach your system by manipulating bugs or loopholes in the plugin’s code. If they gain access, the first warning signs include strange website behavior like redirecting visitors to malicious websites, or phishing emails to customers from your site — the possibilities are endless.
That’s why it’s important to spend time and learn more about both WordPress site security, and trusted plugins, which will put you at a lower risk.
Types of WordPress Plugin’s Security Issues
Before moving on, let’s learn about the most common types of WordPress plugin vulnerabilities.
Cross-site Scripting
This security issue happens on the client-side. The attackers plant malicious script on websites and execute them in the visitors’ browser.
Cross-site scripting is also effective for defacement — changing a website’s appearance to show what the attackers want. This is a common tactic of the hacker group Anonymous.
SQL Injection
While cross-site scripting targets the client-side, SQL injections aim at the site’s server. As the name suggests, this attack can affect websites that use SQL databases.
A server stores all valuable information about a website and its users within databases. If an attacker manages to gain access to the databases, the information will be at risk and can be manipulated, stolen, or leaked.
File Inclusion Exploits
If your website allows users to upload files like photos or documents, you should be aware of this kind of threat. Hackers can use this to add harmful files to your site to manipulate your server by applying a specific configuration.
There are two types of file inclusion exploits: Local File Inclusion (LFI) and Remote File Inclusion (RFI). The first needs a local file to be put on the server to execute the script, while the latter relies on a remotely-hosted file to do the work.
Top 4 Exploited Plugins in WordPress
Now, let’s take a look at the four exploited plugins that had endangered thousands of WordPress users. This list showcases the plugins that contained high-risk exploits.
1. Visual CSS Style Editor
Also known as the Yellow Pencil Visual Theme Customizer, this plugin is used to customize color, font, and the overall theme of a website without using code.
There was a vulnerability found in the 7.1.9 version of this plugin that endangered as many as 30,000 websites. In the yellow-pencil.php file, there is the yp_remote_get_first() function that checks a certain parameter which triggers privilege escalation.
Unfortunately, this can let users without proper access to perform top-level actions like changing fundamental options. What is the worst-case scenario? A hacker redirecting the homepage or getting full admin access to your site.
2. WooCommerce Checkout Manager
The WooCommerce Checkout Manager plugin customizes a WooCommerce powered online store’s checkout page. It has more than 50,000 active installations as of writing. This just goes to show that mainstream plugins can also be at risk.
The plugin had a security flaw that allowed users to delete any media files even unrelated to their checkout process. The deletion of any media in $_POST[‘wccm_default_keys_load’] also removed the metadata from the site’s WordPress library.
3. Ad Inserter
Ad Inserter is used to manage ads and has more than 200,000 active installations. It supports platforms like Google Adsense and Amazon Native Shopping Ads.
Its 2.4.21 version allowed authenticated users with any role – including subscriber – to execute arbitrary PHP code. Not only that, there was another security hole that allowed regular users to utilize the debug mode that should be available to access for administrators only.
4. Social Warfare
With more than 60,000 users, social warfare is one of the most used lightweight WordPress social sharing plugins.
In March 2019, there was a bug found in version 3.5.2. It came from its clone feature – used to duplicate settings from a site – which was not restricted to the administrator role. The flaw would let hackers overwrite plugin settings on the victim’s site.
It was found that attackers had modified the twitter_id value that directed to a cross-site scripting injection point.
How to Stay Secure?
With so many ways for bad actors to breach your site, how do you stay protected? The following security practices make for a subset of this extensive WordPress security guide.
Keep Your WordPress Updated
Using the latest version of WordPress is highly recommended. Not only can you enjoy the newest features but it also guarantees that the latest known security issues are patched.
WordPress will give you notifications on the dashboard about each important update. It takes only one click and makes a big impact on site security. Additionally, you can also install an update manager plugin like Easy Update Manager to automate the process.
Check Your Plugins Status Regularly
If you’re unsure about the security of the installed plugins, you can check them manually. This allows you to know if one of your plugins is vulnerable to security breaches.
Backup Your Site
In case the worst-case scenario occurs, it’s best to have a clean site backup you can restore your site to, decreasing any downtime. Take help from this guide to take a backup effortlessly.
Install a Firewall
An end-point firewall is the best way to protect your site from these attacks. Continuous monitoring and blocking of any malicious traffic can secure your site like no other.
One such firewall is Astra’s hacker-tested firewall. It is known to block 100+ attacks including common attacks like the SQL injection, XSS, CSRF, Bad bots, etc. You can even use this firewall to block or whitelist IP/range/country that are threats for you.
Conclusion
Despite being robust and secure, WordPress isn’t immune to all security flaws. The most common threats on WordPress come from its plugins. The most exploited of which we explored in this article. While developers always work tirelessly to fix any flaws within their products, it’s up to you to guarantee your site’s security. You can do this by using the updated WordPress version, the latest plugin versions, installing a firewall, etc.
Any other such plugin came to your mind? Let us know in the comment box.
Simon Dwight Keller
Great post.
Thank you.
Thanks, Getastra for sharing information on plugins in WordPress.
Great job.
Thank you so much.