The security of WordPress plugins

Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection.

Furthermore, a concentrated research into e-commerce plugins revealed that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. This is the first time that such a comprehensive survey was prepared to test the state of security of the leading plugins. In total, 8 million vulnerable WordPress plugins were downloaded.

Hackers can exploit these vulnerable applications to access sensitive information such as personally identifiable information (PII), health records and financial details. Other vulnerabilities allow hackers to deface the sites or redirect them to another attacker-controlled site. In other cases, hackers can take control of the vulnerable sites and make them part of their botnet heeding to the attacker’s instructions.

The issues lie within WordPress’ extensive plugin offerings. These security gaps within the plugins allow hackers to use the platform as vehicles for mass infections and malware distribution. Since Checkmarx did not focus on the security of the basic platform, their discussion can be applied to any marketplace that provides third-party extensions and applications.

Maty Siman, CTO of Checkmarx comments: “The problem of insecure plugins is not just a WordPress problem. Rather, it reflects an issue that all platform providers need to take into consideration – and that is the security of the extensions and applications that are being built and distributed through their platform. Application marketplaces should enforce a security standard for the third-party apps and authorize only those apps that pass the security bar.”

Recommendations for web admins:

Whether a WordPress-based site admin for a large enterprise or a small business, here’s what you can do:

1. Download plugins only from reputable sources. For WordPress, this means WordPress.org Since anyone can develop a WordPress plugin, hackers can also exploit this vulnerability to hide their own nefarious plugin. Although going through a reputable marketplace will not guarantee only harmless plugins6, you should consider this as a first line of defense.

2. Verify the security posture of the plugin by scanning it for security issues. If you have the source code – and most probably you do since the plugins are open-source – run a static source code analysis tool which will provide you with the plugin’s “bill of health”. Advanced scanners can even point you with the optimal and quickest fix recommendations. If you cannot manage the plugin’s source code, you can run any of the WordPress dynamic security scanner plugins. The downside? These test only specific scenarios and so the scanners lose out on coverage.

3. Ensure all your plugins are up to date. Do not ignore all those notification emails of an upgraded plugin version. You can even use a purposeful WordPress plugin that notifies admins on updates to other installed plugins. There are also third party services which provide a plugin update notification and management offering.

4. Remove any unused plugins. The code of old, unused plugins remains on the server – even if the plugins are inactive. Schedule plugin spring cleaning as part of your WordPress site admin activities.