The Wordpress Plugins Playground
This morning, I had a quick look at my web server log file and searched for malicious activity. Attacks like brute-force generate a lot of entries and thus can be easily detected. Other scanners are working below the radar and search for very specific vulnerabilities. In this case, a single request is often sent to the server and generate a simple 404 error without triggering any alert. My blog being based on the Wordpress CMS, I searched for non HTTP/200 hits for plugins URLs ("/wp-content/plugins/")
CMS or “Content Management Systems” became vey popular today. It's easy to deploy a WordPress, Drupal or Joomla on top of a UNIX server. They exist also shared platforms which offer you some online space. If a CMS is delivered with standard options, it is easy for the owner to customize or to tune it.. just like cars. Modern CMS offer a way to extend the features or the look’n’feel via plugins (or add-ons or extensions).
From a security perspective, plugins are today the weakest point of a CMS. If most of the CMS source code is regularly audited and well maintained. It’s not the same for their plugins. By deploying and using a plugin, you install third-party code into your website and grant some rights to it. Not all plugins are developed by skilled developers or with security in mind. Today, most vulnerabilities reported in CMS environment are due to … plugins!
Based on my logs, here are some stats for the last 3 months:
- 8000+ hits for uninstalled/non-existent plugins
- 899 unique plugins tested (list)
Just for information, here is my Top-20 of tested Wordpress plugins:
Plugin Name | Count |
revslider (1) | 2084 |
wp-symposium | 735 |
showbiz | 701 |
easy-fancybox | 542 |
newsletter | 390 |
videowhisper-video-conference-integration | 367 |
reflex-gallery | 357 |
videowhisper-video-presentation | 328 |
wysija-newsletters | 295 |
player | 288 |
uploadify | 273 |
social | 267 |
google-mp3-audio-player | 203 |
uploader | 197 |
wp-email | 165 |
dzs-zoomsounds | 143 |
easy-social-media | 137 |
backup | 132 |
simple-ads-manager | 130 |
wp-filemanager | 121 |
(1) Very popular exploit in the wild for a while
If you run your own CMS, here are some security tips regarding the use of plugins:
- Only install plugins that your really need.
- Some plugins can be configured. Always review the default settings and adapt them to your environment and security requirements
- When you tested a plugin and if you decide to not use it, disable and un-install it completely.
- If the popularity is a plugin is a good indicator, do not trust them! (Popularity != Security)
- Like any piece of software, update them
- Take a deep breath and jump into the code to have a quick code review (any backdoor installed?)
- WordPress has an hardening guide with good recommendations.
As a general advice regarding 4xx HTTP errors, do not implement checks for single errors but search for multiple 4xx (or 5xx) errors generated in a short amount of time from a single IP address. This is helpful to detect ongoing scans! (a log management solution can do that very easily)
Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be
Comments