02 Mar

This Isn’t Great Information on What Are Supposed to be the Most Attacked WordPress Plugins

When it comes to better understanding security surrounding WordPress there is dearth of useful data. For example, despite millions of websites using various security plugins and numerous claims of the effectiveness of them, the few test we have done of them to see if they could protect against the exploitation of real vulnerabilities in other plugins are almost the only testing that has every been done. Considering that that the results showed that they provide almost no protection, it isn’t like a lack of testing is due to a lack of need for that information. Most of the data that you might run across is of little value and often is distorted even further when repeated by others.

Recently while we were looking for information on something else we ran across a recent post on the website, jeffbullas.com, titled “The Top 50 Most Attacked WordPress Plugins Making Your Site Vulnerable to Hackers” (http://www.jeffbullas.com/attacked-wordpress-plugins/). A few paragraphs in, things already looked really bad, as there is this claim:

One study revealed that almost 98% of WordPress blogs were easily exploited because they were running outdated versions of the software, or outdated plugins.

There is no link to this supposed original study or any other information in the post about it (despite plenty of other links in it), so who knows if it really exists. But it if did, it must have come from someone that has no idea what they are talking about, since the number is absurd.

Moving on, here is the explanation of the information provided:

This post will highlight the 50 most attacked WordPress Plugins in 2017. The report will showcase:

  • The number of total attacks. This will determine the total number of attacks that were reported by the particular plugin.
  • The type of the attack. This will reflect the “Location File Inclusion” (LFI) attack that allows exploiters to download any file they want, or the “Unrestricted File Upload” that allows exploiters to upload a “shell” that gives them full remote access to target the site.
  • The exploit database link. This will determine the language used by the penetration testers and vulnerability researchers.
  • The WordPress plugin website.This will provide you details and information about the plugin and a link to download.

There is no explanation as to where the total number of attacks is supposed to have come from, which seems like it would be rather important to note. It looks like for portions of the list the plugins are ranked by the number of attacks, but occasionally the number of attacks changes dramatically from one plugin to the next, which makes us more suspicious as to whether the numbers are even real.

In an indication of the lack of understanding of the topic by the author, they confuse a local file inclusion (LFI) vulnerability with an arbitrary file viewing (or arbitrary file download) vulnerability despite linking to a page that accurately describes what a LFI vulnerability is.

We can’t even decipher what “This will determine the language used by the penetration testers and vulnerability researchers.” is supposed to mean (we also haven’t seen evidence that penetration tester discover a measurable amount of vulnerabilities in WordPress plugins).

Right after that is this statement:

If you use any of these attacked WordPress plugins on your website, you may want to look into ways to improve your security.

That’s not all that helpful.

At the bottom of the post they give better advice, though the post doesn’t indicate if the vulnerabilities have been fixed and therefore is upgrading will do any good:

If you use any of the above plugins, ensure you upgrade to the latest version, and adopt Wordfence with Firewall enabled to protect your WordPress sites from unexpected brute force attacks in the future.

Also notable here, is that brute force attacks are hot happening, so installing a plugin to protect against them would not be good advice since it would also add additional security risk (that isn’t a hypothetical risk).

To see the questionable value of this type data (if it was even accurate) just look at the first entry:

#1. Recent Backups (Backup for your website)

Total attacks: 2,159,725

Type: LFI

Exploit database:https://www.exploit-db.com/exploits/37752/

Website link: https://wordpress.org/plugins/recent-backups/

First this vulnerability was disclosed on August 10, 2015, so there is a good chance that if it would have lead to a website being hacked it likely would have occurred before 2017. What is important to note is that the type of vulnerability, arbitrary file viewing, is one of the most targeted types of vulnerabilities, but it doesn’t appear to usually lead to websites being hacked. What the vulnerability is normally exploited to do on a WordPress website is to view the contents of the WordPress configuration file, wp-config.php. The main piece of information that can be gathered from doing that are the database credentials for the website. As best we can tell hackers don’t try much to utilize that, the only time we can recall that leading a lot of WordPress websites being exploited due to that type of vulnerability was when GoDaddy had screwed up and starting making databases remotely accessible that were configured to not allow that.

The other thing that seems rather important about this, is that plugin is only used on 100+ websites according to wordpress.org, so the impact its exploitation could theoretically have is rather limited.

If the attack number is accurate, the main take away here is that hackers will try to exploit vulnerabilities that are used on very few websites and where the chance of successfully exploiting them is limited. That doesn’t require a list of 50 plugins and the post doesn’t provide any insight like that or useful information like if the vulnerabilities were fixed.

A far simpler way to check if you are using versions of plugins that hackers appear to exploiting would be to install the companion plugin to our service, as that will automatically check all the plugins installed against the free data on just that type of vulnerability that comes with that plugin.