Over the last few weeks, there have been multiple instances of security vulnerabilities discovered in WordPress and its plugins, which have affected over a million sites worldwide. These include an exploitable vulnerability in the popular Elementor Pro plugin, an ongoing malware injection campaign known as Balada Injector that's been active since 2017, and a vulnerability found in the All-In-One Security (AIOS) plugin.
As a WordPress site owner or agency that manages multiple sites, it's essential to understand the potential risks associated with such vulnerabilities and take proactive steps to minimize them, for you and your clients. In this blog post, we'll discuss the hidden security risks of using WordPress and suggest some effective measures that you can take to manage these risks effectively.
WordPress is by far the most popular CMS platform on the internet, with over 810 million websites using it - that's a staggering 43% of all websites. But with great popularity comes great risk, and the dominance of WordPress in the market makes it a prime target for hackers and cybercriminals. In fact, WordPress is the most hacked CMS platform on the internet, with hackers actively searching for vulnerabilities in WordPress sites every day.
Digital agencies, which serve dozens or more business customers, need to be especially mindful of the security risks associated with WordPress. While the platform offers many benefits, including its open-source software tools and user-friendly interface, it also presents significant challenges, such as hosting costs, maintenance, and security.
To mitigate the security risks of using WordPress, digital agencies should take a proactive approach to securing their clients' sites. This could involve implementing security plugins, keeping plugins and themes updated, using strong passwords, and regularly backing up site data. By taking these steps, agencies can help to ensure that their clients' WordPress sites are as secure as possible, and avoid the potentially devastating consequences of a hack or data breach.
To get a sense of the security risks facing WordPress users, let's take a closer look at three recent incidents that highlight some of the vulnerabilities in the platform.
1. The first incident involves a bug in the Elementor Pro WordPress plugin, which was discovered during March, and reported by Bleeping Computer on March 31, 2023. Security researchers found that the bug could be used by hackers to take over a site completely, particularly when the plugin was installed alongside WooCommerce. Fortunately, the developers of Elementor Pro quickly released a patch for the bug, and users were advised to upgrade to version 3.11.7 or later. The latest version available at the time of writing is 3.12.2.
2. Another recent incident involving WordPress security concerns the Balada Injector malware campaign, which was reported by various sources, including this post in The Hacker News from April 10, 2023. This campaign has been active since 2017 and has infected over 1 million WordPress sites, allowing hackers to gain admin access to servers that host these sites. Once a single site is compromised, hackers can potentially gain access to all other sites hosted on the same server. Researchers consider it an Advanced Persistent Threat (APT) to digital assets, which is one of the worst nightmares of any security manager.
3. The third security issue I want to discuss was reported on April 11, 2023 in the Search Engine Journal, and was related to the All-In-One Security (AIOS) plugin for WordPress. This vulnerability is believed to impact more than 1 million websites. Similar to Balada Injector malware, the exploit allows hackers to gain access to sensitive files and folders on the hosting server, putting website owners' data and privacy at risk. This vulnerability is a significant concern for businesses that host their websites on WordPress. For digital agencies, which may host multiple websites on the same server, this issue poses a broader risk to their entire portfolio.
It's crucial to acknowledge that security vulnerabilities most likely do exist in any software system. That's why companies invest in a vast range of security controls, including tools and processes, and hire security experts to mitigate the security risks. As a user of any software tools, it's essential to keep them up to date. Effective patch management is perhaps the most crucial control that you should implement. This applies to operating systems and it holds true for WordPress servers. However, the core model of WordPress poses significant challenges for anyone who builds and maintains WordPress sites, particularly for their security personnel.
WordPress's flexibility is both a strength and a weakness when it comes to security. The ability to add custom themes and plugins provides an enormous amount of flexibility for developers and users. However, this also means that developers of themes or plugins have the ability to alter the server-side code directly, which can increase the risk of introducing security vulnerabilities. One change to a file can compromise the database, the server, and potentially impact other websites on the same server. Additionally, accessing the root folder of a machine running multiple WordPress sites poses a serious security risk.
Patch management in WordPress by itself is a challenge. While the platform can be configured to automatically update itself and plugins, this feature can also be disabled, leaving sites vulnerable to known security threats. Additionally, updating WordPress and its components can sometimes lead to compatibility issues with plugins, themes, and other customizations, which can further complicate the patching process.
If you manage multiple WordPress sites, each of them needs to be updated individually. For large agencies maintaining dozens or hundreds of websites, this could quickly become a significant operational burden.
Lastly, unlike managed services, where a team of experts handles security operations, on-premises WordPress deployments require constant attention to potential threats and vulnerabilities. The agency maintaining the sites must regularly monitor them, assess risks, and apply security updates. If a security breach occurs, the consequences are entirely on the agency to manage.
Managing security risks in a cloud environment, particularly with a software-as-a-service (SaaS) model, can be more cost-effective and efficient. By subscribing to a cloud-based CMS, you are essentially transferring the risk management responsibility to the provider. This is where Duda comes into play. Unlike many other providers, Duda was specifically designed from the ground up to cater to the needs of digital agencies - Its platform was built for scale and efficiency, making it a great candidate for agencies in all sizes. Below we will discuss the security advantages of using Duda over WordPress.
What about Duda’s App Store and app providers? How do we assure security there? Duda's approach to app integration is fundamentally different from WordPress's plugins. Apps do not directly install source code onto Duda's servers. Instead, they have access to structured, scoped, and secured APIs that limit the potential for malicious activity.
While apps can install JS code onto websites, this is a known zone where no sensitive information should be stored. In the event of any malicious activity, Duda can quickly remove the code across all sites. Additionally, we treat app providers like any other third-party software provider and use a similar process to assess their privacy and security maturity.
At the end of the day, cybersecurity is all about managing cyber risks to your digital assets and reducing them to an acceptable level. As a digital agency owner or employee, the websites you host and maintain for your clients are likely among your most sensitive assets.
While WordPress is an excellent environment for building websites and offers a vast array of ready-made components, such as themes and plugins, its security risks may not be worth it for your business. If that's the case, you should consider transitioning to a cloud-based CMS like Duda, which offers superior security measures, including isolated cloud environments, routine updates, and 3rd-party component testing, to protect your assets from potential cyber threats.
