Don't forget about those WordPress Plugins

Did you know that, according to a recent KeyCDN blog post (Here), 52% of all WordPress vulnerabilities are attributed to plugins? Yet plugins are often the most neglected part of a WordPress website.

Yesterday, a client on our shared web hosting platform, who is not using our WordPress Management package, contacted us to say that their contracted SEO (Search Engine Optimisation) provider had told them their listing was being rejected because of malware on their website. The client was confused by this, as they had been keeping the WordPress core files up to date with the latest patches as and when they came out, and believed that this was all they needed to do to keep a WordPress site secure.

What do we do in these situations?
Typically, our first step is to replace the WordPress core files with clean copies of the same version. One of the most common attacks is to inject code into core files that forces the site to load external or newly dropped malicious files on every visit. Replacing the core files with clean originals removes the foreign code and stops it being loaded when a visitor arrives. Note that this step touches only core: anything under wp-content (themes, plugins and uploads) is left exactly as it was, which is why the next steps are needed.

Next, we scan the account for malware and give the client a list of any files flagged. It is up to the client to remove them, because scanners do flag false positives and the site's developer is best placed to know whether a file is genuine.

Sometimes this is still not enough to clean a WordPress site completely. No malware scanner finds every piece of malware on an account, and when that is the case we offer a restore of the site from one of the retention-point backups (daily, weekly or monthly) that we keep for all clients.

In extreme cases, where the client did not notice that their site was compromised and left it for quite some time, every backup we keep can be infected as well. The site then has to be cleaned manually, and we advise the client of our WordPress Management add-on, under which we take care of everything for them.
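The first two steps above (swap core for clean copies, then scan what is left and hand the hits to a human) can be reduced to one script. The following is an added example, not the host's or any scanner's own code: it verifies an install against a manifest of known-good MD5 digests, the same per-version data that api.wordpress.org serves for real installs (here a constructed stand-in), and then runs a few heuristics over every PHP file that is not a pristine core file. The sample install, the manifest contents and the heuristic list are all constructed for the example.

```python
"""Core-file integrity check and heuristic triage for a WordPress install.
Added example (not the host's tooling).  Assumed, not from the page: a manifest
of relative path -> MD5 of the pristine file, the shape api.wordpress.org
serves per version (a constructed stand-in below), and an install under one
directory.  wp-content/ (themes, plugins, uploads) is site data, not core: it
is scanned but never judged against the manifest."""
import hashlib
import os
import re
import tempfile

# Constructed pristine contents; the manifest digests are derived from them.
GOOD_INDEX = b"<?php\n/** Front to the WordPress application. */\nrequire __DIR__ . '/wp-blog-header.php';\n"
GOOD_HEADER = b"<?php\nrequire_once __DIR__ . '/wp-load.php';\n"
GOOD_ADMIN = b"<?php\n// constructed stand-in for wp-admin/admin.php\n"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


MANIFEST = {
    "index.php": md5_hex(GOOD_INDEX),
    "wp-blog-header.php": md5_hex(GOOD_HEADER),
    "wp-admin/admin.php": md5_hex(GOOD_ADMIN),
}

# Heuristics, reported in this order.  Every one of them also occurs in
# legitimate code, so hits go to a human for a decision, not straight to rm.
SUSPICIOUS = [
    ("eval of decoded blob",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("request parameter executed",            # e.g. $_POST['c']($_POST['a'])
     re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(")),
    ("preg_replace /e modifier",              # modifier that evals the replacement
     re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*?/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("remote file pulled in",
     re.compile(rb"(include|require|file_get_contents)(_once)?\s*\(?\s*['\"]https?://")),
    ("base64_decode present (often benign)",  # deliberately broad: the false-positive source
     re.compile(rb"base64_decode\s*\(")),
]


def classify(root: str, manifest: dict) -> dict:
    """Buckets: ok / modified (core file, digest matches or not), missing (in the
    manifest, not on disk), unexpected (outside wp-content/ and not in the
    manifest), site (anything under wp-content/).  All lists are sorted."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": [], "site": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel.startswith("wp-content/"):
                result["site"].append(rel)
                continue
            if rel not in manifest:
                result["unexpected"].append(rel)
                continue
            with open(full, "rb") as fh:
                bucket = "ok" if md5_hex(fh.read()) == manifest[rel] else "modified"
            result[bucket].append(rel)
    result["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in result.items()}


def scan_file(path: str) -> list:
    """Names of the SUSPICIOUS heuristics that match the file's bytes, in order."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, rx in SUSPICIOUS if rx.search(data)]


def triage(root: str, manifest: dict) -> dict:
    """Integrity check, then a heuristic scan of every PHP file that is not a
    pristine core file.  'hits' maps file -> heuristic names for files with at
    least one hit; pristine core files are never scanned at all."""
    files = classify(root, manifest)
    hits = {}
    for rel in files["modified"] + files["unexpected"] + files["site"]:
        if rel.endswith(".php"):
            matched = scan_file(os.path.join(root, rel))
            if matched:
                hits[rel] = matched
    return {"files": files, "hits": hits}


def build_sample_site() -> str:
    """Constructed install in a temp dir: a clean core file, a core file with an
    injected loader, a dropped-in backdoor, a harmless plugin file that the broad
    heuristic will flag, and wp-admin/admin.php deliberately absent."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    samples = {
        "index.php": GOOD_INDEX,
        "wp-blog-header.php": b"<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>" + GOOD_HEADER,
        "wp-admin/css/x.php": b"<?php $_POST['c']($_POST['a']); ?>",
        "wp-content/plugins/my-plugin/opts.php": b"<?php $o = json_decode(base64_decode($s)); ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    report = triage(build_sample_site(), MANIFEST)
    for bucket, paths in report["files"].items():
        print(f"{bucket:10s} {paths}")
    for path, names in report["hits"].items():
        print(f"HIT {path}: {', '.join(names)}")
```

Two things the output shows that the paragraphs above only state: the core file with a prepended loader is caught by the digest alone, before any signature is needed, and the broad base64_decode heuristic fires on a harmless plugin file, which is exactly the kind of false positive that makes the host leave deletion to the client. Where WP-CLI is installed, `wp core verify-checksums` performs the same digest comparison against wordpress.org for the installed version.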

If the site can be cleaned, why do we not just completely clean the site every time?
A hacked WordPress site takes a long time to clear up completely, and it is not something we (or any other web host we know of) would perform for free. We offer as much general advice as possible, such as installing security plugins like Sucuri, Wordfence or iThemes Security, to name a few.

We have a WordPress vulnerability scanner available for use on any WordPress website hosted on our network, and we will always help clients identify problems with their sites by running this scan for them, free of charge.

What, in this case, did the WordPress Vulnerability Scan Show?
This deep scan was run on the website in question; a summary of a small portion of the results is below.

Result One: Contact Form 7 Plugin, Out of Date and Vulnerable to Privilege Escalation.

[i] Plugin(s) Identified:
[+] contact-form-7
| Location: http://<Domain Deleted>/wp-content/plugins/contact-form-7/
| Last Updated: 2018-12-18T18:05:00.000Z
| [!] The version is out of date, the latest version is 5.1.1
| Detected By: Urls In Homepage (Passive Detection)
| [!] 1 vulnerability identified:
| [!] Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
|     Fixed in: 5.0.4
|     References:
|      - https://wpvulndb.com/vulnerabilities/9127
|      - https://contactform7.com/2018/09/04/contact-form-7-504/
|      - https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7
|      - https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7
|      - https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7
|      - https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7
|      - https://www.ripstech.com/php-security-calendar-2018/#day-18
| Version being used: 5.0.2 (100% confidence)
| Detected By: Query Parameter (Passive Detection)
|  - http://<Domain Deleted>/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.0.2
|  - http://<Domain Deleted>/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.0.2
| Confirmed By:
|  Readme - Stable Tag (Aggressive Detection)
|   - http://<Domain Deleted>/wp-content/plugins/contact-form-7/readme.txt
|  Readme - ChangeLog Section (Aggressive Detection)
|   - http://<Domain Deleted>/wp-content/plugins/contact-form-7/readme.txt

Result Two: Jetpack Plugin, Out of Date and Vulnerable to Cross-Site Scripting

[+] jetpack
| Location: http://<Domain Deleted>/wp-content/plugins/jetpack/
| Last Updated: 2019-01-10T14:48:00.000Z
| [!] The version is out of date, the latest version is 6.9
| Detected By: Urls In Homepage (Passive Detection)
| [!] 1 vulnerability identified:
| [!] Title: Jetpack <= 6.4.2 - Authenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 6.5
| References:
| - https://wpvulndb.com/vulnerabilities/9168
| - https://www.ripstech.com/php-security-calendar-2018/#day-11
| Version Installed: 6.1.1 (100% confidence)
| Detected By: Query Parameter (Passive Detection)
| - http://<Domain Deleted>/wp-content/plugins/jetpack/css/jetpack.css?ver=6.1.1
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://<Domain Deleted>/wp-content/plugins/jetpack/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://<Domain Deleted>/wp-content/plugins/jetpack/readme.txt

Result Three: WordPress SEO Plugin, Out of Date and Vulnerable to Authenticated Race Condition

[+] wordpress-seo
| Location: http://<Domain Deleted>/wp-content/plugins/wordpress-seo/
| Last Updated: 2019-01-22T08:40:00.000Z
| [!] The version is out of date, the latest version is 9.5
| Detected By: Comment (Passive Detection)
| [!] 1 vulnerability identified:
| [!] Title: Yoast SEO <= 9.1 - Authenticated Race Condition
| Fixed in: 9.2
| References:
| - https://wpvulndb.com/vulnerabilities/9150
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19370
| - https://plugins.trac.wordpress.org/changeset/1977260/wordpress-seo
| - https://www.youtube.com/watch?v=nL141dcDGCY
| - http://packetstormsecurity.com/files/150497/
| - https://github.com/Yoast/wordpress-seo/pull/11502/commits/3bfa70a143f5ea3ee1934f3a1703bb5caf139ffa
| Version Installed: 7.4 (100% confidence)
| Detected By: Comment (Passive Detection)
| - http://<Domain Deleted>/, Match: 'optimized with the Yoast SEO plugin v7.4 -'
| Confirmed By:
| Readme - Stable Tag (Aggressive Detection)
| - http://<Domain Deleted>/wp-content/plugins/wordpress-seo/readme.txt
| Readme - ChangeLog Section (Aggressive Detection)
| - http://<Domain Deleted>/wp-content/plugins/wordpress-seo/readme.txt
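The three results above all come from the same fingerprinting technique: the scanner reads plugin paths and ?ver= query strings out of the homepage's asset URLs (passive), reads the Yoast generator comment, then confirms the version by fetching each plugin's readme.txt and reading its Stable tag (aggressive), and finally compares the version with the "Fixed in" boundary of each known issue. The following is an added example that reproduces that logic; it is not WPScan's code (whose output format the results above use) and not the host's. It assumes the homepage HTML and the readme files have already been fetched (constructed samples below, on the placeholder host example.test), and its vulnerability table is transcribed from the three findings above, not a live feed.

```python
"""Plugin version fingerprinting of the kind shown in the scan results.
Added example, not WPScan's code.  Assumptions: HTML and readme.txt content
already fetched (constructed samples on the placeholder host example.test);
the vulnerability table is static, transcribed from the three results."""
import re

# slug -> (fixed in, title), from the three scan results on this page
VULN_TABLE = {
    "contact-form-7": ("5.0.4", "register_post_type() Privilege Escalation"),
    "jetpack": ("6.5", "Authenticated Stored Cross-Site Scripting (XSS)"),
    "wordpress-seo": ("9.2", "Authenticated Race Condition"),
}

# plugin slug and version from enqueued asset URLs such as
# /wp-content/plugins/<slug>/.../styles.css?ver=5.0.2
ASSET_RE = re.compile(r"""/wp-content/plugins/([a-z0-9_-]+)/[^\s"'>]*\?ver=([0-9][0-9.]*)""")
# Yoast SEO writes its version into an HTML comment in <head>
YOAST_COMMENT_RE = re.compile(r"optimized with the Yoast SEO plugin v([0-9][0-9.]*)")
# readme.txt header line used by the wordpress.org plugin directory
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*([0-9][0-9.]*)", re.MULTILINE | re.IGNORECASE)


def version_tuple(version: str) -> tuple:
    """'5.0.2' -> (5, 0, 2); trailing zeros dropped so 9.2 compares equal to 9.2.0.
    Pre-release suffixes are not handled (the regexes above only capture digits)."""
    parts = [int(p) for p in version.split(".") if p != ""]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def versions_from_html(html: str) -> dict:
    """Passive detection: slug -> sorted versions seen in asset URLs, plus the
    Yoast generator comment."""
    found = {}
    for slug, ver in ASSET_RE.findall(html):
        found.setdefault(slug, set()).add(ver)
    m = YOAST_COMMENT_RE.search(html)
    if m:
        found.setdefault("wordpress-seo", set()).add(m.group(1))
    return {slug: sorted(vs, key=version_tuple) for slug, vs in found.items()}


def version_from_readme(readme: str):
    """Aggressive detection: Stable tag of a readme.txt fetched directly from
    /wp-content/plugins/<slug>/readme.txt."""
    m = STABLE_TAG_RE.search(readme)
    return m.group(1) if m else None


def is_vulnerable(slug: str, version: str):
    """True/False against the table's 'Fixed in' boundary, None if the slug is unknown."""
    if slug not in VULN_TABLE:
        return None
    return version_tuple(version) < version_tuple(VULN_TABLE[slug][0])


def assess(html: str, readmes: dict) -> dict:
    """Merge passive and readme evidence per plugin.  A readme Stable tag wins over
    the asset version (it is the installed package's own claim); with passive
    evidence only, a single consistent ?ver= value is accepted and conflicting
    values leave the version unknown rather than guessing."""
    passive = versions_from_html(html)
    report = {}
    for slug in sorted(set(passive) | set(readmes)):
        sources, version = [], None
        if slug in passive:
            sources.append("html")
            if len(passive[slug]) == 1:
                version = passive[slug][0]
        tag = version_from_readme(readmes[slug]) if slug in readmes else None
        if tag:
            sources.append("readme")
            version = tag
        vulnerable = is_vulnerable(slug, version) if version else None
        report[slug] = {"version": version, "sources": sources, "vulnerable": vulnerable,
                        "fixed_in": VULN_TABLE[slug][0] if vulnerable else None}
    return report


# Constructed homepage and readmes; example.test is a placeholder domain.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<!-- This site is optimized with the Yoast SEO plugin v7.4 - https://yoast.com/wordpress/plugins/seo/ -->
<link rel='stylesheet' href='http://example.test/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.0.2' />
<link rel='stylesheet' href='http://example.test/wp-content/plugins/jetpack/css/jetpack.css?ver=6.1.1' />
<script src='http://example.test/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.0.2'></script>
<script src='http://example.test/wp-content/plugins/some-gallery/js/app.js?ver=2.3.0'></script>
</head><body></body></html>"""

SAMPLE_READMES = {
    "contact-form-7": "=== Contact Form 7 ===\nRequires at least: 4.9\nStable tag: 5.0.2\n",
    "wordpress-seo": "=== Yoast SEO ===\nStable tag: 7.4\n",
}

if __name__ == "__main__":
    for slug, info in assess(SAMPLE_HTML, SAMPLE_READMES).items():
        print(slug, info)
```

The readme fetch is what turns "100% confidence" from a guess into a confirmation: a theme can strip ?ver= from asset URLs or a cache can serve stale ones, but readme.txt is served straight from the plugin directory on disk. The same direct fetch is why unused plugins should be deleted rather than deactivated; a deactivated plugin's readme.txt, and its PHP files, are still requestable.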

Okay, so how can I protect my WordPress site?
Pay attention to your WordPress installation and admin dashboard. Delete any plugins you are not using and do not need. Don't leave them deactivated, remove them: a deactivated plugin's files are still on disk and can still be requested directly. Do the same with your themes. Remove completely any theme, plugin or file not in use. Ensure all plugins and themes you do use are updated regularly and come from reputable sources.

InfiniteWP is an excellent piece of software for quickly determining which plugins are out of date. On the client's site we talk about here, nine WordPress plugins were out of date, and three of them had known vulnerabilities that were the likely reason the website was compromised.

Buy our WordPress Management Add On
For £65 + VAT per year, we will manage your WordPress website. We do the hard work for you: a weekly check that your WordPress core, plugins and theme (where possible) are up to date, upgrading anything that is out of date and taking a backup before making any change, to give you peace of mind. We will also provide comprehensive assistance to remove any and all malware should your website be infected (most unlikely when it is being regularly managed).

Move to Private Hosting.
Shared hosting is a good and cheap form of hosting, but because it is a shared environment it comes with a long list of problems. One of them relates to how attackers find targets: most accounts on a shared platform sit behind the same IP address, so an attacker can use widely available reverse-IP lookup tools to list every website hosted on that address. They can then point automated scanners at each of those sites looking for known vulnerabilities, in plugins especially, and use whatever they find to inject malicious code into the website.

Private, also referred to as dedicated, hosting means an optimised server reserved just for hosting your website(s). On a private server you have a dedicated IP address, so unless an attacker is targeting you specifically, they will not hit you merely because you happen to share an IP address with their original target.

A single-account VPS (virtual private server) works out at £20.83 + VAT per month when paid annually. More information on this product can be found at the link below:

https://bigwetfish.hosting/single-site/

