A History of WordPress Security Exploits and What They Mean

As one of the world’s most high-profile open source software projects, WordPress has been a natural target for ongoing security exploits ever since it arrived on the scene.

With the user base continuing to grow and its position as the world’s most popular CMS solidifying, it’s a safe bet this won’t be changing anytime soon.

The emergence of significant security vulnerabilities this year has yet again reminded us of the need for ongoing vigilance and the importance of keeping sites updated.

In this article we’ll cover a selection of the major WordPress security exploits to date and what they meant for both users like you and the future of WordPress.

Before we delve into the past though, let’s fill in some blanks on the subject of WordPress security in general.

Some Background on WordPress Security

The WordPress Security White Paper.

Security has been on the WordPress community’s radar from the very beginning for good reason and is a critical part of the project as a whole.

A measure of how high up the priority queue security is can be seen by going to the about page of WordPress.org where the security section is very prominently displayed.

The WordPress Security White Paper

If you haven’t previously read the WordPress security white paper, it’s worth taking a few minutes to go through it.

It provides a succinct overview of the project’s approach to security and covers a number of useful points including the following:

  • Version numbering and security releases: Minor releases are reserved for addressing security vulnerabilities as evidenced in the recent 4.1.2 security release.
  • Internal WordPress security organization: The WordPress Security Team contains around 25 people, with Automattic contributing half the resources. They have a strong track record of working with other industry leaders on common vulnerabilities and are committed to a policy of openness.
  • The most common threat types: The paper also lists a useful overview of the most common security threats as defined by Open Web Application Security Project. This includes common attack vectors such as SQL injection and cross-site scripting.
  • The role of plugins and themes: With approximately 30,000+ plugins and 2,000+ themes available on WordPress.org alone, it’s obvious that they represent by far the most commonly vulnerable entry route.
  • The importance of hosting: The best security precautions in the world on the local WordPress level will mean little if you find your host environment compromised.

The WordPress Security Archive

The quickest way of getting an overview of how much activity there has been on the WordPress security front over the years is a quick visit to the WordPress Security Archive:

Security Category Archive

There you’ll find details of all security releases to date conveniently assembled in one place.

As can be seen from the entry log, security issues have a tendency to come in flurries and we’ll be going into the details of some of these shortly.

Staying up to Date

As Matt Mullenweg never fails to point out, the single biggest security improvement you can make to your site is making sure it is constantly up to date.

Ongoing attacks are unfortunately a fact of online life, but the community has an excellent track record of addressing them quickly and transparently.

Let’s move on to some of the notable time periods where the threat level was particularly high and they were forced to do just that.

2007/2008 – Early Attacks

The growing popularity of WordPress as a CMS as it approached its five-year anniversary saw the level of attacks increase considerably.

Hackers naturally focused on low-hanging fruit and a wave of exploits targeting SEO and Adsense blogs came to light throughout 2007 and 2008:

TechCrunch led with this rather alarming headline.

To make matters worse, WordPress’ own servers were compromised during this time, leading to the inclusion of a potential backdoor in WordPress 2.1.1 in 2007.

The issue was quickly addressed in security release 2.1.2, but did little for the software’s early reputation.

By mid-2007, the subject of security was increasingly a major focus of concern among community leaders, with one of the major long-term effects of this renewed focus being the eventual introduction of the one-click update in WordPress 2.7 (Coltrane).

The previously manual update process had long been flagged as a major stumbling block in getting users to update regularly, a situation that massively increased the number of live sites vulnerable to attack.

2009 – A Renewed Emphasis on Security

2009 saw a further flurry of activity from July through to October with a series of security patches being released, covering WordPress versions 2.8.1 up to 2.8.6.

The situation kicked off with the discovery by CoreLabs of a serious vulnerability affecting versions 2.8 and under. This was resolved with the release of 2.8.1, but it also marked the beginning of a run of releases addressing either overall hardening of WordPress or fixing further acute vulnerabilities.

This sequence came to a close with the Thanksgiving 2009 release of 2.8.6.

Though the long-term effect of tightening up overall WordPress security was incredibly positive, many in the community will remember it as a dark time for the platform, when it seemed like an upgrade was required every other week.

There’s an excellent write-up of this time period by Jason Cosper over at Torque, putting the whole series of incidents into perspective and pointing out the turning point for the platform that it represented.

2011 – Issues with Images

The year 2011 was chiefly notable for the large-scale arrival of the TimThumb vulnerability, whereby the popular image-resizing utility could be used to load and execute arbitrary PHP code on a server.

Though the original issue was quickly patched and significant additional work was done on the utility in subsequent years, TimThumb remained a target for ongoing attacks all the way up into 2014.

TimThumb developer Ben Gillbanks officially retired the code on 27th September 2014.

It serves as an excellent reminder of the persistence of hackers in targeting a route once a vulnerability has been established.

2013 – Major Sites at Risk

2013 saw further security feathers being ruffled with the release of a number of reports highlighting the ongoing vulnerabilities of high-profile WordPress sites in the wild.

Security firm Enable Security profiled WordPress sites listed among the top one million Alexa websites and came to the conclusion that out of 42,106 WordPress sites found, 73.2% were vulnerable to attack as a result of running outdated versions of the software.

Though there was some quibbling about the level of threat actually present, the figures did act as a further reminder that regular updating remains a concern even on the biggest of WordPress installs.

A separate report on plugins from Israeli firm Checkmarx found that seven out of the ten most popular e-commerce plugins also contained potential vulnerabilities.

2015 – Major Plugins Compromised

And so we arrive finally at 2015, another year of note.

This has largely been due to the recent discovery of an XSS vulnerability affecting a number of the most widely installed plugins in the WordPress ecosystem.

The list of plugins affected was a veritable who’s who of the WordPress great and good, including Yoast, Gravity Forms and even Jetpack.

Even the world’s biggest WordPress plugins can be vulnerable, but security updates are released near-instantly.

As per usual, the core vulnerability was swiftly addressed in version 4.1.2 but it just goes to show that, even in 2015 with over a decade of active monitoring and hardening of the platform, major security issues can still break out at a moment’s notice.

Learn More on WPMU DEV

In addition to keeping updated, there is of course a much wider set of measures you can take with WordPress to make your site as secure as possible.

We’ve tackled the subject of security on several occasions here at WPMU DEV over the years and provided comprehensive guides to help you keep those digital doors firmly locked.

Review these three articles in particular for full information on steps to take to protect your site:

  1. WordPress Security: Tried and True Tips to Secure WordPress. Jenni McKinnon provided an up-to-date overview of the topic of general WordPress security earlier in the year. A super starting point if you’re just starting to investigate this topic.
  2. WordPress Security Essentials. Raelene Wilson introduces our five-part video series on everything you need to know to secure your site. An essential watch for site owners.
  3. WordPress Security: The Ultimate Guide. Kevin Muldoon’s 2014 piece is a wonderfully in-depth guide to the steps he took after his own site was hacked. A seriously informative deep-dive into the subject.

Resources Further Afield

The subject of online security is obviously a vast one so we’ll limit ourselves to two solid starting points for further exploration:

  1. Hardening WordPress. The WordPress Codex itself makes an excellent starting point for digging deeper, and there’s no better place to start on there than the section on securing WordPress.
  2. Sucuri.net. In addition to helping surface this year’s plugin problems, the good people over at Sucuri have been keeping tabs on WordPress security concerns for a considerable amount of time. Their blog is an excellent resource on online security in general and WordPress in particular.

Conclusion

As you can see from both the historical episodes we’ve highlighted here and the current series of exploits making waves in 2015, security is a subject that WordPress owners need to constantly keep on top of.

The platform itself has taken significant steps over the years to put together a world-class security team, and its reaction to individual exploits has very rarely been less than immediate.

Regular updates and attention to the sort of security resources we mentioned towards the end of the article remain the best way to keep things safe if you are managing your own site.

We’re curious to hear your thoughts on how WordPress has handled this subject over the years and whether you think the latest wave of exploits is a serious blow to the platform’s reputation or not. Share your opinion in the comments below.