paint-brush
Why Most Hackers Prey on WordPressby@ReadLarryReed
180 reads

Why Most Hackers Prey on WordPress

by Larry Reed December 16th, 2019
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

According to BuiltWith, there are 27 million live websites using WordPress. The CMS currently powers 34% of websites, with a market share of 60.8%. 14.8% of the world’s leading websites employ WordPress, including Spotify, TechCrunch, BBC America, the White House website, New York Times and Facebook Newsroom. Hackers see WordPress as an easy and desirable target because of the sheer audience amount and the huge damage potential. The majority of hacks are completely automated and don’t require additional intervention from the hacker.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Why Most Hackers Prey on WordPress
Larry Reed  HackerNoon profile picture

WordPress has grown to become the most popular CMS in the world. But being in the public eye puts a big and obvious target on its back. Everyone uses WordPress, from a small blogger to Time Magazine. In fact, anyone looking to publish website content can make use of the CMS. It is flexible, extensible, Open Source and most importantly, supported by a large community of active contributors. 

Exactly how Popular is WordPress? 

According to BuiltWith, there are 27 million live websites using WordPress. The CMS currently powers 34% of websites, with a market share of 60.8%. Furthermore, 14.8% of the world’s leading websites employ WordPress, including Spotify, TechCrunch, BBC America, the White House website, New York Times and Facebook Newsroom, to name a few. 

According to Wordpress live activity data, the users of the CMS produce a mind blowing 70 million posts and 77 million comments on a daily basis. Moreover, more than 409 million people view over 20 billion pages each month. WordPress 5.3 download counter reveals that, at the time of writing this article, the CMS has been downloaded over 19 million times. 

The Price of Fame 

Obviously, WordPress’ popularity is exactly what makes it the most common target for hackers. A similar thing happened to the Windows OS while it was still new. Because it was so widely distributed, hackers were able to target vulnerabilities the software developers hadn’t anticipated. Thus, a single hack could potentially affect multiple users. Hackers only needed to make sure the malicious files were easily accessible. 

When it comes to WordPress, there are no such concerns. All hackers need to do is figure out a way to automate an exploit for a vulnerability. The majority of hacks are completely automated and don’t require additional intervention from the hacker. All they need to do is develop a crawler bot that will run malicious code after identifying a vulnerability which allows it to run. The bot is then able to replicate the exploit on the sites with the same vulnerability. With WordPress’ undeniable popularity, this could potentially lead to millions of sites getting hacked at a time. 

WordPress as a Shooting Range

With millions of monthly page views, WordPress has become something of a target practice for hackers. They see WordPress as an easy and desirable target because of the sheer audience amount and the huge damage potential. What the hackers aim for is dealing the most damage with a single blow. Whether it is resources, information or visibility, they are after getting the most out of just one, undetectable exploit. To them, that’s like hitting a jackpot. 

This is exactly what happened in the case of the most famous of WordPress attacks - the TimThumb vulnerability. TimThumb is a PHP script that resizes images to thumbnails. Several solutions even included it as a part of their bundle. Consequently, users didn’t even have to install the plugin separately. It was a vulnerability they weren’t even aware of, resulting in more than 3,000 URLs being infected with malicious code. 

These kinds of attacks are known as cross-site scripting attacks and only require users to visit the infected sites, allowing for the propagation of malicious code. Because of this, the range of damage is maximized and spread exponentially. 

Users Lack Technical Knowledge 

What makes WordPress so popular among users is that it can host anything from an e-commerce site to a forum. This is made possible with the add-ons (widgets, themes and plugins) so even the users who are not tech-savvy can publish content and apply modifications to their site. Because of its apparent ease of use, the majority of users do not realize the technical expertise and amount of work that is required to maintain a website. 

To run a secure WordPress website, one needs to have perseverance and great attention to detail, because even a simple add-on update could crash the entire site. But not performing regular updates leaves the website with various vulnerabilities hackers can’t wait to exploit. Therefore, WordPress users need to learn about the basics of the CMS, what it contains, its various parts, how to perform test updates before actually updating the add-ons. Users lacking the technical know-how should read security plugin reviews and find a reliable security solution that fits the needs of their website. Finding a suitable security solution could help avoid a potentially catastrophic scenario. 

There are far too many users who lack the technical knowledge or time required to make changes to their installations. This makes way for vulnerabilities as there is a myriad of plugins that are not coded accordingly. Hackers love seeing plugins that are not updated and if on top of that, the plugin is used by a large number of users, then they are able to replicate the exploit by identifying the websites using a vulnerable version of an add-on. Basically, the majority of WordPress users are sitting ducks. 

Developers Lack Experience 

Since it is an Open Source CMS, WordPress let’s all community members contribute code. This includes hobbyists, third-parties, experts and novice developers. Each developer has access to community resources, e.g. Wordpress Codex, other websites and forums. There are guidelines but many don’t follow them. And this is another reason hackers love to target WordPress - there is a lot of room for error. 

What is worse, since WordPress announces every vulnerability to the community due to its “security through transparency” model, hackers don’t even have to try hard to find ways to exploit them. They can scan the community for news and exploit the vulnerable websites. Moreover, users who don’t update security patches on time make the entire matter worse. 

Can you Rely on WordPress? 

As we mentioned earlier, hackers target WordPress for the same reasons they target Windows OS - it has the most users. The CMS in itself is not vulnerable to hacking attacks. There haven’t been any notable exploits of its core. This is because WordPress has extremely strict quality control. So the problem lies in their “security through transparency” model. 

Because of that, there exists an illusion that WordPress as a CMS is not safe, which is entirely not the case. After all, there is no such thing as a truly secure website. The fact is that the wide range of different CMS users and developers are not adhering to the crucial security measures, leaving the door wide open for malicious actors. 

So if you are not entirely sure how to approach security of your WordPress website, try finding a security solution specifically designed for WordPress. This can ultimately save you time and money you are investing in your site. Alternatively, start learning right away and use the knowledge to protect yourself and your site before it's too late.