Attacks on Dropbox, leaks of Snapchat images, nude photos of celebrities published on the Internet… You’ve probably read about some of these high-profile IT attacks that have taken place over the last few weeks.
All the websites that carried these or similar stories have a 'B-side'. Everything you see is built on a content management system, otherwise known as a CMS. Today the most popular of these is WordPress. No doubt you have heard of it, or perhaps you have even used it to venture into the blogosphere. There are now some 75 million websites running on WordPress, and of course they too are vulnerable to cyber-attacks.
Being the most popular CMS also makes it the most attacked. Not because WordPress has more security holes than the others, but because it is the one cyber-criminals have targeted and researched most.
In recent months, tens of thousands of websites built on WordPress have been hacked. Needless to say, this CMS is not perfect and has vulnerabilities, but that still doesn't explain these mass attacks. “WordPress has been around for a long time, and during that time they’ve had the chance to patch a lot of vulnerabilities and change the way that they develop software in a secure manner,” says researcher Ryan Dewhurst. “They’ve got a great team that knows what they’re doing, and even though vulnerabilities are still found in WordPress, it is less common for them to be found in their core code.”
Dewhurst has for several years maintained a database of WordPress flaws, though don't expect a long list of holes in the core itself.
So, what explains the hacking of 50,000 websites last summer? The answer lies not in the WordPress CMS, but in the seemingly innocuous 'plugins'.
Plugins are small add-ons that extend the functions WordPress offers by default.
They have, however, become a real Trojan horse. The problem is similar to the one that hit Snapchat and Dropbox in recent weeks: because plugins are third-party code, WordPress has no control over the security holes they may contain.
There are more than 30,000 of them, and auditing every one would be a Herculean task for the company. This is where the cyber-criminals have stepped in.
What’s the solution?
It would seem, then, that preventing future attacks is not in the hands of the CMS alone, though a little care on the part of the site owner can help avoid problems.
In theory at least, one solution is to avoid WordPress altogether: if it is attacked because of its popularity (according to a report by Imperva, WordPress websites suffer 24% more attacks than sites running other CMSs), simply switching CMS might seem enough. Don't be fooled by the numbers, though: WordPress suffers more attacks, but other tools like Joomla or Drupal are just as vulnerable.
For now, the best thing is to tread carefully with plugins, on WordPress and any other CMS: checking whether the plugin you want to use has known, unpatched vulnerabilities before you install it, and keeping it up to date afterwards, could save you problems in the future.
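As an added example (not from the original article, nor from WordPress itself), here is how a site owner could automate that check: read the version from the header comment WordPress itself parses at the top of each installed plugin's main PHP file, then compare it against an advisory list. The plugin names, versions and advisories below are constructed for illustration and are not real plugins or real flaws; in practice the advisory list would be loaded from a vulnerability feed such as the database Dewhurst maintains.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the main PHP file of each installed plugin, keyed by
# its path under wp-content/plugins/. These are not real plugins. WordPress
# itself reads the "Plugin Name:" and "Version:" fields from this header comment.
PLUGIN_FILES: Dict[str, str] = {
    "contact-form-x/contact-form-x.php": """<?php
/*
Plugin Name: Contact Form X
Version: 1.4.0
*/
""",
    "gallery-lite/gallery-lite.php": """<?php
/**
 * Plugin Name: Gallery Lite
 * Version: 2.1.7
 */
""",
    "cache-booster/cache-booster.php": """<?php
/*
Plugin Name: Cache Booster
Version: 3.0.1
*/
""",
}

# Constructed advisory list (hypothetical flaws, not real CVEs): plugin slug ->
# (first fixed version, description). Any installed version below "fixed in"
# is affected. A real check would load this from a vulnerability feed.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "contact-form-x": [("1.5.0", "unauthenticated file upload")],
    "gallery-lite": [("2.1.7", "stored XSS in album title")],
    "cache-booster": [
        ("3.0.0", "path traversal in cache purge"),
        ("3.2.0", "CSRF on settings page"),
    ],
}

# Matches a header field on its own line, tolerating the "*" or "//" that
# leads each line inside a PHP doc-comment.
HEADER_FIELD = re.compile(
    r"^[ \t*#/]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE
)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Return the Plugin Name / Version fields found in a plugin's file header."""
    return dict(HEADER_FIELD.findall(php_source))


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.4.0' -> (1, 4, 0): compare versions numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def version_lt(installed: str, fixed_in: str) -> bool:
    """True if installed is strictly below fixed_in; pads so '3.0' equals '3.0.0'."""
    a, b = version_tuple(installed), version_tuple(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_plugins(plugin_files: Dict[str, str],
                  advisories: Dict[str, List[Tuple[str, str]]]) -> List[Dict[str, str]]:
    """Inventory the plugins and flag any whose version predates a known fix."""
    findings = []
    for path, source in plugin_files.items():
        slug = path.split("/", 1)[0]  # the directory name doubles as the slug
        header = parse_plugin_header(source)
        version = header.get("Version")
        if version is None:
            # Cannot be matched against any advisory: report it rather than ignore it.
            findings.append({"slug": slug, "version": "?", "status": "unknown",
                             "detail": "no Version header"})
            continue
        for fixed_in, description in advisories.get(slug, []):
            if version_lt(version, fixed_in):
                findings.append({"slug": slug, "version": version, "status": "vulnerable",
                                 "detail": f"{description} (fixed in {fixed_in})"})
    return findings


if __name__ == "__main__":
    for f in check_plugins(PLUGIN_FILES, ADVISORIES):
        print(f"{f['status']:<10} {f['slug']} {f['version']}: {f['detail']}")
```

Two things worth noting in the output: Gallery Lite sits exactly at the fixed version and is correctly not flagged, while Cache Booster is past one fix but still short of the other, so only the second advisory fires. A plugin with no Version header is reported as unknown rather than silently passed, since a plugin the tool cannot identify is precisely the one that deserves a manual look before it stays installed.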