Researchers at Georgia Institute of Technology have identified malicious plugins on tens of thousands of WordPress websites.

https://www.usenix.org/system/files/sec22-kasturi.pdf
https://omscs.gatech.edu/news/eight-year-study-shows-dark-side-wordpress-plugins

An analysis of nightly backups of over 400,000 unique web servers has revealed the existence of more than 47,000 malicious plugins installed on almost 25,000 unique WordPress websites. More than 94% of these plugins continue to be in use today.
Here are what a few industry experts had to say:
Sounil Yu, Chief Information Security Officer at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions:
"This is a widespread problem, not just with WordPress, but with any software that leverages what I call PITAs: plugins, integrations, and third-party applications. As with smartphones, PITAs extend the capabilities of the core product, but they are also a pain-in-the-ass for security teams because they significantly increase the attack surface of the core product.

Vetting PITAs is also problematic because there are thousands of these PITAs with no clear provenance, testing results, or data flow diagrams. Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions. Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious PITAs do not create problems for their customers."
++
Cory Cline, Senior Cyber Security Consultant at nVisium, a Falls Church, Virginia-based application security provider:
"WordPress itself generally comes into the picture when organizations want to save on development costs. Inherently, this moves the scope of trust to include the developers of WordPress and any plugins in use. Ideally, development teams should not arbitrarily implement plugins, regardless of apparent positive reviews. If an organization absolutely must utilize WordPress, plugins should be thoroughly vetted by experienced development and security teams before being utilized in a production environment. This is made easier due to the fact that WordPress plugins are all written in PHP and can have their source code reviewed at will by anybody who wishes to do so. The impact of implementing a WordPress plugin that has not been properly vetted could be nonexistent if the plugin is not malicious and does not contain any known vulnerabilities. However, a malicious WordPress plugin could ultimately lead to a full takeover of any affected WordPress instances."
++
Bud Broomhead, CEO at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene:
"WordPress is very widely used, but not by IT or Security professionals; it's managed by marketing or web design professionals who are in a hurry and won't typically check too deeply on security issues. Installing is easy, and removing is an afterthought or never done. Therefore, if the plug-in does not perform the desired function, it may remain in the active WordPress deployment for a long time.

Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress. Even with WordPress issuing alerts about plug-ins being vulnerable, other priorities than security may delay the removal of malicious plug-ins."
++
Mike Parkin, Senior Technical Engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation:
"The code driving modern websites has become increasingly complex, with content management systems (CMS) and their associated plugins doing most of the work behind the scenes. The days of a webmaster jumping into a shell and editing in vi are decades in the past. Unfortunately, managing and vetting all of the plugins that can appear on the CMS marketplaces can be a challenge. The end users may never even review the code they've installed, and often don't have the skills needed to identify malicious code even if they did. The marketplace almost certainly has a policy that forbids malicious plugins, but they may not have the resources to properly vet everything they host.

While we can hope the marketplaces will do more to prevent or at least remove malicious plugins when they find them, organizations that use plugins with their CMS platforms will have to do a better job of vetting the plugins they choose to deploy. Whether they rely on reviewing the code themselves or using a security tool doesn't matter. While the marketplace should only host legitimate plugins, making sure a site is safe ultimately falls to the site's owner."
++
John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based security and operations analytics SaaS company:
"WordPress is one of the world's most popular CMSs that allow anyone to create dynamic websites. The problem is that it allows anyone to create dynamic websites. Most people have their websites operate in a 'set and forget' mode, which means they have no idea if there are any changes made as long as the website 'works right'. Unfortunately, it takes time and expertise to secure websites, so while the barrier of entry onto the web has never been lower, no one has lowered the barrier to securing their web presence."