In June 2013, Checkmarx's research lab carried out a comprehensive source code audit to test the security of WordPress's most popular plugins. Checkmarx found that more than 20% of the 50 most popular WordPress plugins are vulnerable to common web attacks such as SQL injection and cross-site scripting, which could allow malicious users to steal data from the target WordPress installations and deface them.
The idea of running a security code analysis of WordPress plugins arose because, although there are rules for coding standards, there are no security guidelines or requirements that WordPress plugin developers can adhere to, which is most probably why WordPress has also become one of the most popular targets for malicious attacks.
Note: WordPress plugins are extensions that can be installed on a WordPress blog or website to extend the basic functionality of the open source blogging platform. For more information about WordPress plugins, read Everything you need to know about WordPress Plugins.
WordPress Plugins Vulnerabilities and their Impact
If more than 20% of the top 50 WordPress plugins are vulnerable to common attacks, this means that around 8 million online WordPress blogs and websites (around 2.4% of the web) are exposed to such attacks. If a malicious hacker exploits any of the discovered WordPress plugin vulnerabilities, he or she can gain access to sensitive information stored on the websites themselves, such as customers' contact details, usernames and passwords, health records and financial information.
Some of the other detected vulnerabilities allow a malicious hacker to deface the WordPress blog or website, or to redirect visitors to another attacker-controlled website that typically hosts malicious code. Such a large number of vulnerable WordPress installations is a perfect platform for malicious hackers to launch a mass infection and malware distribution campaign, as has already happened in the past.
Timeline of WordPress Plugins Vulnerabilities Analysis
- Checkmarx launched its first code analysis in January 2013. The 50 most popular WordPress plugins were analysed, as well as the top 10 e-commerce plugins.
- During the survey, 18 vulnerable WordPress plugins were identified. These plugins were downloaded 18.5 million times.
- Checkmarx alerted the plugin developers and worked with them to close the security holes.
- By June 2013, a new version of every vulnerable WordPress plugin had been released.
- In June 2013, Checkmarx ran a second code analysis against the 18 WordPress plugins previously identified as vulnerable to common web attacks.
State of Security of WordPress Plugins
After the June 2013 code analysis, Checkmarx noticed that:
- 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks.
- 7 out of top 10 most popular e-commerce WordPress plugins are vulnerable to common Web attacks.
- There is no correlation between the number of Lines of Code and the vulnerability level of the plugins.
- There is no single type of vulnerable WordPress plugin: the affected plugins range from e-commerce solutions and feed aggregators to social networking plugins, WordPress development plugins and more.
- Only 6 WordPress plugins had fixed and closed all reported security holes after 6 months.
Recommendations for WordPress Owners
There are several things you can do as a WordPress owner to make sure the plugins installed on your WordPress site do not contain security holes that malicious users could exploit to attack your website or blog. Follow this WordPress guide to choosing the best WordPress plugin to learn how to analyse WordPress plugins and ensure that only secure and well-maintained ones are installed.
If security is not your cup of tea and you are not sure whether your WordPress site is secure, you can hire WordPress security specialists to carry out a WordPress security audit.
Recommendations for WordPress Plugins Developers
Writing secure code is crucial when developing a WordPress plugin: your business and your plugin's reputation will be damaged if the plugin contains a web vulnerability that is widely exploited. It is good practice to perform several WordPress plugin security code audits during the development cycle. The later a security vulnerability is discovered, the higher the cost of fixing it, so act today.
If you are developing a WordPress plugin, frequent security code audits are recommended. You can use the free RIPS CodeRisk scanner for source code analysis; read our interview with the RIPS CodeRisk scanner co-founder to learn more about their free offering. They can guide and assist you in developing a secure WordPress plugin.
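The two vulnerability classes the study names, SQL injection and cross-site scripting, and the WordPress APIs that prevent them, shown as an added illustration rather than code from the study or from any audited plugin: a hypothetical `[wps_search]` shortcode written first with both flaws and then hardened. The function names and the `q` request parameter are invented for the example, and it assumes WordPress 4.0 or later for `$wpdb->esc_like()`.

```php
<?php
// Added illustration, not code from the Checkmarx study or any real plugin:
// a hypothetical [wps_search] shortcode listing published posts whose title
// matches a visitor-supplied "q" parameter, flawed first, then hardened.

// --- Vulnerable pattern: SQL injection and reflected XSS ------------------
function wps_search_vulnerable( $atts ) {
    global $wpdb;
    $q    = isset( $_GET['q'] ) ? $_GET['q'] : '';               // untrusted input
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_status = 'publish' AND post_title LIKE '%{$q}%'" // SQL injection
    );
    $out = "<p>Results for: {$q}</p><ul>";                       // reflected XSS
    foreach ( $rows as $row ) {
        $out .= "<li>{$row->post_title}</li>";                   // unescaped output
    }
    return $out . '</ul>';
}

// --- Hardened version -----------------------------------------------------
function wps_search_safe( $atts ) {
    global $wpdb;

    // Sanitise once on input and treat the value as plain text only.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $q ) {
        return '';
    }

    // Parameterised query: prepare() binds the value as a quoted string,
    // and esc_like() (WordPress 4.0+) makes '%' and '_' inside $q literal.
    $like = '%' . $wpdb->esc_like( $q ) . '%';
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_status = 'publish' AND post_title LIKE %s LIMIT 20",
        $like
    ) );

    // Escape on output, at the point where each value enters HTML.
    $out = '<p>Results for: ' . esc_html( $q ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'wps_search', 'wps_search_safe' );
```

A static analyser of the kind used in the study flags the first function on both the string-built query and the unescaped echo; the second binds the query value and escapes at the HTML boundary, which is the pattern to look for in a plugin's own code before installing it.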
The Checkmarx whitepaper on the state of security of WordPress plugins can be downloaded from here.