With over 50,000 plugins and themes, WordPress is one of the most shared content management systems (CMSes) in the world, enabling pros and novices alike to create excellent websites with ease. But WordPress is also a focus of cyber-criminals finding ways to unleash their disruptive operations, with great success and readily available production options.
SEO Spamming continues to be a top objective
For branded blogs, the hijacking of WordPress for SEO spamming raises significant problems.
- In a newly uncovered event, a new cyber crime group leveraged weak WordPress pages to install scammy e-commerce stores to lower the rating and credibility of a site’s search engine.
- Via brute-force attacks, the attackers gained access to the site’s admin account, after which they overwrote the main index file of the site and added malicious javascript.
- To maintain a steady influx of SEO spam connections, researchers have also found that attackers insert malicious PHP files into WordPress pages.
Vulnerable themes and plugins fuel more attacks
In addition to SEO spamming, WordPress plugins provide cybercriminals with a handy avenue to attack.
- An ongoing large-scale attack involving mass scanning of WordPress pages with Epsilon System themes vulnerable to Feature Injection attacks was recorded on November 17 by Word fence researchers.
- These insecure themes, built on more than 150,000 pages, could lead to a complete site takeover.
- Also, instances of insecure WordPress plugins such as Ultimate Member and Welcart e-Commerce were found to be impacted by extreme vulnerabilities during early November that could cause attackers to hijack pages.
In this mess, WordPress is not alone
- Equally lucrative options for cyber-attacks are not only WordPress but other CMSes like Drupal and Joomla.
- Recently, administrators of sites operating on Drupal were advised to patch a safety hole that depended on the trick of the double extension.
- Drupal developers believed that the weakness was because sure” file names were not sanitized by the Drupal CMS, enabling any malicious files to slip through.
Main Takeaways
It is no wonder that unpatched bugs in the core applications of WordPress are driving cyber attackers’ disruptive ambitions. Plugging security vulnerabilities at the right time and following best cyber security practices is also a solution to cyber attacks to secure WordPress pages.
