In dealing with hacked websites we often not only have to deal with cleaning up the hack but also trying to clear up misinformation that people hiring us have run across before coming to us. One area of that we used to deal with a lot, were people that were sure there websites were hacked due to usage of outdated software, often the software in question being WordPress, despite there not being any vulnerability in the version in use that would have been likely to be something that a hacker would actually try to exploit. That wasn’t all that surprising since you often have, among other things, security companies that don’t properly deal with hacked websites that will simply claim that outdated software was the cause of a hack instead of trying to determine how websites actually were hacked.
Misinformation continues to be put out along those lines, as a blog post on the The SSL Store that recently showed up in a Google Alert, which we have to keep track of vulnerabilities in WordPress plugins for our Plugin Vulnerabilities service, shows. In looking at that we saw two key things that we thought were worth pointing out about the security of WordPress and security in general.
Outdated Doesn’t Necessarily Mean Insecure When It Comes To WordPress
While there certainly problems with the handling of security of WordPress, other things are done better than other web software, which you might not know of due to the poor quality of coverage of its security.
One area that WordPress has been ahead of other software is in its update mechanism. WordPress has long allowed easy updating of itself. Things got better in WordPress 3.7, which introduced automatic background updates. While that features allows doing any type of update automatically, by default what it does is automatically apply minor WordPress updates without requiring any action the people managing the website. So for example WordPress would normally automatically update from 4.9.4 to 4.9.5, but wouldn’t go to 5.0 automatically.
Alongside that feature WordPress started releasing security updates for older versions of the software as minor updates. So even websites still running versions back to 3.7 are currently getting security updates. That post missed that entirely. Instead treating websites that were running the latest minor releases of version 4.7 and 4.8 as if they were insecure, despite having the same security update as the latest version of 4.9.
Most Vulnerabilities Are Not a Major Threat
One of the problems we see not just with WordPress, but in general is that people don’t have an understanding that not all vulnerabilities are of equal concern and risk of being exploited. What certainly doesn’t help that is that security companies often vastly overstate the threat from vulnerabilities they discover or are discussing.
The reality is that most vulnerabilities out there are not likely to be exploited. With WordPress there was about a decade where despite numerous vulnerabilities being found and fixed there wasn’t any successful hacking at any significant scale of those vulnerabilities. That streak was broken early last year with a vulnerability that had existed in WordPress 4.7.0 and 4.7.1. But even with that vulnerability the impact was fairly limited, as most websites had been automatically updated to 4.7.2 before exploitation started and for most websites still vulnerable, it only lead to the contents of post or pages being modified. That meant that cleanup was easy as all you had to was replace that content and normally WordPress have prior versions stored that could be reverted to. So the even for websites where the automatic background updates were not working for some reason and the website was not manually updated before exploitation started, the vulnerability was more of a nuisance.
You wouldn’t know that from that post since there was this inaccurate quote from a security professional:
When a vulnerability is found in a version of WordPress, hackers will create an exploit for that vulnerability and then cast a wide net, usually in an automated fashion, looking to see who is not up to date. Realize the importance of a “wide net”, they don’t care who you are or what you do, just that you have a site. Once compromised, the hacker will then see what they can get from their site such as account information and then maybe try to use that information to attack other systems that you may have. At the very least, the hacker will trash your site or use it to store data of importance to them (stolen data, illegal pictures, etc.). The result, at the very least, is a bad public image when it is discovered that your site was compromised.
Again, a lot of vulnerabilities in WordPress simply would not lead to hackers doing anything that would impact the average website. Also, when it comes to the average website getting hacked, the hacker is usually using it as part of spam or malware campaign (with spam being more common these days with the hacked websites we are brought in to deal with) and the hacker doesn’t care about any data on the website.
Another inaccurate quote in that post from a web develope is as follows:
Once your website is hacked it’s very difficult to repair. Essentially, hackers who get in to your website will create new hidden entry points and unless you close them all, it’s easy for them find a way back in. The results are horrible for the business.
As the example of the vulnerability in WordPress 4.7.0 and 4.7.1 shows, the impact can be less than what they described there. It also important to note, because we sometimes have people that contact us that believe their only option is to start over with a new website, if you hire someone that properly cleans up websites (which unfortunately isn’t the case with many security companies), it shouldn’t be too difficult for them to get the website fully cleaned up in almost all cases. It would be much better to do the things that will actually keep a website secure than hiring someone to clean it after not doing those things or spending money on a security service that isn’t actually focused on keeping websites secure, though.