WordPress is a popular target because majority or the web uses it to manage and publish their content. According to the 2016 Sucuri report on WordPress continues to lead the number of infected websites at 74%. This report focuses on four open-source content management systems(CMS). In addition to WordPress, it covers Joomla!(14%), Magento(5%) and Drupal (2%). Sucuri found that on average, WordPress installations had 12 plugins installed at any given time. The top three plugin vulnerabilities contributed to 22% of WordPress site hacks: Gravity Forms, TimeThumb and RevSlider.
I know that sites that we are using for our classes are all WordPress based. It is dangerous if school accounts are hacked. It may lead to identity theft. WordPress is very useful for developers to design but meanwhile, they need to pay attention on the security side of using WordPress.
Link: http://www.infosecurity-magazine.com/news/16000-wordpress-sites-have-been/
I wanna share some snippet from Wikipedia regarding how famous is the security breached and vulnerability in WordPress
Many security issues have been uncovered in the software, particularly in 2007, 2008, and 2015. According to Secunia, WordPress in April 2009 had 7 unpatched security advisories (out of 32 total), with a maximum rating of “Less Critical”. Secunia maintains an up-to-date list of WordPress vulnerabilities.
In January 2007, many high-profile search engine optimization (SEO) blogs, as well as many low-profile commercial blogs featuring AdSense, were targeted and attacked with a WordPress exploit. A separate vulnerability on one of the project site’s web servers allowed an attacker to introduce exploitable code in the form of a back door to some downloads of WordPress 2.1.1. The 2.1.2 release addressed this issue; an advisory released at the time advised all users to upgrade immediately.
In May 2007, a study revealed that 98% of WordPress blogs being run were exploitable because they were running outdated and unsupported versions of the software. In part to mitigate this problem, WordPress made updating the software a much easier, “one click” automated process in version 2.7 (released in December 2008). However, the filesystem security settings required to enable the update process can be an additional risk.
In a June 2007 interview, Stefan Esser, the founder of the PHP Security Response Team, spoke critically of WordPress’ security track record, citing problems with the application’s architecture that made it unnecessarily difficult to write code that is secure from SQL injection vulnerabilities, as well as some other problems.
In June 2013, it was found that some of the 50 most downloaded WordPress plugins were vulnerable to common Web attacks such as SQL injection and XSS. A separate inspection of the top-10 e-commerce plugins showed that 7 of them were vulnerable.
In an effort to promote better security, and to streamline the update experience overall, automatic background updates were introduced in WordPress 3.7
Individual installations of WordPress can be protected with security plugins that prevent user enumeration, hide resources and thwart probes. Users can also protect their WordPress installations by taking steps such as keeping all WordPress installation, themes, and plugins updated, using only trusted themes and plugins,[82] editing the site’s .ht-access file to prevent many types of SQL injection attacks and block unauthorized access to sensitive files. It is especially important to keep WordPress plugins updated because would-be hackers can easily list all the plugins a site uses, and then run scans searching for any vulnerabilities against those plugins. If vulnerabilities are found, they may be exploited to allow hackers to upload their own files (such as a PHP Shell script) that collect sensitive information.
Developers can also use tools to analyze potential vulnerabilities, including WPScan, WordPress Auditor and WordPress Sploit Framework developed by 0pc0deFR. These types of tools research known vulnerabilities, such as a CSRF, LFI, RFI, XSS, SQL injection and user enumeration. However, not all vulnerabilities can be detected by tools, so it is advisable to check the code of plugins, themes and other add-ins from other developers.
In March 2015, it was reported by many security experts and SEOs including Search Engine Land that a SEO plugin for WordPress called WordPress SEO by Yoast which is used by more than 14 million users worldwide has a vulnerability which can lead to an exploit where hackers can do a Blind SQL injection.
To fix that issue they immediately introduced a newer version 1.7.4 of the same plugin to avoid any disturbance on web because of the security lapse that the plugin had.
WordPress’ minimum PHP version requirement is PHP 5.2,which was released on January 6, 2006, 10 years ago, and which has been unsupported by the PHP Group and not received any security patches since January 6, 2011, 5 years ago
https://en.wikipedia.org/wiki/WordPress
Mengxue and Vaibhav, thank you for your valuable and informative points about WordPress’ threats. Apparently, WordPress has a lot of work to do and I hope they are paying attention and take this seriously. Major academic and media organizations, including CNN and Temple, use the WordPress platform for their website. You are right Mengxue when you mention that it would be catastrophic if our school falls under WordPress’ victim list. As a recommendation, I would suggest the Content Management System to review in-house enterprise architecture, policies and technology to align itself with the best cyber security capabilities. This is something WordPress should not take lightly as the CMS leading the number of infected websites with 74%.