How Vulnerable is Your WordPress Site?
"The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server."
Pretty wild and scary sounding stuff.
The quote referenced above is attributed to an article from Arstechnica (opens in new window), a well-respected, online tech journal. It speaks to the recently discovered and patched vulnerability related to user submitted comments in WordPress. The fact that such a vulnerability exists has gotten many businesses concerned about their website's security. But a more thorough analysis of the security vulnerability reveals that the exploit requires a mind-blowing level of negligence to actually occur.
How Vulnerable is My Website?
Here's some details on how this exploit might still get you into deep doo-doo. To be considered vulnerable, your website must meet three criteria:
- First, your website must be using an installation of WordPress earlier than 4.2.1. At the time of the Arstechnica article, every installation of WordPress was "vulnerable". All 60 million plus. But with the discovery of the exploit, WordPress released the 4.2.1 update, which specifically patched the security vulnerabilities at hand.
- Secondly, your website must use WordPress' default settings for user submitted comments. The default settings for comments require that an administrator or moderator approve all comments.
- Third, is that since any WordPress site will get deluged with spam comments, the administrator has decided to tolerate thousands of spam comments per month in lieu of a spam blocking service. Anyone managing a WordPress site is well aware of the "spam problem".
- The fourth requirement is that a site administrator would need to read the spam comment and purposely approve it. So, in order to be vulnerable, you, as the site administrator, would have to read and approve that 64K spam comment that's probably full of nonsense, and its payload of a small bit of JavaScript. It is this small bit of JavaScript contained within the comment that is at the heart of the vulnerability.
If the site is not actively administered, the comment will never get approved, and nothing bad happens. If your administrator uses common sense and deletes the shady looking spam comment, than the comment gets deleted and nothing bad happens. If you update your website with the new patch, the entire vulnerability is erased and nothing bad happens. The only scenario where something bad happens is if the website's administrator is negligent, does not update your WP installation, and knowingly approves a spam comment.
The Actual Risks
It shouldn't be a shock to anyone, that today's Internet, particularly those websites that rely on online ad revenue, are motivated to produce headlines and stories that generate the most clicks and page views. While the security vulnerability patched by 4.2.1 was real and dangerous, when you take into account the absurd levels of ignorance needed to make your website vulnerable, it really makes it a lot less scary. These were our biggest takeaways from the whole ordeal:
If you have no need for comments, disable them.
As everyone who has used WordPress for any length of time knows, the Internet is awash in spam. Comment spam is as bad, or worse than email spam. Any WordPress installation that has comments enabled, is going to get flooded with spam; hundreds, if not thousands, of spam comments per month. It's simply not worth the risk. If you have no need for comments, disable them!
If comments are required, use third-party plug-ins to help manage them.
Many websites benefit from discussion that occurs in user-generated comment sections. In these situations, it is best to use an anti-spam service like Akismet (opens in new window), to filter out spam, or a comment service like Disqus (opens in new window). In fact, you pretty much have to, or your site will be 95% spam, and no one will bother reading it because its full of worthless garbage.
There is no substitute for a little common sense.
To work effectively, the security vulnerability requires that the malicious comment be greater than 64K in size. To put this into greater perspective, 64K is several type written pages of text. Reading the contents of this message should indicate that the message is spam. As much as this is a technical exploit of WordPress, it requires that someone who manages your website not use common sense.
Web Servers are not really at risk.
Arstechnica mentioned in their article that the danger wasn't isolated to websites, but actually mentioned "web servers" as a potential target. That's probably a typo, but it sure sounds a lot scarier and is sure to generate more clicks. In fact, such a thing is only possible if someone with even less common sense than your negligent web admin is running the server. In any default installation, a hijacked website, no matter how badly hijacked, cannot take control of the web server.
Always update and patch your installation of WordPress.
Security vulnerabilities are a reality of the Internet, now and long into the future. The only way to minimize the chance of security issues affecting your website, is to be vigilant in maintaining your content management system and any third-party plugins you have installed. Patch your sites as soon as patches are released. Some are more serious than this. And it is the right, sensible thing to do.