A Storied History of Security Vulnerabilities
This blog series is focused on the latest WordPress security issues, but today we're going to take a trip back in the WordPress security time machine. Let's glance at the history of WordPress and security (spoiler alert -- it's not pretty.)
To really understand the history of WordPress's security, you have to go back to 2008.
2008 (The Beginning)
There were WordPress hacks before 2008, but WordPress wasn't very popular yet, so there wasn't a ton of press on WordPress vulnerabilities at the time. The first time we really started to see WordPress vulnerabilities exposed was during the 2008 hacking fiasco. The hackers' primary attack vectors during this fiasco were your WordPress site root directory, the wp-config.php file, .htaccess files, plugins and themes, just to name a few.
WordPress was starting to gain some traction by 2008, and, at the same time, it was starting to get a pretty nasty reputation for its security measures (strange...)
In 2008, TechCrunch picked up the WordPress hacking fiasco story with some bold statements.
"If you are currently not running the latest version of WordPress then there is a very high chance that your site has already been compromised." - TechCrunch
Of course, this was just the beginning of a crazy journey through WordPress's ever-increasing list of vulnerabilities. In fact, WordPress users were already starting to get wary by 2008, because in 2007 WordPress's own servers had undergone a series of attacks that resulted in vulnerabilities being built into the WordPress patches themselves.
2009 (The Year of Vulnerabilities)
We give the WordPress security team a hard time; it's true. Usually, it's because they completely fail to patch vulnerabilities in a timely manner (sometimes for years), but since 2009 they have been releasing a massive amount of security updates.
2009 was the first year where we saw a ton of security updates that required website owners to upgrade WordPress. This theme has carried on. Unfortunately, the theme of hackers finding vulnerabilities within days of each upgrade has also carried on.
Take a look at the list of vulnerabilities that 2009 brought to WordPress here. 2009 also included this bad boy, which allowed just about anyone, anywhere, to completely hijack your website -- no hacking, no authentication and little knowledge required.
Needless to say, 2009 was a bad year for WordPress security. Next year will be better, right?... Right?
It's one thing to have vulnerabilities that come in through extensions, but it's another to have built-in vulnerabilities. It's yet another to have built-in vulnerabilities that plague you for, say, 5 years…
2010 was another big year for hackers, and there were lots of WordPress updates and vulnerabilities, but we want to focus on a biggie -- TimThumb. Why do we want to focus on TimThumb? We think it's a pretty good example of the state of WordPress security, and, in particular, WordPress's insane ability to ignore vulnerabilities for a very long time.
TimThumb is the name of a .php file in WordPress that contains image sizes. For years, scripts, themes and extensions (really everything) used it to change image dimensions. And for all of those years, websites were getting hacked. A lot of websites.
2010/2011 was when the first reports started getting filed on TimThumb. Websites were getting compromised, and hackers were literally firing commands at websites and shutting them down using vulnerabilities in TimThumb. Here is a post on a security blog from 2011 regarding the issue.
Ok, so websites are getting taken down using a vulnerability in a core element of WordPress; they'll fix that quickly, right?
In 2014, TimThumb was still being used, and widely, to hijack websites across WordPress. Hackers were still deleting critical website files, WordPress was still ignoring it, and thousands of websites were still vulnerable. That's almost 5 years. Let's say that again -- five years. TimThumb remains one of the top three plugin security risks to this day, according to Sucuri's most recent Hacked Website Report.
2011 - 2013 (Bigger Websites Fall Harder)
2011 was around when WordPress started to dominate the open source CMS market. Tons of websites were flocking to WordPress because it was free, and WordPress is pretty good at sweeping its security issues under the carpet.
This is about the time that WordPress went from "issue-prone" to downright vulnerable. 2011 - 2013 saw over 50 vulnerabilities surface, many of which were easy to pull off. Hackers were taking down huge websites and DDoSing everything from companies to political campaigns.
This is around the time that videos started popping up showing people taking over WordPress websites in 5 minutes (and with ease.)
2013 - Current
Don't expect a happy ending to this story. From 2013 to 2018, well over 275 core vulnerabilities were discovered within the WordPress framework, and countless others in the free and commercial plugins out there. We like to keep you guys informed about the latest ones here on our blog. Wordfence reported in 2017 how even the WordPress installer can be used by a hacker to take control of your website.
Simply put, things aren't getting better; they're getting worse. WordPress continues to struggle with security issues - most of which arise due to its open source nature.
How to Protect Your Website
If you're looking at this WordPress security history and thinking "How do I protect my website from all of these vulnerabilities?", that's great!
A quick Google search will turn up a number of results like this one, which will provide you with a 23-step checklist: installing a WordPress security plugin, banning IP addresses, steps to limit brute force attacks, two-factor authentication (2FA), protecting your wp-admin username, limiting login attempts, things to look for in a shared hosting provider, automatic updates and more. It's a good article if you have the knowledge and time, or resources and budget, to continually monitor your website to ensure it remains secure.
We have a really easy trick for you to try. This quick trick will boost the security of your website exponentially.
Go to your WordPress website.
Think really hard about how valuable all of your information and privacy is.
Think about how much your visitors mean to you.
Switch from WordPress to QuickSilk.
You did it! Your website is now safe, secure, easy-to-use, and it has an expert team of support agents ready to help you at any time by phone, email or in-app.