Our series of security advisor blog posts have talked about WordPress's plugin problem at length. But, today, we're going to shift gears and talk a little about the history of WordPress's ongoing plugin problem. It's important to look at these modules when you're looking at WordPress's overall vulnerability issues. After all, half of the draw to WordPress is that you can download tons of plugins. But what happens when half the plugins you download end up getting your website hacked?
Usually, when people think of vulnerable WordPress plugins, they think a small plugin with a few downloads.
After all, it's not like the major plugins are riddled with issues, right? I mean, if WordPress's top plugins were found to be vulnerable everyone would have heard about it, correct?
So, most people think that popular plugins are safe to download. Somehow the amount of installs corresponds to a plugin's overall safety.
Let's take a quick trip in the time machine and look at why that's not the case. In fact, some of WordPress's most popular plugins have been the exact plugins that are leaky. Let's dive in.
Let's start in 2013, the year that WordPress really started to pick up steam. By this point, WordPress had around 18% of the internet in its pocket, so it's safe to say that it wasn't having any popularity issues.
So, what plugins were vulnerable in 2013? Oh, how about 20% of the 50 most popular ones?
- E-Commerce (+2.2 million downloads)
- BuddyPress (+1.3 million downloads)
- Woo Commerce (you're reading this right!) (+470,000 downloads)
- W3 Total Cache (+1.5 million downloads)
- Super Cache (+3.9 million downloads)
- and lots lots more
In total, 73% of the top 40,000 most popular WordPress websites were subject to vulnerabilities in 2013. A lot of this has to do with these plugins — plus the usual core WordPress vulnerabilities.
Ok, so 2013 was a bad year for WordPress plugins. Surely 2014 is going to be better... right?
Unfortunately, 2014 was far worse than 2013. In fact, one malware alone — SoakSoak — compromised over 100,000 WordPress websites!
What about plugins? How were plugins faring in 2014?
Well, once again, 2014 saw a wave of vulnerabilities in plugins that wasn't just limited to the little guys. Some of the biggest plugins around were responsible for acting as attack vectors for hackers. Here are a few of the plugins that were vulnerable to hacks in 2014. In total, over 30 million websites were subject to vulnerabilities due to plugins in 2014.
- WPTouch (+5.7 million downloads)
- Disqus (+1.3 million downloads)
- All In One SEO Pack (+19 million downloads) Yikes!
- MailPoet Newsletters (+1.8 million downloads)
These plugin vulnerabilities were partially responsible for the massive DDoS attack that took place in 2014. Over 160,000 WordPress websites were used to target various sites in denial of service attacks. Hackers were stealing information, uploading viruses, injecting malware, and using websites resources to take down other websites. It was nasty business.
Oh well, surely 2015 will bring brighter days for WordPress!
"WordPress bug puts millions of site at risk!" was splashed across the front page of major cybersecurity news outlets at the beginning of 2015. This core WordPress flaw made hacking WordPress websites easy-as-pie, and an untold number of websites were hacked. But, that hack wasn't due to 3rd part plugins — it was just your run-of-the-mill WordPress vulnerability that put every single WordPress website at risk of getting hacked. So, we'll ignore that for now. Let's jump into plugin vulnerabilities, which... wasn't much better.
The first significant vulnerability was in Akismet — which is owned by Automattic — which left +3 million users susceptible to hacks. If you're not aware, Automattic is run by the co-founder of WordPress and operates under the domain name WordPress.com. The relationship between WordPress.org and WordPress.com is strong, and Automattic typically gets favoritism just because of the relationship between the two companies.
But, WordPress.com wasn't the only company shipping out leaky plugins. Here's a list of some of the biggest ones to give you an idea.
- Yoast SEO (+14 million downloads)
- WP Slimstat (+1 million downloads)
- NextGen Gallery (+1 million downloads)
- and tons more!
Altogether, there have been well over 30 million downloads from these few listed alone. There were plenty more.
Alright, that has to be the end. There's no way that this trend continues. After all, if this many top WordPress plugins have been vulnerable to hacks over the years, you would have heard about it right? There's no way that WordPress's most downloaded plugins are getting people's websites hacked...
While WordPress was dealing with more core issues (some of which 3rd party security analysts had to fix on their own,) WordPress plugin providers were dealing with a host of their own problems in 2016.
We saw All In One SEO (+30 million downloads at this point) again. This time it had another cross-scripting vulnerability that left millions of websites susceptible to hacking.
There are actually too many plugin vulnerabilities to list here in 2016. If you want an example of how dire the situation was, check out the weekly posts from WordFence — where literally millions of attacks were happening every single week due to plugin vulnerabilities.
We don't want to overwhelm you with bullet point lists. But, as far as we know, All In One SEO was the most prominent vulnerable plugin, but that makes sense, seeing as how it was one of the three biggest WordPress plugins at the time.
Up until now, we've only talked about plugins that contained vulnerabilities. But, what about plugins that purposefully hide malware in their design? There seemed to be a massive stream of these in 2017. Display Widgets (+1 million downloads) was found by WordFence to contain purposeful malware that left over 200,000 websites infected.
At the same time as plugins were being discovered daily to contain malware, huge plugins were trying to patch their leaky scripts. For example, WooCommerce had XSS issues, which is crazy seeing as how 30% of all eCommerce stores that operate on WordPress use that plugin!
This was also the year that security specialists were finally willing to turn their back on WordPress (despite the money involved in working on WordPress vulnerabilities.) Not only did we see some incredible statistics come out (small businesses were attacked 44 times every single day!,) we also discovered that websites that used WordPress plugins were 2x as likely to be hacked as websites that didn't use WordPress!
If you want to see the state of WordPress plugins in 2018, follow our WordPress Security Advisory blog posts — we cover tons of them.
There is an ongoing misconception that a plugins popularity somehow makes it immune to being vulnerable.. it doesn't. It's not the popular plugins are more vulnerable; it's that all WordPress plugins seem to have leaked vulnerabilities over the years.
There is no such thing as a safe WordPress plugin. WordPress's OSS is too open to vulnerabilities and plugins are one of the most efficient ways for hackers to break into WordPress websites.
Are you looking for a CMS that doesn't have vulnerable plugins? Contact us.