Unpatched WordPress installations rife with malware

Filed Under: Featured, Malware, Vulnerability

Yesterday the WordPress team gifted writers with the release of version 3.2 of the open source blogging platform. While their focus was rightly on all of the cool new features and enhancements their community will enjoy, I naturally wanted to focus on the changes that may have an impact on security.

The biggest announcement was the new minimum version requirement for PHP and MySQL: WordPress 3.2 will only run on web servers using version 5.2.4 or greater of PHP and version 5.0.15 or greater of MySQL.

This is no doubt good news from a security perspective. PHP 4 hasn't received security updates since 2007 and MySQL 4 hasn't been updated since 2008. If your host doesn't meet WordPress's new requirements, it is time to ask some serious questions about their security procedures to ensure your site remains secure.

As big a step forward as this is, however, it doesn't bring web hosts nearly close enough to versions of PHP and MySQL that could be considered safe to use. And clearly, this doesn't change anything for those users and hosts who aren't in the habit of updating their WordPress to begin with.

I was curious to see if WordPress users whose blogs have been hacked to distribute malware show a consistent pattern of mistakes.

I sampled about the last thirty URLs that SophosLabs detected as hosting infections through compromised WordPress blogs. I then surveyed which versions of PHP and WordPress these users had installed.

Of those, I narrowed down ten sites for which I was able to extract both pieces of data.

For anonymity's sake, I have simply numbered the sites. The first value is the site's PHP version and the second is its version of WordPress:

  1. PHP 5.2.16 / WordPress 3.1.1
  2. PHP 5.2.11 / WordPress 3.0
  3. PHP 5.1.6 / WordPress 2.8.6
  4. PHP 5.2.17 / WordPress 2.3
  5. PHP 5.1.6 / WordPress 3.1
  6. PHP 5.2.17 / WordPress 3.1.2
  7. PHP 5.2.17 / WordPress 2.8.4
  8. PHP 5.2.14 / WordPress 3.0.1
  9. PHP 4.4.3 / WordPress 2.9.2
  10. PHP 5.2.9 / WordPress 3.0

Not a single one of these web servers or WordPress installations, nor any I sampled, is up to date. PHP 5.2.17 is the most recent release (January 2011) in the 5.2 series, but this is no longer supported. The current version, including security fixes, is 5.3.6.

Not only are the WordPress versions old, some are VERY old, with dozens of known vulnerabilities. The only current patched version, aside from the new 3.2, is 3.1.4. There have been over two dozen security improvements since the release of 3.1.2, the most recent version in my test.
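To make the comparison above reproducible, here is a small added audit script (my own example, not code from the article or from WordPress) that takes the ten sampled version pairs, checks each against the WordPress 3.2 PHP minimum and the current releases quoted in the post, and flags the caveat raised in the comments: a distro build such as CentOS's 5.1.6-27.el5_5.3 carries backported fixes, so the upstream number alone cannot prove such a build is unpatched. Versions are compared as integer tuples rather than strings, which is the usual mistake in ad hoc checks (as strings, "5.2.9" sorts after "5.2.17"). The reference versions are the ones stated in the article; the sample list is constructed from the table above.

```python
"""Audit sampled PHP/WordPress versions against the minimums and
current releases quoted in the article (July 2011 figures)."""
import re
from typing import Optional, Tuple

# Constructed from the article's numbered list (anonymised site ids).
SAMPLE = [
    (1, "5.2.16", "3.1.1"),
    (2, "5.2.11", "3.0"),
    (3, "5.1.6", "2.8.6"),
    (4, "5.2.17", "2.3"),
    (5, "5.1.6", "3.1"),
    (6, "5.2.17", "3.1.2"),
    (7, "5.2.17", "2.8.4"),
    (8, "5.2.14", "3.0.1"),
    (9, "4.4.3", "2.9.2"),
    (10, "5.2.9", "3.0"),
]

MIN_PHP_FOR_WP32 = "5.2.4"  # minimum PHP for WordPress 3.2, per the article
CURRENT_PHP = "5.3.6"       # current PHP release with security fixes, per the article
CURRENT_WP = "3.1.4"        # latest patched 3.1.x release, per the article


def parse_version(text: str) -> Tuple[Tuple[int, ...], Optional[str]]:
    """Split 'X.Y.Z' from an optional distro release suffix ('-27.el5_5.3').

    Returns (numeric tuple, suffix or None). Integer tuples compare in
    version order: (5, 2, 9) < (5, 2, 17), whereas '5.2.9' > '5.2.17'.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-(\S+))?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


def audit(site: int, php: str, wp: str) -> dict:
    """Classify one site. A release suffix marks the PHP result inconclusive,
    because enterprise distros backport security fixes without changing the
    upstream version number."""
    php_v, php_suffix = parse_version(php)
    wp_v, _ = parse_version(wp)
    return {
        "site": site,
        "meets_wp32_php_minimum": php_v >= parse_version(MIN_PHP_FOR_WP32)[0],
        "php_current": php_v >= parse_version(CURRENT_PHP)[0],
        "wp_current": wp_v >= parse_version(CURRENT_WP)[0],
        "php_inconclusive": php_suffix is not None,
    }


def audit_all(sample=SAMPLE) -> list:
    return [audit(*row) for row in sample]


def summarize(results: list) -> dict:
    """Headline counts in the same terms the article uses."""
    return {
        "sites": len(results),
        "php_current": sum(r["php_current"] for r in results),
        "wp_current": sum(r["wp_current"] for r in results),
        "below_wp32_php_minimum": sum(
            not r["meets_wp32_php_minimum"] for r in results
        ),
        "php_inconclusive": sum(r["php_inconclusive"] for r in results),
    }


if __name__ == "__main__":
    for row in audit_all():
        print(row)
    print(summarize(audit_all()))
```

Run against the article's data it reports zero sites on a current PHP or WordPress release and three sites (PHP 5.1.6 twice, PHP 4.4.3 once) that could not run WordPress 3.2 at all. Feed it a packaged version string such as "5.1.6-27.el5_5.3" instead and the PHP verdict is marked inconclusive, which is the right answer: for backported builds you have to check the package changelog or the vendor's advisory list, not the version banner.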

Not patching our computers, servers and devices leaves the barn door wide open for criminal squatters.

Run your own WordPress installation? Be sure to update your web server, PHP and WordPress installations. I recommend signing up for security notifications from each vendor so you are aware of new versions that plug security holes.

Outsource your blog hosting? Review the policies of your service provider to understand whose responsibility it is to patch the underlying software and WordPress itself.

If all of that is too much hassle, just consider using WordPress.com and let others worry about these pesky version numbers.


11 Responses to Unpatched WordPress installations rife with malware

  1. Bill · 1154 days ago

    Used WordPress for years. Hopefully my site is too boring for hackers. :D
    http://www.wmghonline.com

    • Chester Wisniewski · 1154 days ago

      Good to see your WordPress is up to date Bill :) It's no guarantee of security, but it is the best place to start from!

      For those of you wanting to make it more difficult to detect which WordPress release you are running I recommend either deleting the readme.html file from the root WordPress directory, or creating an .htaccess file restricting it from being read.

      • Lloyd Budd · 1154 days ago

        Do you feel there is a benefit to hiding the version? It's trivial to identify a site as WordPress, and to test for security issues, regardless of the availability of the version number. At least if the version number is handy, friends can bug you to update.

    • No site is too boring; script kiddies don't need a reason to do their random shight.

  2. Neil · 1154 days ago

    Those PHP 5.1.6 are probably RHEL 5 (or derived). Just from that you can't tell if the php packages are fully patched or not. Just pointing out that enterprise distros patch, and don't increment the base version. Makes keeping all the security patches applied vastly easier. Of course it doesn't help if you install WordPress and never patch it.....

    • Chester Wisniewski · 1154 days ago

      Excellent point. Backporting patches makes identification difficult. If I have time I will check them. If I recall correctly there was one host running RHEL 5 and one host running CentOS, which would make sense from what you are saying... The flip side is that you don't know if those are up to date or not as the version number is static whether you apply the backported fixes or not....

      • neilmukerji · 1154 days ago

        I was going to make the point about RHEL 5 and derivatives (especially CentOS 5). The most recent PHP version there is:

        5.1.6-27.el5_5.3

        If, like me, you are running CentOS 5.6 and you do have the most up to date and secure PHP release for it, you can't move to WordPress 3.2. Sure, CentOS 6 is expected this week, but it is frustrating that WordPress have seen fit to require a version of PHP not yet available on the most popular Linux distribution for web servers (so says Wikipedia!).

  3. neilmukerji · 1154 days ago

    Another point of interest may be whether a WordPress installation was compromised due to the core being out of date, or whether it was the result of an insecure plugin. I would imagine the latter is significantly more common!

  4. Nick · 1154 days ago

    I have also seen a huge surge in sites running CMS Made Simple (CMSMS) that have been hacked in the last 10 days or so.

    The hackers leave the core site intact & functional and just add dozens of extra pages which they stuff with keywords & images for SEO poisoning purposes.

    Most CMSMS sites also seem to display the version at the foot of the page by default which, if you're running an old unpatched version, is like putting up a 'hack me' sign!

  5. Lloyd Budd · 1154 days ago

    I'd love to see a larger sample size. It would be very interesting to look at the date of the last post as well to try to understand if/when the site was abandoned.

    Most (all?) large scale WordPress compromises have been WordPress as the target (WordPress specific payload) not the vector. Not that this is any reason not to stay up to date!

  6. James · 1148 days ago

    Problem is there are too many blog hobbyists using WordPress who have no clue as to how important security is and why security issues that can affect their installs require daily monitoring. The number of insecure blogs out there is staggering. Even worse, some hosts who offer one click installs of WP are installing insecure product. You get outdated themes and plugins as part of the one click package. And even versions that are not current and behind by one build.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.