Security Researchers Uncover Massive WordPress Vulnerability
Since the entrance of the word “blog” into our vocabularies in the mid-2000s, the idea of what blogging encompasses has undergone a significant amount of change. What hasn’t changed, however, is a lot of the underlying architecture that powers those blogs. WordPress is among the most popular platforms for creating websites on the Internet. By one estimate, WordPress software is the engine behind nearly 30% of all websites. These aren’t just blogs as such; many other sites run on some variation of the core WordPress software.
Considering the staggering number of pages, one might expect the entire platform to have ironclad security. However, security researchers at Wordfence recently alerted WordPress developers to a potential vulnerability that could have compromised every single WordPress-powered site! The issue would have been made possible by attacking one of the major central servers that are key to the way WordPress functions: the API server. This server controls and sends out the automatic updates as the developers publish them. If someone could gain control of it, they could send malicious updates out to every WordPress site that “phoned home” to the update server.
Wordfence’s attack exploited a vulnerability in the hashing method for a particular value used to authenticate requests. With a careful approach and an additional exploit that relies on weaknesses in a certain hash algorithm, the researchers could trick the WordPress API server into thinking they had supplied valid credentials.
From there it was only a short leap to gaining access to the most critical parts of the server. Any attacker with the right knowledge and time could likely have accomplished the same. The result, however, would have been much worse. As it stands, Wordfence quickly alerted WordPress, which patched the issue right away. Nonetheless, the researchers note that the API server poses a continuing vulnerability only because there is no fail-safe in place for its compromise.
When we visit webpages, we trust that they’re serving us legitimate content. We verify that confidence in many ways, including SSL certificates. If a hacker could compromise so many websites just by pushing out a malicious update, though, what then? It certainly raises plenty of interesting questions. Going forward, we hope that a greater focus will land on improving the overall security of the WordPress platform. When almost a third of all websites depend on it, robust security is essential.