CMS Platforms and Potential "Megahacks"

Submitted by Jon Lebkowsky.

A recently revealed vulnerability in the WordPress auto-update process could have resulted in widespread intrusions on websites that were running WordPress with auto-update turned on. Specifically, this refers to automatic background updates: you can set WordPress to accept core and plugin updates as they're released, so that you don't have to monitor and run the updates yourself. A site with auto-update turned on pulls new code from WordPress.org's update servers and installs it without anyone looking at it first, so the whole arrangement rests on those servers only ever handing out legitimate code. The update servers, in turn, receive the project's code from repositories hosted at GitHub, and to make sure that what arrives really came from those repositories, the developers protected that channel with a hash-based check of a shared secret - sort of like authenticating with a password.

The weakness was in how that check was done: the hashing algorithm used to verify a submission was not fixed on the server but named by whoever sent the request, so a bad actor could pick a weak one. With a weak enough algorithm there are only so many possible signatures, and an attacker who never learns the secret can simply try them until the server accepts a submission of tampered code. That is a brute force attack, which means automated processing of a lot of guesses until you make the right guess. A good article at Sophos' NakedSecurity website explains the problem in more detail.
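To make that design flaw concrete, here is an added example in Python. It is not WordPress.org's code, not Wordfence's proof of concept, and not even the same language as the real update server; the shared secret, the two webhook payloads and the 16-bit "toy16" digest are all constructed for the demonstration (the toy digest exists only so the brute force finishes in about a second). It shows a verifier that lets the request choose the hash algorithm next to one that fixes the algorithm server-side, and an attacker with no secret defeating the first but not the second.

```python
"""Webhook signature check: attacker-chosen hash algorithm versus a fixed one.

Added example for this post; not WordPress.org's or Wordfence's code.
"""
import hashlib
import hmac
import zlib

# Constructed shared secret, standing in for the one an update server would
# share with the webhook of its source repository.
SECRET = b"constructed-shared-secret"

# Constructed webhook payloads: what the real repository would push, and what
# an attacker who does not hold the secret wants the server to accept instead.
LEGIT_PAYLOAD = b'{"ref":"refs/heads/master","after":"a1b2c3"}'
FORGED_PAYLOAD = b'{"ref":"refs/heads/master","after":"attacker-commit"}'


class Toy16:
    """Constructed stand-in for a weak, checksum-style algorithm (16-bit output).

    Its only role is to make the signature space small enough to exhaust here.
    It exposes the hashlib-style interface that hmac.new() needs from a digestmod.
    """

    name = "toy16"
    digest_size = 2
    block_size = 64

    def __init__(self, data=b""):
        self._state = zlib.adler32(data)

    def update(self, data):
        self._state = zlib.adler32(data, self._state)

    def digest(self):
        return (self._state & 0xFFFF).to_bytes(2, "big")

    def hexdigest(self):
        return self.digest().hex()

    def copy(self):
        other = Toy16()
        other._state = self._state
        return other


# Everything the hashing layer offers, strong and weak alike, as seen by a
# server that passes the request's algorithm name straight to the library.
ALGORITHMS = {"sha256": hashlib.sha256, "sha1": hashlib.sha1, "toy16": Toy16}


def search_space(algo):
    """Number of distinct signatures an attacker may have to try."""
    return 1 << (8 * ALGORITHMS[algo]().digest_size)


def sign(payload, algo="sha256"):
    """What the legitimate sender attaches: '<algo>=<hex hmac>'."""
    return f"{algo}=" + hmac.new(SECRET, payload, ALGORITHMS[algo]).hexdigest()


def verify_weak(header, payload):
    """Flawed pattern: the request decides which algorithm checks it."""
    algo, _, sig = header.partition("=")
    if algo not in ALGORITHMS:
        return False
    expected = hmac.new(SECRET, payload, ALGORITHMS[algo]).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.encode())


def verify_strong(header, payload):
    """Hardened pattern: one algorithm fixed server-side, constant-time compare."""
    algo, _, sig = header.partition("=")
    if algo != "sha256":
        return False
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.encode())


def brute_force(verifier, payload, algo, max_tries=1 << 16):
    """Attacker with no secret: submit the forged payload with every possible
    signature value until the server accepts. Returns (header, tries) on
    success, or (None, tries) when the budget runs out."""
    width = 2 * ALGORITHMS[algo]().digest_size
    tries = min(search_space(algo), max_tries)
    for candidate in range(tries):
        header = f"{algo}={candidate:0{width}x}"
        if verifier(header, payload):
            return header, candidate + 1
    return None, tries


if __name__ == "__main__":
    print("legitimate push accepted by weak/strong:",
          verify_weak(sign(LEGIT_PAYLOAD), LEGIT_PAYLOAD),
          verify_strong(sign(LEGIT_PAYLOAD), LEGIT_PAYLOAD))
    print("signature space, sha256:", search_space("sha256"))
    print("signature space, toy16: ", search_space("toy16"))
    hdr, n = brute_force(verify_weak, FORGED_PAYLOAD, "toy16")
    print("weak verifier accepted forged payload after", n, "tries:", hdr)
    hdr, n = brute_force(verify_strong, FORGED_PAYLOAD, "toy16")
    print("strong verifier accepted forged payload:", hdr, "after", n, "tries")
```

The point is not the toy algorithm but the shape of the two verifiers: the attacker never learns the secret, and the weak one still loses because it let the attacker shrink the space of acceptable signatures. The hardened one refuses anything but the one algorithm it was built for, even a signature that is valid under another strong algorithm, and compares in constant time.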

Auto-updates are still a good thing if you're managing your own website. It's important to apply security updates quickly: once a security issue is publicly disclosed, the odds that someone will try it against your site climb steeply, because exploiting a known flaw is cheap and easy to automate. Note that the flaw described above was in the project's update infrastructure, not in the sites that trust it; a site that updates itself automatically is only as safe as the servers that feed it, which is why a weakness there mattered so much.

The other option is to apply updates to core software and plugins one by one, by hand. This is our practice at Polycot Associates for the websites we manage. This hands-on approach lets us check whether an update causes any issues with the website before it goes live; it's a more controlled process, though it only works as a security measure if someone is actually watching for releases and applying them promptly.

The NakedSecurity article stresses the importance of security updates, noting that in a scan a few years ago, EnableSecurity found that "73.2% of the most popular WordPress installations were open to vulnerabilities that could be detected using free automated tools" and that "the first rule of WordPress security is to always run the latest version of WordPress." They go on to say that "updating quickly is important because attacks against serious CMS vulnerabilities can spread within hours, and there’s obviously nothing the crooks like better than a trick they can use over and over and over to compromise millions and millions of sites."

The auto-update vulnerability described here was discovered by developers of the security plugin Wordfence, which Polycot adds as a matter of course to the standalone WordPress sites we develop. (An exception is sites hosted at Pantheon, a hosting service that provides its own security controls.)