The Wordpress update crisis

Wordpress is by far the most popular web site Content Management System in use today, beating out its two big open source rivals, Drupal and Joomla, by quite some margin (http://w3techs.com/technologies/overview/content_management/all). This popularity is part of the reason that Wordpress has a thriving ecosystem of plugins, themes and developers - which in turn serves to further boost the popularity of the platform - but it also makes Wordpress a common target for hackers looking for web sites to exploit and use for nefarious purposes such as distributing malware to visitors, sending spam emails or launching DDoS attacks.

Abusing Wordpress

There are a number of methods that hackers use to gain unauthorised access to Wordpress installations. These include brute force attacks to discover the password for an account with administrative access to the Wordpress dashboard, and using keyloggers or other such malware to steal the credentials from a machine used to access the admin dashboard, but one of the most common is simply to exploit known security vulnerabilities in older versions of either Wordpress itself or the various third party plugins and themes which are inevitably installed.

As part of my day to day work, I spend a considerable amount of time handling abuse matters, a lot of which involve compromised web sites. Whilst web sites powered by the other popular open source CMS such as Drupal and Joomla have their fair share of security incidents, the sheer popularity of Wordpress means that it is the most commonly exploited CMS that I see. A lot of these abuse incidents are ultimately traced back to out of date versions of either Wordpress itself or third party plugins and themes. This isn't the only problem by any means, but it is by far the single biggest cause, despite updating Wordpress being a very simple and straightforward process.

When we speak to clients about the problems that we have found with their web site (either as a result of an abuse report or discovered from our own internal security scanning), we often find that the web site owner has no idea that they need to keep Wordpress up to date and in many cases they don't even know that they are running Wordpress at all! There are many different ways that people can end up using Wordpress for their web site or blog, but one very common one is for web designers to use a CMS such as Wordpress when building a web site due to the powerful, flexible platform that it provides. Unfortunately, when the finished site is handed over to the client there is often no mention of the underlying Wordpress system or what the client needs to do in order to maintain it appropriately.

How bad is it?

To see just how bad the Wordpress update situation is, I grabbed the version number for every Wordpress installation present on each of the web-facing servers under our management. The first statistic I found goes to show just how popular Wordpress is - 85.2% of the servers that I looked at had at least one Wordpress installation running on them, and every single server which didn't have any Wordpress installations present on it is only being used to run one or two specific applications for the clients in question.

Of all of the Wordpress installations that I found, 86.6% were not running the latest version of Wordpress (4.4.1 at the time of writing). This isn't quite as bad as it initially seems, as currently Wordpress versions 3.7.x, 3.8.x, 3.9.x, 4.0.x, 4.1.x, 4.2.x, 4.3.x and 4.4.x are all still receiving security updates. These major versions make up 68.8% of the Wordpress installations that I looked at, or to put it another way - 31.2% of the Wordpress installations examined were running major versions of Wordpress which aren't even eligible for security updates!

Over half of installations are vulnerable.

At the time of writing, the latest minor versions of each of the respective major versions of Wordpress which are still receiving security updates are 3.7.12, 3.8.12, 3.9.10, 4.0.9, 4.1.9, 4.2.6, 4.3.2 and 4.4.1 - all of which were released on the 6th of January 2016 (https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/). If you treat all of these releases as the latest available versions of Wordpress, then 51.2% of the installations examined still aren't running a version of Wordpress which contains all of the available security patches. Whilst much better than the initial figure of 86.6%, this still means that over half of the Wordpress installations I examined have some form of known security vulnerability present in them.

Even more worrying is that if you look just within the Wordpress installations which are running the various major versions which are still receiving security updates, 29.0% of the installations are still running an out of date minor version of Wordpress! This is particularly worrying given that Wordpress 3.7 introduced automatic updates for Wordpress itself (but not themes or plugins) and, coincidentally, 3.7.x is currently the oldest version of Wordpress still receiving security updates, so Wordpress installations running version 3.7.x and later should really be kept up to date automatically. By default these automatic updates only cover minor versions within any given major version, but clearly in some cases even those aren't being applied for some reason.
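As an added illustration (not code from the post, and not part of Wordpress itself), here is a small Python script of the kind described above: it finds each installation by its wp-includes/version.php, buckets the version using the supported branches and latest minor releases quoted in this post, and checks wp-config.php for the constants that switch core auto-updates off. The directory layout and sample strings are constructed for the example.

```python
import re
from pathlib import Path

# Supported branches and their latest minor release, as listed in the post
# (6 January 2016). A version on any other branch gets no security updates.
LATEST_PER_BRANCH = {
    "3.7": "3.7.12", "3.8": "3.8.12", "3.9": "3.9.10", "4.0": "4.0.9",
    "4.1": "4.1.9", "4.2": "4.2.6", "4.3": "4.3.2", "4.4": "4.4.1",
}
CURRENT = "4.4.1"

# wp-config.php constants which, at these values, stop core auto-updates.
AUTO_UPDATE_KILLERS = {
    "AUTOMATIC_UPDATER_DISABLED": "true",
    "WP_AUTO_UPDATE_CORE": "false",
    "DISALLOW_FILE_MODS": "true",
}


def read_wp_version(version_php: str):
    """Pull $wp_version out of the text of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    return m.group(1) if m else None


def classify(version: str) -> str:
    """Bucket a version the same way the post's statistics do."""
    if version == CURRENT:
        return "current"
    branch = ".".join(version.split(".")[:2])
    latest = LATEST_PER_BRANCH.get(branch)
    if latest is None:
        return "unsupported-branch"      # no security updates at all
    return "patched" if version == latest else "outdated-minor"


def auto_update_disabled(wp_config: str):
    """Names of wp-config.php constants set to a value that disables core auto-updates."""
    found = []
    for name, bad in AUTO_UPDATE_KILLERS.items():
        pat = r"define\(\s*['\"]%s['\"]\s*,\s*(\w+)\s*\)" % name
        m = re.search(pat, wp_config, re.IGNORECASE)
        if m and m.group(1).lower() == bad:
            found.append(name)
    return found


def scan(root: str):
    """Walk a server's web roots; one (site, version, bucket, disabled) per install."""
    report = []
    for vp in Path(root).rglob("wp-includes/version.php"):
        site = vp.parent.parent
        version = read_wp_version(vp.read_text(errors="replace"))
        cfg = site / "wp-config.php"
        killers = auto_update_disabled(cfg.read_text(errors="replace")) if cfg.exists() else []
        report.append((str(site), version, classify(version) if version else "unknown", killers))
    return report
```

Running scan("/var/www") on a host would give the raw data behind the percentages in this section, with the auto-update column answering the "why isn't it updating" question for each site.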

Don't forget the plugins!

All of the above statistics are just for the core Wordpress installation; they don't take into account all of the various themes and plugins which are installed into Wordpress and can have just as serious security problems. Given the number of Wordpress installations which are out of date despite the availability of automatic updates, it is safe to assume that the situation with plugins and themes is just as bad - which seems to tie in with our general experience handling abuse incidents.

What to do?

I would be interested to know if these statistics match what other hosts are seeing or if they are in some way skewed, but either way it is clear that something needs to be done in order to improve the situation - it just isn't immediately obvious what this should be. I suspect that education will play a big part - the Wordpress update process is very simple, but that doesn't help if you don't know about it. Finding out why automatic updates seemingly aren't being applied will also be crucial - is there something wrong with the automatic update system, or is it just being disabled for some reason?

Another option is to see if some web site owners would benefit from moving away from Wordpress altogether - not everyone needs the power and flexibility that the Wordpress platform and supporting ecosystem provides. Often Wordpress is just used as an easy way for the end user to be able to update the web site content, and that is something that can be accomplished with the likes of our web site builder system. The advantage of such systems is that they are an entirely managed platform, so the web site owner doesn't need to worry about the platform itself and can instead focus on their web site content.

We already contact clients about out of date software such as Wordpress that we discover as a result of our investigations into possible abuse incidents, but to date we haven't been doing anything to proactively notify clients of security updates to Wordpress or other applications, as this would be a time intensive, manual task. Some of the software that we use, such as Softaculous in cPanel or the Application Vault in Plesk, does send out notifications when new versions become available, but these notifications don't specify whether they are for a security update or just a general release. After seeing just how bad the Wordpress update situation is, I will be looking to put together some scripts to at least partially automate this task so that we can begin informing clients on a much larger scale and educating them as to what steps they need to take in order to keep their web site safe and secure.

Make sure you're up to date

Whether you host your web site with us or not, if you're running Wordpress then please go and check that it is fully up to date. If you have plugins installed that you aren't using then remove them, and any third party plugins you are using should be updated. Likewise, remove themes that you don't need and update any that are left. The best way to keep your website secure is to make sure it is always kept up to date.

Fun statistics

I'll leave you with a few other interesting statistics that I discovered whilst writing this blog post:

  • 4.9% of Wordpress installations that I examined are still running version 2.x and 38.9% are still running version 3.x.
  • The oldest version of Wordpress that I found was 2.0, which was released on the 31st of December 2005 (https://wordpress.org/news/2005/12/wp2/) - over 10 years ago!
  • There were 109 unique versions of Wordpress in use among all of the installations that I examined.