Hacking Websites today isn’t nearly as hard as it once was. The open-source WordPress content management system powers more than 71 million Websites, and all an attacker needs to do to potentially hack any one of them is to find an old, unpatched deployment.
WordPress recently updated to version 3.6.1 fixing a number of security vulnerabilities. I have no direct visibility into the specific number of how many of the 71 million WordPress deployments have updated to the latest version, but I know for a fact that not all of them have.
In fact, there are many vulnerable, unpatched WordPress deployments. The technique known as “Google hacking'” can easily identify vulnerable sites. With Google hacking, a search query is entered into a search engine that will search code (for example, https://search.nerdydata.com/). To Google hack a WordPress site, an attacker or security researcher just needs to look for the WordPress site identifier that discloses what version of the software a site is running, in order to find older, unpatched installations.
It really is that easy.
The challenge, from where I sit, is that many WordPress installations are set up and then just not updated. Sure, users will update content and posts, but the core installation isn’t always updated. Recent versions of WordPress have made the need to update more obvious to administrators with a top menu item that indicates that an update is available. Though the update still requires manual human intervention to actually click and update the site, which can often be the stumbling block that is preventing so many WordPress sites from actually being updated.
With the upcoming WordPress 3.7 update set for release by the end of October, that situation could soon change. WordPress 3.7 will likely include automatic background updates for security releases. It’s an obvious (and great) idea and one that browser vendors, including Google Chrome and Mozilla Firefox, as well as Adobe with Flash, have already implemented.
Simply put, automated security updates will keep sites more secure.
WordPress today represents the low-hanging fruit target for an attacker. One can only hope that over time, as WordPress 3.7 and its successors are released, that will change.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.