WordPress, the open-source blogging and content management system (CMS), is widely deployed, and it is increasingly being targeted by attackers as a result.
More often than not, the root cause of a WordPress compromise is an exploitable plug-in, and that is what is happening now with the MailPoet WordPress plug-in. Security researcher Daniel Cid of security firm Sucuri is reporting that a vulnerable MailPoet plug-in is the entry point for malware that is infecting even sites that do not themselves have MailPoet installed.
The MailPoet vulnerability could enable an attacker to inject arbitrary code on a WordPress server. The security issue reported by Sucuri was fixed in MailPoet version 2.6.7, which was released on July 1; any earlier version should be treated as exploitable.
“To be clear, the MailPoet vulnerability is the entry point, it doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website,” Cid wrote in a blog post. “All the hacked sites were either using MailPoet or had it installed on another site within the same shared account (cross-contamination still matters).”
According to Cid, MailPoet has nearly two million downloads, so the risk of exploitation is high for site owners who have not yet patched MailPoet.
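Cid's cross-contamination point means the check an administrator needs is not "is MailPoet patched on my site" but "is there any unpatched MailPoet copy anywhere in the shared account, including old backups and neighbouring sites". The script below walks an account root and flags every copy older than 2.6.7. It is an added example, not code from the article, Sucuri or MailPoet, and it assumes two things: that MailPoet 2.x installs under wp-content/plugins/wysija-newsletters/ and that its version is declared in the standard WordPress plug-in header (Version: x.y.z) of that directory's index.php. The three-site account it audits is constructed inline in a temporary directory.

```python
"""Find every MailPoet copy in a shared hosting account and flag the unpatched ones.

Added example (not the article's or MailPoet's code). Assumptions: the plug-in
lives in wp-content/plugins/wysija-newsletters/ and its version is in the
WordPress plug-in header of index.php. The demo account tree is constructed.
"""
import os
import re
import tempfile

PLUGIN_DIR = "wysija-newsletters"   # assumed MailPoet 2.x plug-in slug
FIXED_VERSION = "2.6.7"             # release that fixed the Sucuri-reported bug
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(version):
    """Turn '2.6.7', '2.6' or '2.6.7-rc1' into a sortable key.
    Pre-releases sort below the bare release with the same numbers."""
    core, _, suffix = version.partition("-")
    nums = [int(n) for n in re.findall(r"\d+", core)]
    nums += [0] * (3 - len(nums))
    return (tuple(nums[:3]), 0 if suffix else 1)


def plugin_version(plugin_path):
    """Read the plug-in header from index.php; None if the file or header is missing."""
    main_file = os.path.join(plugin_path, "index.php")
    try:
        with open(main_file, encoding="utf-8", errors="replace") as fh:
            header = fh.read(8192)   # WordPress itself only reads the first 8 KB for headers
    except OSError:
        return None
    match = HEADER_RE.search(header)
    return match.group(1) if match else None


def audit_account(root):
    """Walk every directory under the account root. Any MailPoet copy below the
    fixed version is a risk to every site in the account, whether or not that
    site uses it. A copy with no readable version is treated as vulnerable."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.basename(dirpath) != PLUGIN_DIR:
            continue
        dirnames[:] = []   # no need to descend into the plug-in itself
        version = plugin_version(dirpath)
        vulnerable = version is None or parse_version(version) < parse_version(FIXED_VERSION)
        findings.append({
            "path": os.path.relpath(dirpath, root),
            "version": version,
            "vulnerable": vulnerable,
        })
    return sorted(findings, key=lambda f: f["path"])


PLUGIN_HEADER = "<?php\n/*\nPlugin Name: MailPoet Newsletters\nVersion: {version}\n*/\n"


def build_demo_account():
    """Constructed sample: three sites in one account, plus a forgotten backup copy.
    Only shop.example is patched; docs.example has no MailPoet at all."""
    root = tempfile.mkdtemp(prefix="shared-account-")
    layout = {
        "blog.example/wp-content/plugins/wysija-newsletters": "2.6.6",
        "blog.example/backup-2014/wp-content/plugins/wysija-newsletters": "2.5.9.2",
        "shop.example/wp-content/plugins/wysija-newsletters": "2.6.7",
        "shop.example/wp-content/plugins/akismet": "3.0.0",
    }
    os.makedirs(os.path.join(root, "docs.example", "wp-content", "plugins"))
    for rel, version in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(path)
        with open(os.path.join(path, "index.php"), "w", encoding="utf-8") as fh:
            fh.write(PLUGIN_HEADER.format(version=version))
    return root


if __name__ == "__main__":
    for finding in audit_account(build_demo_account()):
        status = "VULNERABLE" if finding["vulnerable"] else "ok"
        print(f"{status:10} {finding['version'] or 'unknown':8} {finding['path']}")
```

Run it against the real account root (the directory that holds all of the account's document roots) rather than a single site's wp-content; the backup copy in the sample is there precisely because stale copies outside any live site are what the per-site plug-in updater never touches.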
Looking beyond the MailPoet issue and the general risk of unpatched WordPress plug-ins, there is also an ongoing brute force attack against WordPress blogs. In a brute force attack, the attackers try to gain access to a site by automatically trying a myriad of username and password combinations. The new WordPress brute force attack is a variation on an attack first reported back in March, in which attackers abused the XML-RPC (Remote Procedure Call) pingback functionality in WordPress to launch distributed denial-of-service (DDoS) attacks; this time the same XML-RPC interface is being used for password guessing.
According to researchers at the SANS Institute Internet Storm Center, attackers are once again attempting to exploit XML-RPC in WordPress. In the March incident, the attackers were abusing the pingback functionality provided by XML-RPC, which is legitimately used within WordPress to enable content owners to track where their content is getting linked. In the new incident, attackers are abusing the "wp.getUsersBlogs" function, which is intended to return the list of blogs a given user can administer. Because the function takes a username and password and authenticates them before answering, every call to it is a cheap password guess that never touches the normal login form.
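The method name of an XML-RPC call lives in the POST body, so a standard web-server access log shows nothing but repeated POSTs to xmlrpc.php. The classifier below, an added example that is not from the article or the ISC report, assumes the request bodies have already been captured (at a WAF, a reverse proxy, or a WordPress hook) and does what a detection rule for this attack needs: it parses the body with the standard library's xmlrpc.client, recognises credential-bearing methods, counts guesses per source address in a sliding window, and, going beyond the single-call attack the article describes, also unpacks system.multicall so that one POST carrying many guesses is counted as many. The method table, the thresholds, the addresses and the sample traffic are all constructed for the example; wp.getUsersBlogs is the method the ISC reported, the other two entries are assumed additional oracles from the WordPress XML-RPC API.

```python
"""Classify WordPress XML-RPC request bodies and rate-limit credential guessing.

Added example, not the article's or the ISC's code. Assumes POST bodies to
xmlrpc.php are captured upstream; all sample traffic below is constructed.
"""
import xmlrpc.client
from collections import defaultdict, deque
from xml.parsers.expat import ExpatError

# Methods that carry a username/password pair, mapped to the index of the
# username among their parameters. wp.getUsersBlogs is the reported vector;
# the other two are assumed additional oracles from the WordPress XML-RPC API.
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs": 0,       # (username, password)
    "blogger.getUsersBlogs": 1,  # (appkey, username, password)
    "wp.getProfile": 1,          # (blog_id, username, password)
}
PINGBACK_METHODS = {"pingback.ping"}   # the vector behind the March DDoS reports


def expand_calls(method, params, depth=0):
    """Yield (method, params) for a plain call, or for every call packed inside
    system.multicall, which lets one POST carry many password guesses."""
    if method != "system.multicall" or depth > 1:
        yield method, list(params)
        return
    for call in (params[0] if params else []):
        if isinstance(call, dict) and "methodName" in call:
            yield from expand_calls(call["methodName"], call.get("params", []), depth + 1)


class XmlRpcGuard:
    """Counts credential-bearing XML-RPC calls per source address in a sliding window."""

    def __init__(self, max_guesses=10, window=300):
        self.max_guesses = max_guesses
        self.window = window                 # seconds
        self.guesses = defaultdict(deque)    # ip -> timestamps of recent guesses
        self.usernames = defaultdict(set)    # ip -> usernames tried (for the incident record)

    def inspect(self, source_ip, now, body):
        """Return a decision dict for one xmlrpc.php POST body."""
        try:
            params, method = xmlrpc.client.loads(body)
        except (ExpatError, xmlrpc.client.Error, ValueError, TypeError):
            return {"ip": source_ip, "verdict": "reject", "reason": "not a valid XML-RPC call",
                    "methods": [], "guesses": 0}
        if method is None:   # a methodResponse body, not a methodCall
            return {"ip": source_ip, "verdict": "reject", "reason": "not a method call",
                    "methods": [], "guesses": 0}
        calls = list(expand_calls(method, params))
        methods = [m for m, _ in calls]
        new_guesses = 0
        for name, p in calls:
            idx = CREDENTIAL_METHODS.get(name)
            if idx is None:
                continue
            new_guesses += 1
            if len(p) > idx and isinstance(p[idx], str):
                self.usernames[source_ip].add(p[idx])
        if new_guesses == 0:
            reason = "pingback" if any(m in PINGBACK_METHODS for m in methods) else "no credentials"
            return {"ip": source_ip, "verdict": "allow", "reason": reason,
                    "methods": methods, "guesses": 0}
        recent = self.guesses[source_ip]
        recent.extend([now] * new_guesses)
        while recent and now - recent[0] > self.window:
            recent.popleft()                   # age out guesses older than the window
        if len(recent) > self.max_guesses:
            verdict, reason = "block", f"{len(recent)} password guesses in {self.window}s"
        else:
            verdict, reason = "allow", "credential call within limits"
        return {"ip": source_ip, "verdict": verdict, "reason": reason,
                "methods": methods, "guesses": len(recent)}


def build_call(method, *params):
    """Serialise a methodCall body the way a client (or attacker) would send it."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def demo_traffic():
    """Constructed traffic: one legitimate pingback, a 12-guess run of single
    wp.getUsersBlogs calls, one system.multicall carrying 3 guesses, and junk."""
    traffic = [("192.0.2.10", 0,
                build_call("pingback.ping", "http://other.example/a", "http://blog.example/post/1"))]
    wordlist = ["admin", "password", "123456", "qwerty", "letmein", "wordpress",
                "admin123", "welcome", "abc123", "iloveyou", "monkey", "dragon"]
    for i, password in enumerate(wordlist):
        traffic.append(("203.0.113.7", 1 + i, build_call("wp.getUsersBlogs", "admin", password)))
    packed = [{"methodName": "wp.getUsersBlogs", "params": ["admin", pw]}
              for pw in ("summer2014", "Passw0rd", "changeme")]
    traffic.append(("198.51.100.9", 20, build_call("system.multicall", packed)))
    traffic.append(("198.51.100.9", 21, "this is not xml"))
    return traffic


def run_demo(max_guesses=10, window=300):
    """Feed the constructed traffic through one guard; returns (guard, decisions)."""
    guard = XmlRpcGuard(max_guesses, window)
    return guard, [guard.inspect(ip, t, body) for ip, t, body in demo_traffic()]


if __name__ == "__main__":
    guard, decisions = run_demo()
    for d in decisions:
        print(f"{d['ip']:14} {d['verdict']:6} guesses={d['guesses']:2} {d['reason']} {d['methods'][:1]}")
```

The same logic fits a must-use plug-in hooked on WordPress's xmlrpc_call action or a WAF rule in front of xmlrpc.php; the multicall expansion is what keeps a 10-per-window limit meaningful, since without it an attacker can stay under any per-request count by packing hundreds of guesses into a single POST. If a site needs neither pingbacks nor remote publishing, the simpler control is to stop serving xmlrpc.php at all.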
There are a number of things WordPress site administrators can do to limit the risks of the recent round of attacks. The first and most obvious is to make sure all plug-ins are updated and fully patched on every site in a hosting account, not only the one that appears to be affected. WordPress also provides a helpful guide on Hardening WordPress that can help mitigate the risk of the brute force attacks.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.