The recent case of Ninja Forms
The recent critical vulnerabilities unearthed in Ninja Forms, a popular WordPress plugin, are a stark reminder of the need for developers to engage in routine maintenance that includes continual monitoring, updating, and locking down of all WordPress sites in his/her portfolio.
On January 20, 2021, a threat intelligence team at WordFence informed the developers at Ninja Forms of four critical vulnerabilities which exposed over one million websites with active installations to a potential full website takeover situation. The first listed flaw allowed attackers to redirect site administrators to different locations. The second flaw allowed hackers with subscriber-level access to install a plugin. The third flaw allowed for hackers with the same access level to retrieve the Ninja Forms OAuth key while the fourth flaw made it possible for these hackers to disconnect the site from its Ninja Forms OAuth connection.
Wordfence immediately took steps to protect its paid and free plugin users with adjustments made to its firewall rules while Ninja Forms released a series of patches with the final version addressing all issues released on February 8, 2021.
Hackers scan for outdated, vulnerable plugins
In this case, and as far as we know, it was the savvy threat-intelligence team at Wordfence who first discovered the potential exploits and dutifully brought them to the attention of Ninja Forms in a responsible manner. It is unknown if any hackers discovered the flaws first and managed to take over WordPress sites using these vulnerabilities.
Most assuredly, they will now. If they haven’t already, hackers will begin to unleash bots to scan for and identify WordPress sites with older versions of Ninja Forms.
When critical vulnerabilities are discovered, and new plugin versions with appropriate patches are released, this does little to protect WordPress sites that are not regularly updated. Millions of WordPress sites are left vulnerable due to infrequent or nonexistent updating habits. Hackers send out bots to quickly scan WordPress websites and search for vulnerabilities in the form of old plugins with known security risks. Some of the most common outdated plugins with whopping security risks are File Manager, GDPR Cookie Consent, Page Builder, Duplicator, InfiniteWordPress Client, and Site Kit by Google.
Once a site is identified that contains an outdated version of these or other plugins, gaining control over the site is far too easy.
Privately developed third-party systems are another security risk when they are not constantly evolving and actively maintained to patch for recently discovered threats. Just before the free-speech platform Parler was taken offline by Amazon Web Services, its WordPress-designed site had been breached by hacktivists who took advantage of a security flaw in their poorly designed login system. The hackers downloaded all user data and post data due to the insecure way the posts were sequenced in perfect numerical order.
Keeping in the know
According to WebARX, there are over 30,000 websites hacked per day.
WordPress is used by over 35% of all websites, and these are the sites most commonly targeted by hackers. It’s not because of WordPress core, but most often because of the wide-open doors created by outdated third-party plugins.
There are several free notification services that inform developers of recent critical vulnerability discoveries. WebARX transmits recent vulnerability discoveries to its subscribers and keeps a list of WordPress vulnerabilities open to the public with comprehensive information related to each risk and a place for developers to submit their own discoveries.
Wordfence, the company which discovered the latest Ninja Forms security risk, also provides a free newsletter for security updates.
Protect your portfolio of WordPress sites
Update, Update, Update
It goes without saying that the number one way developers can fortify security on WordPress sites is to make sure all plugins, themes, and WordPress core are updated on a weekly schedule at a minimum. Aside from sites that might suffer due to potential conflict with updates making it necessary to do so manually, enabling automatic updates for all three systems is optimal for developers with a large portfolio.
Another step encouraged by security professionals is to change the WordPress login URL from
/WordPress-login.php to a different URL that won’t be easily guessed by malicious bots and hackers. In this respect, limiting login attempts and enabling two-factor authentication are also recommended.
Most hosting providers offer security options included with plans and/or available as add-ons. These tools help fortify your sites at the server level. For example, Media Temple hosting features a Security Pack powered by Sucuri which includes malware removal, continuous scans for malicious script injections, real-time alerts, customizable firewall, SSL, and geo-blocking.
Updating the PHP version of all websites/servers is crucial. Each new release of PHP is supported for only two years. While under support, these versions are continually updated with security patches and bug fixes. Once that version is no longer supported, a website running it instantly becomes vulnerable to attacks. As of this date, any site using PHP 7.1 or under is at risk.
Security plugins should also be considered. For example, Wordfence offers a free plugin that comes equipped with a firewall, daily malicious script scan, and a manual system to help clean hacked files. They also offer a premium version for more security. Cloudflare mitigates DDoS attacks through DNS redirection and caching.
There are numerous ways WordPress sites can be locked down further, most of which developers are aware of. Remedies such as configuring a server-side firewall, forcing SFTP over FTP, utilizing SSL certificates, enabling backups, moving the well-known WordPress-config.php file to a more secure location, and updating WordPress security keys are all popular techniques among many more that should be implemented.
When critical vulnerabilities are detected, most developers are quick to update and patch their WordPress products. And if a plugin has been completely compromised or appears to have been abandoned, WordPress will remove it permanently from their plugin repository. But updating the plugins and removing plugins that are no longer supported from individual websites are tasks that can only be completed by the website developer.
There is no single remedy to ensure WordPress website security, but there are many methods that can be combined to help thwart hacker attacks. It’s all up to you to put together a comprehensive defense plan.