Sorry for the hiatus, I’ve been very busy lately with a few things and I haven’t had much time to update! I have quite a few blog posts nearly ready so don’t expect me to be gone again! In my last blog post I bemoaned the respectability of WordPress Security at conventions and among other security professionals, and I will go on my blog rant here instead. Everytime I go to a security conference and tell people I specialize in wordpress security people laugh at me. “No one can secure wordpress!” “Why bother securing it?”

In fact almost every time I bring it up I’m ridiculed. I hope that this post changes your mind.


WordPress sites are being assembled into huge botnets

A few weeks ago, a huge DDoS Attack was orchestrated by using script injections into Weibo Analytics, turning many sites into zombie sites for this attack. This attack took down github and was kind of a big deal. This is not the first time sites have been used in DDoS attacks, and I suspect it is the beginning of a growing trend. Wouldn’t it be nice if there was some kind of platform that 74,652,825 sites were hosted on that I could turn into zombie machines for my lovable botnet?


Oh wait, there is. WordPress. In fact, if I had to choose a platform to start babby’s first botnet, it’d be wordpress. Apparently other hackers do too. These botnets have been used in DDoS attacks but also in malware, cross site script injections, and plain ol’ blackhat SEO tactics. If I had a dime for every time a WordPress site was advertising a Chinese Pharmacy, I could probably become a Chinese drug lord.

WordPress Plugin Hacks are Incredibly Cheap

WordPress plugin hacks are literally so abundant they cost less than $15 to buy. That’s insane, because that means there are so many available, and the amount of work it takes for your average script kiddie to find a plugin to sell is probably a few hours at most.


This is a serious problem and no one is addressing it. In fact the problem with WordPress plugin security is so serious that the FBI are even kind of pissed off about it.


From their recent press release:

Methods being utilized by hackers for the defacements indicate that individual Web sites are not being directly targeted by name or business type. All victims of the defacements share common WordPress plug-in vulnerabilities easily exploited by commonly available hacking tools.

That’s right, the state of security in WordPress is so awful, that the FBI basically had to release a PSA to warn people that their site is pretty much open for anyone to exploit as long as they have an internet connection.

Everyone has a WordPress Site

I mentioned this number earlier but I’ll repeat it: 74,652,825.


That is the number of wordpress sites that exist on the internet today (about the same as the population of Turkey). How much of the internet is that, you may ask? 22% of all sites in the United States run WordPress alone. That’s a lot of websites, that’s a lot of people who are running insecure platforms. That’s kind of a big deal. If you’re ignoring WordPress, if you think that WordPress doesn’t matter to you or your business or your security model, just look around you and say “One in every Five sites is probably going to get hacked soon”


Not only is WordPress widely used, it’s trusted by users who don’t know enough about security to know how to secure their sites:

If plugins and core are not secured before the end user gets their fingers on it, then you might as well pretend it’s not there at all. Would you sell a house without any locks? Probably not. Would you ship a wordpress plugin without auditing your own code first? Yes.

It’s only going to get worse

If we don’t start addressing these problems now, we’re going to be screwed in just a bit. WordPress is downloaded 10,000 times per day, and 289 plugins are added to the repository every day. This is a huge number, and this is a huge number of potential bots and attackers. These malicious attacks are only increasing in frequency, and they’re obviously easy to find (and sell). Some of the biggest companies rely on WordPress. We need to start taking it seriously before we have huge sets of zombie sites roaming around like it’s Dawn of the Dead.

Even if you don’t run WordPress, you’re going to get attacked by WordPress sites. Even if you don’t run WordPress, you’re going to run into WordPress blogs with malicious code. Even if you don’t run WordPress, you’re going to be affected by the sheer amount of sites that do.


We can’t avoid WordPress anymore. We can’t just avoid 22% of the internet in the US. We can’t keep telling other people that WordPress is just terrible so we’re going to ignore it. WordPress security might have been a joke in 2003, but in 2015 it’s swollen in impact and size. We’re effectively kidding ourselves if we think just ignoring WordPress is going to make the problem go away, or we can somehow sidestep the issue by telling ourselves it’s impossible.

It’s Fixable

WordPress is open source, and while sometimes the IRC is insufferable, they’re really welcoming to new people contributing. I know coding for free is probably the last thing you’d like to do, but it’s good karma.

Plugin developers are clueless, but they’re not stupid. The average PHP developer probably thinks about security for all of ten seconds when they’re developing a platform.


However I’ve noticed most plugin developers are very responsive when you find a bug in their code. If you’re running plugins, audit them, and report back to the community. The plugins are community based, why can’t security reporting be? If we all chip in a little, we can make the world a better place. If I can make clueless users a little less vulnerable while helping my own sites, I can sleep a little better at night.

Let’s make WordPress Security a thing, and not just a thing to laugh at. And that’s my piece.