WordPress

Product
Developers: WordPress Foundation
Date of the premiere of the system: June 12, 2001
Last Release Date: 2022/12/30
Technology: CMS - Content Management Systems

Content

WordPress is a platform for personal blogging and a popular content management system (CMS) worldwide.

The system offers a number of features that simplify the process of creating online publications as much as possible. The product is distributed freely under an open-source license.

Platform and Licensing

WordPress is an open-source system, available under GPL version 2.

It requires PHP (version 5.2.4 or higher) and MySQL (version 5.0.2 or higher).

History of creation

2023: BI.Zone WAF protects against vulnerability

BI.ZONE WAF rules protect against attacks that exploit vulnerability CVE-2023-6063 in the WP Fastest Cache plugin for WordPress. BI.ZONE announced this on November 22, 2023.

2022

Discovery of a Linux backdoor that hacks WordPress sites

On December 30, 2022, Dr.Web announced that it had identified malware for Linux OS that hacks sites based on the WordPress CMS by exploiting 30 vulnerabilities in a number of plugins and themes for this platform. If a site uses outdated versions of such plugins without the necessary fixes, malicious JavaScript is injected into the target web pages. After that, when a user clicks anywhere on the attacked page, they are redirected to other resources.

Cybercriminals have been attacking WordPress-based sites for years. Information security experts monitor cases where various vulnerabilities of the platform and its components are used to hack Internet resources and inject malicious scripts into them. An analysis of the detected Trojan conducted by Dr.Web specialists showed that it could be the tool with which attackers carried out such attacks for more than 3 years and earned money by reselling traffic (traffic arbitrage).

The malware, named Linux.BackDoor.WordPressExploit.1 by Dr.Web, is designed to run on devices running 32-bit Linux operating systems, but can also function on 64-bit systems. Linux.BackDoor.WordPressExploit.1 is a backdoor that attackers control remotely. On their command, it is able to perform the following actions:

  • attack a given web page (site);
  • switch to standby mode;
  • shut itself down;
  • stop logging the actions performed.

The main function of the Trojan is to hack websites based on the WordPress content management system and inject a malicious script into their web pages. To do this, it exploits known vulnerabilities in WordPress plugins and in website themes. Before the attack, the Trojan contacts the control server and receives from it the address of the web resource to be hacked. Then Linux.BackDoor.WordPressExploit.1 takes turns trying to exploit vulnerabilities in outdated versions of the following plugins and themes that may be installed on the site:

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Facebook Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232, CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid

If one or more vulnerabilities are successfully exploited, malicious JavaScript downloaded from a remote server is injected into the target page. The injection is done in such a way that when an infected page is loaded, this JavaScript runs first, regardless of what content was on the page before. From then on, when a user clicks anywhere on the infected page, they are redirected to the site the attackers have chosen.

An example of the injection on one of the hacked pages:

[Image: example of the injection on a hacked page]

The Trojan keeps statistics of its work: it tracks the total number of attacked sites, all cases of successful exploit use and, in addition, the number of successful exploits of vulnerabilities in the WordPress Ultimate FAQ plugin and in the Facebook Messenger plugin from Zotabox (Facebook is recognized as an extremist organization and banned in Russia). It also informs the remote server about all open vulnerabilities it identifies.

Together with the current modification of this Trojan, experts also revealed an updated version of it, Linux.BackDoor.WordPressExploit.2. It differs from the original in the address of the control server, the domain from which the malicious script is downloaded, and an expanded list of exploitable vulnerabilities for the following plugins:

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

At the same time, in both versions of the Trojan, unimplemented functionality was discovered for hacking the accounts of administrators of attacked websites by brute force, that is, by trying logins and passwords from existing dictionaries. It can be assumed that this function was present in earlier modifications or, conversely, is planned by the attackers for future versions of the malware. If such a capability appears in other versions of the backdoor, cybercriminals will be able to successfully attack even some of the sites that use current versions of plugins with patched vulnerabilities.

Doctor Web recommends that owners of WordPress CMS sites promptly update all platform components, including third-party plugins and themes, and use strong, unique logins and passwords for accounts.

GoTrim botnet brute-forces passwords of WordPress site administrators

Fortinet FortiGuard Labs researchers discovered a malicious campaign in which a Golang-based botnet hacks WordPress sites to then seize control of target systems. This became known on December 15, 2022.

This brute-force method is part of a campaign that analysts called GoTrim because it was written in Go and uses the string "::: trim:::" to separate data transmitted to and from a C&C server.

The GoTrim campaign has been tracked since September 2022 and uses a botnet to carry out DDoS attacks while attempting to log in to the target web server. After a successful break-in, the operator installs a PHP loader script on the compromised host, which deploys a "bot client" from a hard-coded URL, adding the machine to the botnet.

GoTrim Attack Chain

GoTrim is not capable of self-propagating, delivering other malware, or maintaining persistence on an infected system. The main functions of GoTrim are:

  • receiving further commands from the C&C server;
  • brute-force attacks on WordPress and OpenCart using a provided set of credentials;
  • operation in server mode, where the malware starts a server to listen for incoming requests sent by the attacker (only if the compromised system is directly connected to the Internet);
  • simulating legitimate requests from the Mozilla Firefox browser on 64-bit Windows to bypass anti-bot protection;
  • bypassing CAPTCHA protection on WordPress sites.

"While this malware is still under development, having a fully functional WordPress brute-force tool combined with its bot evasion techniques makes it very dangerous," the researchers say.

Brute force attacks can compromise the server and deploy malware. To reduce this risk, website administrators should make sure that user accounts (especially administrator accounts) use strong passwords[1].

Millions of WordPress sites could be taken over by one plugin

Security researchers have discovered a massive campaign that probed about 1.6 million WordPress sites for a vulnerable plugin that allows files to be uploaded without authentication. This became known on July 15, 2022.

The attackers target the Kaswara Modern WPBakery Page Builder plugin, which was abandoned by its author before the critical CVE-2021-24284 vulnerability was fixed. The vulnerability allows an unauthorized cybercriminal to inject malicious JavaScript code into sites using any version of the plugin, and download and delete files, which could lead to a complete seizure of the site.

1,599,852 unique sites were targeted; only a small part of them use the vulnerable plugin. According to the Wordfence Threat Intelligence Team report, attacks have been ongoing since July 4, with an average of 443,868 attack attempts every day. Attacks are carried out from 10,215 different IP addresses, with some generating millions of requests and others far fewer.

Attackers send a POST request to wp-admin/admin-ajax.php, trying to use the plugin's "uploadFontIcon" AJAX action to upload a malicious payload containing a PHP file. This file invokes the NDSW Trojan, which injects code into JavaScript files present on target sites to redirect visitors to phishing and malware sites.

Users should remove the Kaswara Modern WPBakery Page Builder Addons plugin from their WordPress sites. If the plugin is not used, users are still advised to block the IP addresses of attackers[2].
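As an added example, not part of the original article or of the Fortinet and Wordfence reports it summarizes, the following Python script shows how a site operator might spot both patterns from the two campaigns above in web-server access logs: bursts of POST requests to wp-login.php from a single client (the shape of a credential brute-force such as GoTrim) and POST requests to wp-admin/admin-ajax.php carrying the uploadFontIcon action used against the Kaswara plugin. The log lines, client addresses and thresholds are constructed for illustration.

```python
"""Scan Combined Log Format access logs for WordPress login brute-force bursts
and for Kaswara-style uploadFontIcon requests. Added example; sample data is
constructed and the detection thresholds are assumptions, not vendor rules."""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, sec, method, path, status):
    """Build one constructed log line at 10:00:<sec> on a fixed date."""
    return (f'{ip} - - [15/Jul/2022:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')


# Constructed sample: one client hammering wp-login.php (25 POSTs in 25 s),
# one ordinary visitor, one client hitting the Kaswara AJAX action, one junk line.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.10", s, "POST", "/wp-login.php", 200) for s in range(25)]
    + [_line("198.51.100.7", 30, "GET", "/index.php", 200),
       _line("198.51.100.7", 35, "POST", "/wp-login.php", 302),
       _line("192.0.2.55", 40, "POST",
             "/wp-admin/admin-ajax.php?action=uploadFontIcon", 200),
       "garbage line that does not parse"]
)


def parse_log(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def find_login_bursts(entries, threshold=20, window_seconds=60):
    """Return {ip: max POSTs to wp-login.php within any window} for clients
    whose peak reaches the threshold (assumed values, tune per site)."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?")[0].endswith("/wp-login.php"):
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, left = 0, 0
        for right in range(len(stamps)):          # sliding window over sorted times
            while (stamps[right] - stamps[left]).total_seconds() > window_seconds:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def find_kaswara_upload_attempts(entries):
    """Return (ip, iso timestamp) for POSTs to admin-ajax.php whose query string
    names the uploadFontIcon action. If the action travels only in the POST body,
    the access log will not show it; body-aware WAF logs are needed instead."""
    hits = []
    for e in entries:
        path, _, query = e["path"].partition("?")
        if (e["method"] == "POST" and path.endswith("/wp-admin/admin-ajax.php")
                and "action=uploadFontIcon" in query):
            hits.append((e["ip"], e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("login bursts:", find_login_bursts(parsed))
    print("uploadFontIcon attempts:", find_kaswara_upload_attempts(parsed))
```

Both detections are deliberately conservative: the burst rule counts only POSTs to the login endpoint, so a visitor who mistypes a password a few times is never flagged, and the admin-ajax rule matches only the exact action name. In practice the flagged addresses would feed a firewall or fail2ban-style blocklist rather than be acted on by hand.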

Detection of more than 47,000 malicious plugins with the Yoda tool

The YODA tool has detected more than 47,000 malicious Wordpress plugins. This became known on June 2, 2022.

Malicious plugins have been installed on more than 24,000 sites.

Of the total number of malicious plugins, 3,685 were sold on trusted marketplaces and brought attackers US$41,500. The tool is designed to detect malicious WordPress plugins and trace their origin. It does this by analyzing plugin code files on the server side together with the associated metadata to identify plugins. Once a plugin is identified, syntactic and semantic analysis is run to detect malicious behavior.

YODA helped a team of researchers at Georgia Tech obtain the results of the study, which was conducted over 8 years.

"Attackers spread malware by posing as authors of useful and secure plugins," the researchers say in their work.

The number of malicious plugins on websites has grown steadily over the years, with malicious activity peaking in March 2020, the researchers said. They were shocked that 94% of the malicious plugins installed over the 8 years were still active as of June 2022.

The large-scale study analyzed WordPress plugins installed on 410,122 unique web servers starting in 2012. The researchers found that plugins worth a total of $834,000 were infected by attackers after deployment.

YODA can be integrated directly into a site or a hosting provider's web server, or deployed on a plugin marketplace. The tool's semantic model can detect web shells, password-protected execution of embedded code, code obfuscation, loaders, malicious SEO and cryptocurrency miners.

"Using our tool, site owners and hosting providers can detect malicious plugins on the web server, and plugin developers and marketplaces can check their plugins before selling," the researchers noted[3][4].

Fix a vulnerability that allows a remote attacker to execute arbitrary code on servers

On May 18, 2022, it became known that tens of thousands of WordPress sites were attacked by attackers.

Hackers have carried out millions of attacks exploiting a vulnerability in the Tatsu Builder WordPress plugin, which is installed on about 100,000 sites. Tatsu Builder is a plugin that offers powerful template editing tools integrated right in the web browser. Experts estimate that up to 50,000 sites are still using a vulnerable version of the plugin, although a patch has been available since early April. The first massive attacks began on May 10, 2022 and peaked four days later.

The CVE-2021-25094 vulnerability allows a remote attacker to execute arbitrary code on servers with an outdated version of the plugin (all builds up to 3.3.12 are considered outdated). The vulnerability was discovered by independent researcher Michel Vincent, who publicly announced it on March 28, 2022 and published proof-of-concept exploit code. The plugin developer fixed the vulnerability in version 3.3.13 and on April 7, 2022 urged users to apply the security patch as soon as possible.

Wordfence offers security solutions for WordPress plugins and monitors ongoing attacks. Researchers estimate between 20,000 and 50,000 sites are using a vulnerable version of Tatsu Builder. Wordfence says it stopped 5.9 million attacks on its customers on May 14, 2022. A couple of days later, the number of attacks decreased, but hackers even on May 18 continue to exploit the vulnerability.

The attack proceeds as follows: attackers try to place a malicious dropper named .sp3ctra_XO.php (MD5 hash 3708363c5b7bf582f8477b1c82c8cbf8) in a subfolder of the wp-content/uploads/typehub/custom/ directory and make it a hidden file.

Wordfence reports that more than a million attacks were carried out from three IP addresses: 148.251.183[.]254, 176.9.117[.]218 and 217.160.145[.]62. Experts recommend that plugin users blacklist these IP addresses and update Tatsu Builder to version 3.3.13 to avoid the risk[5].
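The dropper described above lands in the uploads tree as a hidden PHP file, and an uploads directory should never contain executable PHP at all. The following Python scanner, added here as an example and not taken from Wordfence or the plugin author, walks a wp-content/uploads directory and flags any PHP-like file, any hidden (dot-prefixed) file, and any file whose MD5 matches a known indicator; the only indicator included is the hash quoted on this page, and the sample directory tree it builds is constructed with harmless stand-in contents.

```python
"""Scan a WordPress uploads directory for dropper-style files. Added example;
the hash set holds the MD5 quoted in the Wordfence report above, the sample
tree is constructed here and does not contain the real dropper."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator of compromise taken from the report quoted on this page.
KNOWN_DROPPER_MD5 = {"3708363c5b7bf582f8477b1c82c8cbf8"}
# Extensions PHP handlers commonly execute; uploads should contain none of them.
PHP_SUFFIXES = {".php", ".php5", ".php7", ".phtml", ".phar"}


def md5_of(path):
    """Stream a file through MD5 (used only for IoC matching, not integrity)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_uploads(uploads_root, ioc_hashes=KNOWN_DROPPER_MD5):
    """Return sorted (relative_path, [reasons]) for every suspicious file.
    os.walk is used so dot-prefixed (hidden) files are never skipped."""
    root = Path(uploads_root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reasons = []
            if path.suffix.lower() in PHP_SUFFIXES:
                reasons.append("php-file-in-uploads")
            if name.startswith("."):
                reasons.append("hidden-file")
            if md5_of(path) in ioc_hashes:
                reasons.append("known-dropper-hash")
            if reasons:
                findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed uploads tree in a temp dir: a benign image, a
    PHP file with a non-.php extension, and a hidden stand-in for the dropper."""
    base = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    custom = base / "typehub" / "custom" / "fonts1"
    custom.mkdir(parents=True)
    (custom / ".sp3ctra_XO.php").write_text(
        "<?php /* constructed stand-in, not the real dropper */ ?>")
    media = base / "2022" / "05"
    media.mkdir(parents=True)
    (media / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")
    (media / "shell.phtml").write_text("<?php echo 'constructed'; ?>")
    return str(base)


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, why in scan_uploads(root):
        print(f"{rel}: {', '.join(why)}")
```

The hash match is the weakest of the three rules, since any change to the dropper defeats it; the structural rules (PHP in uploads, hidden files) are what catch the next variant. Pairing this scan with a web-server rule that refuses to execute PHP under wp-content/uploads removes the class of problem rather than one sample.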

2021: 1.6 million WordPress-based websites attacked

On December 10, 2021, the developers of the WordPress security plugin, Wordfence, announced a long-running attack targeting WordPress-based websites using certain add-on utilities. The developers said that in 36 hours 1.6 million WordPress websites were attacked from 16 thousand different IP addresses.

WordPress security company Wordfence, which revealed details of the attacks, said on November 9 that it had detected and blocked more than 13.7 million attacks within 36 hours targeting plugins and themes in order to hijack websites and carry out malicious activity.

1.6 million WordPress-based websites attacked

The affected plugins are Kiwi Social Share (<= 2.0.10), WordPress Automatic (<= 3.53.2), Pinterest Automatic (<= 4.14.3) and PublishPress Capabilities (<= 2.3). The attack also affected themes based on the Epsilon Framework, in the following versions:

  • Activello (<=1.4.1);
  • Affluent (<1.1.0);
  • Allegiant (<=1.2.5);
  • Antreas (<=1.0.6);
  • Bonkers (<=1.0.5);
  • Brilliance (<=1.2.9);
  • Illdy (<=2.1.6);
  • MedZone Lite (<=1.2.5);
  • NatureMag Lite (no known patch available);
  • NewsMag (<=2.4.1);
  • Newspaper X (<=1.3.1);
  • Pixova Lite (<=2.0.6);
  • Regina Lite (<=2.0.5);
  • Shapely (<=1.2.8);
  • Transcend (<=1.1.9).

Most of the attacks seen by Wordfence involve the attacker updating the "users_can_register" setting (i.e., anyone can register) to be enabled and setting the "default_role" setting (i.e., the default role for users who log into the blog) to an administrator, thereby allowing the attacker to register on vulnerable sites as a privileged user and seize control.

The number of intrusions increased sharply only after December 8, indicating that "a recently fixed vulnerability in PublishPress Capabilities may have prompted attackers to attack various arbitrary parameter update vulnerabilities as part of a massive campaign," said Chloe Chamberland of Wordfence.

Site owners should check the settings on their website to see if the site has been attacked. If the "Anyone Can Register" parameter is activated and the new user role is set to "Administrator," they should change these settings and immediately check the list of users, as well as update the plugins.[6]
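The check recommended above can be scripted. The following Python example is added here and is not part of the original article or of Wordfence's tooling; it assumes the site's wp_options values and wp_users/wp_usermeta rows have already been exported (for instance with WP-CLI or a database query) and shows how to flag the two tampered settings and any administrator account that is not on the owner's known list. The option values, user rows and account names are constructed.

```python
"""Audit exported WordPress settings and users for the takeover pattern above:
users_can_register enabled, default_role set to administrator, and unexpected
administrator accounts. Added example with constructed sample data."""
import re

# WordPress stores roles in usermeta (wp_capabilities) as a PHP-serialized array
# such as a:1:{s:13:"administrator";b:1;}. Enabled roles are the keys with b:1.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def extract_roles(wp_capabilities):
    """Return the set of enabled role names from a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(wp_capabilities or ""))


def audit_options(options):
    """Flag the two option values the campaign tampers with. `options` maps
    option_name to option_value as stored in wp_options."""
    findings = []
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("users_can_register is enabled ('Anyone can register')")
    if options.get("default_role") == "administrator":
        findings.append("default_role is administrator")
    return findings


def unexpected_admins(user_rows, known_admins):
    """Return logins holding the administrator role that are not in known_admins.
    Each row carries user_login, user_registered and the wp_capabilities value."""
    return sorted(
        row["user_login"]
        for row in user_rows
        if "administrator" in extract_roles(row["wp_capabilities"])
        and row["user_login"] not in known_admins
    )


def audit_site(options, user_rows, known_admins):
    """Combine both checks into one report dict."""
    return {
        "option_findings": audit_options(options),
        "unexpected_admins": unexpected_admins(user_rows, known_admins),
    }


# Constructed sample data: a site after the tampering described above.
OPTIONS_TAMPERED = {"users_can_register": "1", "default_role": "administrator"}
OPTIONS_HEALTHY = {"users_can_register": "0", "default_role": "subscriber"}
USER_ROWS = [
    {"user_login": "alice", "user_registered": "2019-03-01 09:00:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "bob", "user_registered": "2020-06-12 14:30:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"user_login": "wpadmin_7f2", "user_registered": "2021-12-09 03:14:07",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]
KNOWN_ADMINS = {"alice"}

if __name__ == "__main__":
    report = audit_site(OPTIONS_TAMPERED, USER_ROWS, KNOWN_ADMINS)
    for line in report["option_findings"]:
        print("option:", line)
    for login in report["unexpected_admins"]:
        print("unexpected administrator:", login)
```

Run against a real export, a non-empty report means the settings should be reverted, the unexpected accounts removed, and the vulnerable plugins updated, in that order, since leaving registration open re-creates the problem. The serialized-role regex is deliberately narrow: it only recognizes roles explicitly enabled (b:1), so a role set to false is not reported.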

2018

WordPress accounted for 90% of CMS hacks

In March 2019, information security research company Sucuri ranked the most hacked content management systems (CMS). About 90% of the hacked CMS sites in 2018 ran WordPress, against 83% the year before. The share of hacks of other CMSs is shown in the diagram below.

A third of sites use WordPress

The Austrian company W3Techs, which researches the Internet, has compiled a report on content management systems (CMS). It turned out that almost every third site in the world is built on WordPress.

W3Techs used specialized software to analyze more than 10 million of the largest sites on the Internet (according to the Alexa rating; only second-level domains are counted in the statistics). During the analysis, subdomains were counted as one site, and forwarded domains were excluded.

Almost one in three sites use WordPress, data W3Techs

Approximately 30% of the sites studied use WordPress. In 2015, this figure was measured at 25%, and in 2011 - 13%. Thus, in seven years, the share of the platform has more than doubled.

If we take only web resources created and managed using any CMS, then the share of WordPress in 2018 exceeded 60%. More than half of the sites do not use any CMS and are created from scratch.

Besides WordPress, the top three most popular CMS platforms across all 10 million sites included Joomla (3.1%) and Drupal (2.2%). Next are Magento (1.2%) and Shopify (1%). The shares of other systems do not reach 1%.

The W3Techs study also says that most of the surveyed web servers run Apache httpd (47.1%), followed by Nginx (37.3%) and Microsoft IIS (10.2%). At the same time, 67% of sites are served by Unix-like OSs and 33% run on Windows. Social network widgets are installed on 21.9% of sites: a Facebook block on 10.9% of sites, Twitter on 9.1% and Google +1 on 5.9%.

As of March 7, 2018, the most current version of WordPress is 4.9.4, which was released in February, the day after update 4.9.3, in which the developers broke the automatic update mechanism that allows the CMS to update itself without user input.[7]

2017: Infographic on the use of the product in the world

In March 2017, some facts were presented about the use of Wordpress in the world.

2015: WordPress quits PHP

On November 24, 2015, it became known about the modernization of the dashboard of the WordPress blog platform. The release was called Calypso[8].

WordPress Ads (2015)

Among the changes in the release:

  • the code is completely rewritten from PHP to JavaScript using Node.js and React libraries
  • platform foundation entirely on open APIs
  • adaptive design for all devices and screen sizes
  • control panel for several sites from one administration section at once

The creators promised to increase the speed of work and simplify the interface.

Development began in early 2014. The development team's management explained the changes by the gradual aging of the platform and the fact that some of WordPress's strengths simultaneously hold the platform back.

The WordPress.com blog hosting service has been relaunched and is based on Calypso. Users running WordPress on their own hosting can switch to Calypso using a special plugin.

2014

According to official figures, in February 2014 WordPress was used on approximately 75 million websites, with a market share of about 22%. In April 2014, it was reported that Automattic, the platform's development company, planned to raise $100-150 million in investment.

WordPress 4.0 Beta 1

On July 18, 2014, it became known that the WordPress blog platform is orienting itself toward the growing number of mobile users: developers are adapting it to conditions where the number of bloggers and readers opening the service from tablets and phones, rather than desktop computers, keeps growing.

According to testing conducted by Testize, WordPress 4.0 Beta 1 performed better when displaying information on mobile devices than on the main browsers of stationary computers.

  • All devices download information without failures or missing items;
  • The content is aligned with the width of the device without horizontal scrolling;
  • The page width is automatically adapted to the resolution of the device screen, and the left quick navigation menu moves to the bottom of the page on devices with a small resolution.

According to the researchers, the new version of the WordPress 4.0 blog platform is a promising novelty, adapted for use from mobile devices even better than from desktop computers. There are minor flaws: small controls and no optimized quick navigation menu.

Hackers hacked more than 100,000 websites on Wordpress

Over 100 thousand sites on the WordPress platform were infected by a virus in 2014, Sucuri reports. According to preliminary data from experts, the virus spread thanks to a vulnerability in a popular WordPress plugin called Slider Revolution[9].

Experts performed the analysis after Google placed over 11 thousand domains on the black list. When you try to access such a site in Google search results, the user sees a warning that this resource may harm his computer.

The fact that Slider Revolution Premium contains a critical vulnerability (in 4.1.4 and older versions), experts reported in early September. The flaw was fixed in version 4.2, released in February 2014. But administrators of many sites on Wordpress did not complete the update.

The vulnerability allows access to the WordPress configuration file located at the root of the site, wp-config.php. This file contains the site's database settings, including the database name and password. The database holds all content on the website, including authentication information, so with access to it an attacker can gain control over the entire resource.

"The biggest problem is that this plugin, which contains a vulnerability, is part of many themes. Theme stores paid for this plugin themselves and now offer it to users, whether they need it or not. That is, many of them may not even know about its presence," said Sucuri analyst Daniel Cid.

2003: Matt Mullenweg gets WordPress trademark rights

In 2003, Valdrighi ceased development; Matt Mullenweg became the author of WordPress and owns the rights to the WordPress trademark.

2001: Michel Valdrighi sets about developing the b2 engine

In 2001, Michel Valdrighi began developing the b2 engine. Matt Mullenweg and Mike Little later joined the project.

Main functions

Management and Administration

Local installation

WordPress is designed to be installed on a Web server that provides control over the blog. You can also install the system on a regular home computer or deploy it on the Intranet.

Portable base

The tree of linked WordPress files that form the blog's back-end environment can be customized, and these files can be located in the same directory as the blog or elsewhere.


Compatibility with UTC

WordPress allows you to define the blog's time as an offset from Coordinated Universal Time (UTC), so all time-related elements are stored in the database as GMT values, which is a universal standard.


gzip support

The user can save traffic by turning on gzip mode in the WordPress settings, while the system automatically packages the contents of pages for sending using gzip if the browser of the site visitor supports this function.


User Management

WordPress controls access to various features at the user level, so each user can be limited in creating or editing blog content by changing their access level.


User profiles

A profile setting is available for each user: email address, instant messengers, etc. Users can control the display of this data in the blog.


Dynamic Page Generation

Pages do not need to be rebuilt every time you update information or change any aspect of the blog. All pages are generated using a database and templates each time a blog page is requested by the browser. This means that updating the blog or its design is as fast as possible, and the required disk space on the server is minimal.

Internationalization and localization

Users can create a blog localized to their needs and displayed in the required languages.

Links

The official website of the project. In Russia, there is a community that supports and develops a localized version of the product.

Notes