WordPress dominates the internet landscape, powering 43.5% of all websites – approximately 478 million sites worldwide. Its popularity stems from several key factors: a user-friendly interface, regular updates and improvements, extensive functionality, versatility, and the fact that it is open source. However, with such widespread use, a critical question arises: how secure is it?
At its core, WordPress is recognised as being secure. A dedicated security team maintains and updates the core software, with regular patches addressing vulnerabilities. The open-source community also contributes significantly to identifying and resolving security issues.
Yet WordPress's greatest strength – its adaptability through plugins, themes, and add-ons – ironically introduces its most significant security challenge. Every plugin or theme is third-party PHP that runs with the same privileges as WordPress itself, so the very features that make WordPress so powerful also expand its attack surface.
CVE-2024-28000, an unauthenticated privilege escalation vulnerability in LiteSpeed Cache, one of the most popular and widely used plugins, is estimated to affect over 5 million sites, leaving them exposed to site takeover.
The vulnerability allows an unauthenticated attacker to gain administrator-level access, which amounts to a complete takeover of the website. From there an attacker can install malicious plugins, redirect traffic, or distribute malware to unsuspecting legitimate visitors.
According to WordPress security firm Wordfence, the vulnerability is being actively exploited, and at the time of writing only about 30% of the plugin's users were reported to be running a safe version of LiteSpeed Cache.
Proof-of-concept exploit scripts for CVE-2024-28000 are already publicly available on GitHub, which lowers the bar for attackers considerably.
All versions of the plugin up to and including 6.3.0.1 are vulnerable; updating to version 6.4.1 as soon as possible is strongly recommended. Alternatively, remove the plugin from the WordPress installation altogether so that the vulnerable code is no longer present.
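As an added example (not code from the original post and not part of the LiteSpeed project), the following Python script checks an installed copy of the plugin against the affected range stated above: anything at or below 6.3.0.1 is flagged, anything later is treated as patched. It assumes the plugin's main file sits at the standard wp-content/plugins/litespeed-cache/litespeed-cache.php path under the WordPress document root and reads the standard WordPress `Version:` plugin header; the two sample header blocks are constructed for the offline demo. The comparison is numeric per component rather than a string compare, because "6.3.0.1" vs "6.4.1" and "6.10" vs "6.9" are exactly the cases where string comparison gives the wrong answer.

```python
"""Offline check: is a LiteSpeed Cache install inside the CVE-2024-28000 range?"""
import re
import sys
from pathlib import Path
from typing import Optional

# Range from the advisory: every release up to and including 6.3.0.1 is affected;
# 6.4.1 is the release to move to.
LAST_VULNERABLE = "6.3.0.1"
RECOMMENDED = "6.4.1"

# Assumed default path of the plugin's main file, relative to the WordPress docroot.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/litespeed-cache/litespeed-cache.php")

# WordPress reads plugin metadata from a "Key: value" comment block at the top of the
# main file; the version line looks like " * Version:           6.4.1".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)


def parse_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header block, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Order versions numerically, not lexically: "6.10" > "6.9" and "6.3.0.1" < "6.4".
    Trailing zero components are dropped so "6.4.0" and "6.4" compare equal."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)  # "1-beta" -> 1, anything non-numeric -> 0
        parts.append(int(digits.group(0)) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for every version at or below 6.3.0.1."""
    return version_key(version) <= version_key(LAST_VULNERABLE)


def assess(header_text: str) -> str:
    """Classify a header block as 'vulnerable', 'patched' or 'unknown' (no Version: line)."""
    version = parse_version(header_text)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


# Constructed sample headers (not copied from the plugin) used for the offline demo.
SAMPLE_VULNERABLE = """<?php
/**
 * Plugin Name:       LiteSpeed Cache
 * Version:           6.3.0.1
 */
"""
SAMPLE_PATCHED = SAMPLE_VULNERABLE.replace("6.3.0.1", RECOMMENDED)


def main(argv: list) -> int:
    """Read the plugin's main file (path from argv, else the assumed default) and report.
    Exit status 0 = patched, 1 = vulnerable or unknown, 2 = file not readable."""
    path = Path(argv[1]) if len(argv) > 1 else PLUGIN_MAIN_FILE
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError as exc:
        print(f"cannot read {path}: {exc}", file=sys.stderr)
        return 2
    verdict = assess(text)
    print(f"{path}: version {parse_version(text) or '?'} -> {verdict}")
    return 0 if verdict == "patched" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the WordPress document root (or pass the path to litespeed-cache.php as the first argument); a non-zero exit status means the site still needs attention, which makes it easy to drop into a fleet-wide audit loop. On a live install the actual fix is simply `wp plugin update litespeed-cache` or the dashboard updater; this script is for reviewing backups or hosts where you cannot run WP-CLI.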
Maintaining a secure WordPress site means keeping its attack surface as small as possible. If you run WordPress, take the following proactive steps to reduce the risk of compromise:
- Avoid nulled (pirated) or otherwise untrusted plugins and themes; they are a common vehicle for backdoors.
- Only install plugins that you actually need – every plugin is additional code running with the site's privileges, and therefore an additional attack vector.
- Consider using a security plugin such as Wordfence Security.
- Keep WordPress core, themes and plugins updated, and remove anything that is no longer maintained.
- Use strong, unique passwords for all accounts, especially administrator accounts.
- Ensure you are using a reputable, security-conscious hosting provider.
Further reading: