WordPress Rolls Out Auto Plug-In Updates: A Long-Awaited Security Feature and A Trojan Horse


Last week, developers at WordPress rolled out a long-awaited security feature: automatic plug-in updates. With 60% of the total market share for content management systems (CMS) and powering 35% of websites on the internet, WordPress is by far the most popular, and most attacked, CMS available today. WordPress is an open-source CMS that is free to use; the project also offers paid hosting packages so that anyone can create and run a website. Anyone wishing to start a blog, open an e-commerce store, or put a professional portfolio online can be up and running on WordPress in minutes.


Photo credit: isitwp.com

Being open-source and dominating the market gives rise to third-party plug-in developers who build tools and applications that integrate with the core WordPress platform. If someone wants to add a donation button, there's a plug-in for that. If a website owner wishes to track where users click on their page, there's a plug-in for that. The open nature of the platform lets third-party developers add functionality through plug-ins easily. However, like browser extensions, these plug-ins create a new attack surface for website owners. If a plug-in contains a vulnerability, an attacker can leverage it to gain full control of the website. Thus, it is always recommended to keep the WordPress core application and all plug-ins up to date with the latest security patches.


Photo Credit: WordPress.org

Until last week, WordPress plug-ins had to be updated manually, a mundane task for website owners. Many websites are set up in a "fire and forget" manner: the site is built by a hired contractor and never maintained after launch. According to reports, many of the 455 million websites powered by WordPress still run vulnerable versions of plug-ins for weeks or months after an update becomes available. As researchers and attackers alike discover vulnerabilities in WordPress core and installed plug-ins, websites that did not update become compromised and serve up crypto-mining malware, act as command and control for botnets, or even act as phishing websites. Compromising long-established sites is particularly useful to attackers hoping to bypass security controls: these websites may have earned a "trusted" reputation and do not trigger the alerts that checks on newly registered domains would.


Photo Credit: Theregister.com

WordPress version 5.5 finally gives website owners the ability to install plug-in updates automatically. The security community generally embraces automatic updates as an essential feature for maintaining the security of information systems. If the world had set Windows to auto-update, the WannaCry attack would have been severely limited in its ability to spread: Microsoft had made an update available three months earlier that closed the vulnerability exploited by WannaCry.

Hardware appliance vendors also feel this pain when attackers actively exploit edge networking devices running a vulnerable version of their code. Citrix, Palo Alto Networks, F5, Pulse Secure, and Cisco are just a few vendors that discovered vulnerabilities in their systems that provided outside attackers with unauthenticated access into the corporate network. If these devices had auto-update available and enabled, organizations could rest easier at night, knowing that any discovered vulnerabilities get patched quickly.


Photo credit: Threatpost.com

Automatic updates have tremendous security benefits because they ensure zero-day attacks have a limited shelf life. If attackers discover a new bug, it will only be useful until all of the systems auto-update and close the vulnerability, rather than leaving a long tail of systems that may take months or years to update, if ever. However, there is a flip side to that coin. Auto-update is a double-edged sword because it can also act as a trojan horse if the supply chain is compromised.


Just like browser plug-ins, WordPress plug-ins provide near limitless add-on functionality to the core platform. Also like browser plug-ins, they can be compromised to spread malware. Last year, the programming language Ruby had one of its password validation plug-ins compromised, and every developer using that component inadvertently compiled code that included password and information stealers. An attacker successfully guessed the credentials of a contributor to the Ruby project and uploaded a malicious library, which propagated to all Ruby developers who had enabled auto-updates for the now-compromised plug-in. Earlier this year, I also wrote about the compromise of a website belonging to a major health insurer due to a malicious browser plug-in.

Features like auto-update can act as a trojan horse in two ways. The first is by attacking the supply chain. An attacker will attempt to breach the developer of a plug-in that has a large install base. A compromised version of that plug-in gets uploaded to the code repository and that large install base will automatically download the now-compromised version of the plug-in. The second method is for an attacker to buy a plug-in with a large install base and save the step of phishing developer credentials. Plug-in development typically involves countless hours of development with a limited capability for monetization. Plug-in developers can sell their plug-in for a one-time payday or "rent" their plug-in's install base to a third party for a fee. 


With great power comes great responsibility. It will be up to the individual website owners to determine if the benefits of enabling auto-updates outweigh the risk of updating to a vulnerable or trojaned plug-in. For operating systems such as Windows, where there is a single vendor with a history of responsibly rolling out updates, it is evident that auto-update should be enabled. For WordPress plug-ins and browser extensions where the code comes from multiple disparate parties with differing motivations, that call becomes more challenging.
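One way a site owner can make that call per plug-in rather than all-or-nothing is with the `auto_update_plugin` filter that WordPress applies before it auto-installs each plug-in update. The must-use plug-in below is an added example, not code from the article or from WordPress; the two vetted slugs are placeholders, and it assumes the site keeps its usual PHP error log.

```php
<?php
/**
 * Plugin Name: Plug-in Auto-Update Allowlist (added example)
 * Description: Lets WordPress 5.5 auto-update only the plug-ins the site
 * owner has vetted, and logs every decision. Place this file in
 * wp-content/mu-plugins/ so it loads before ordinary plug-ins.
 */

// Assumption: plug-in slugs the owner trusts to update unattended.
// These two are placeholders; everything not listed is updated by hand.
const VETTED_AUTO_UPDATE_PLUGINS = array(
    'example-vetted-plugin-one',
    'example-vetted-plugin-two',
);

/**
 * $update is WordPress's own decision (the per-plug-in toggle in the 5.5 UI).
 * $item is the update offer: ->plugin is the main file path such as
 * "slug/slug.php", ->slug and ->new_version come from the update API.
 * Returning false blocks the automatic install; the update is still shown
 * in wp-admin for a manual, reviewed install.
 */
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $slug = ! empty( $item->slug ) ? $item->slug : dirname( $item->plugin );

    // Defense in depth: the UI toggle alone cannot enable auto-update for a
    // plug-in that has not been vetted, so a sold or hijacked plug-in with a
    // large install base does not get installed here without a human look.
    $allowed = $update && in_array( $slug, VETTED_AUTO_UPDATE_PLUGINS, true );

    // Audit trail: if a trojaned release ever lands, the log shows which
    // version was installed automatically and when.
    error_log( sprintf(
        '[plugin-auto-update] plugin=%s new_version=%s decision=%s',
        $slug,
        ! empty( $item->new_version ) ? $item->new_version : 'unknown',
        $allowed ? 'auto' : 'manual-review'
    ) );

    return $allowed;
}, 10, 2 );
```

Because the filter runs on every update check, removing a slug from the list is enough to pull a plug-in back to manual review without touching the wp-admin toggle.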

Whether or not website owners opt in to the auto-update feature, ordinary internet users should take every precaution to protect themselves against compromised WordPress sites. Using a full cloud-based proxy allows organizations to scan every byte of internet data leaving and entering the organization, whether the user is on or off the corporate network. Cloud-based security solutions are better positioned to detect and block these threats while not acting as an attack surface themselves: they are automatically updated with the latest malware detection and with fixes for any discovered vulnerabilities, so there is no long tail of vulnerable devices for attackers to exploit.

Scanning the network traffic ensures that even if a user visits a benign WordPress site that is later updated to deliver malicious code, the cloud-based proxy will detect and block the download and alert an administrator. Organizations cannot rely solely on DNS-based or destination-based blocking, since a compromised website may have been "trusted" previously and compromised only at a later date. Web traffic, including TLS-encrypted traffic, should always be scanned and never trusted on reputation alone.


Automatic updates act as a double-edged sword in the world of information security. In one instance, vulnerabilities automatically get patched and it makes the internet a safer place. In another case, attackers can abuse the auto-update mechanism to deliver malicious updates. Whether a WordPress plug-in is accidentally or intentionally weaponized, a cloud-based security solution offers the most significant opportunity to protect users from malicious plug-ins.

If you enjoyed my article, please follow me on Twitter and subscribe to my weekly newsletter at https://www.chrislouie.net/

Garrett McNamara

Sr. Product Security Response Manager | Founder of ServiceNow PSIRT

4 years

Hi Christopher, check out the Floodspark security plugin for user, theme, and plugin enumeration protection. Let me know what you think!
