WordPress Plugin Security Uncovered
How to Limit Security Risks From WordPress Plugins in 2020
WordPress is the most commonly used CMS for small business websites.
Protecting a customer's website starts with finding the vulnerabilities in the plugins it runs. Using a WordPress source-code scanner, the source of about 20,000 plugins was examined, and the findings below come from that review.
Here are some of the things that we have learned after examining the results:
sanitize_text_field() alone is not secure
Developers who found XSS vulnerabilities in their WordPress plugins often tried to block them by passing the input through sanitize_text_field(). In WordPress, that function:
removes extra whitespace, line breaks and tabs;
strips all HTML tags;
checks for invalid UTF-8.
What it does not do is escape quotes. A value that survives sanitize_text_field() and is later placed inside an HTML attribute can therefore still break out of that attribute.
Take one plugin as an example. Probing an input field with the simple payload "> produced a saved value of /"> that broke the layout slightly, but no JavaScript executed. It is tempting to conclude at this point that nothing bad can happen.
Since the payload escapes the value attribute, it can also set another one. The payload abc" onfocus=confirm(1) autofocus="yes adds an onfocus attribute whose value is JavaScript, and the accompanying autofocus attribute fires it with no user interaction.
The plugin in question has over 20,000 active installations, and exploiting the flaw requires an account with the Editor role.
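To make the point concrete, here is an added example (written for this article, not code from the plugin discussed above) of the pattern that produces this bug and of its fix. It assumes it runs inside WordPress as a small plugin; the option name, settings page slug, field name and nonce action are made up for illustration. The input is sanitized with sanitize_text_field() exactly as described, and the two render functions differ only in whether the stored value is escaped for the attribute context with esc_attr() on output. WordPress adds slashes to request data, so wp_unslash() is applied before sanitizing.

```php
<?php
/**
 * Plugin Name: Greeting Field Demo
 *
 * Added example for this article, not code from the plugin discussed above.
 * Shows why sanitize_text_field() on input is not enough when the value is
 * later placed inside an HTML attribute. All names below (option, page slug,
 * field name, nonce action) are made up for this illustration.
 */

// Settings page with a single text field; only users with manage_options see it.
add_action( 'admin_menu', function () {
    add_options_page( 'Greeting Demo', 'Greeting Demo', 'manage_options', 'greeting-demo', 'greeting_demo_render_page' );
} );

function greeting_demo_render_page() {
    ?>
    <div class="wrap">
        <h1>Greeting Demo</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="greeting_demo_save">
            <?php wp_nonce_field( 'greeting_demo_save' ); ?>
            <?php echo greeting_demo_field_hardened(); ?>
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}

// Save handler: capability check, nonce check, then sanitize on the way in.
add_action( 'admin_post_greeting_demo_save', 'greeting_demo_save' );
function greeting_demo_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.' );
    }
    check_admin_referer( 'greeting_demo_save' ); // Dies on a missing or invalid nonce.

    // WordPress slashes request data; remove the slashes before sanitizing.
    $raw = isset( $_POST['greeting'] ) ? wp_unslash( $_POST['greeting'] ) : '';

    // sanitize_text_field() strips tags, line breaks, tabs and invalid UTF-8,
    // but leaves double quotes alone. The payload from the article,
    //   abc" onfocus=confirm(1) autofocus="yes
    // survives this call unchanged and is stored as-is.
    update_option( 'greeting_demo_text', sanitize_text_field( $raw ) );

    wp_safe_redirect( admin_url( 'options-general.php?page=greeting-demo' ) );
    exit;
}

// VULNERABLE output: trusts the stored value because it was "sanitized".
// With the payload above the browser receives
//   <input type="text" name="greeting" value="abc" onfocus=confirm(1) autofocus="yes">
// and runs confirm(1) without any click.
function greeting_demo_field_vulnerable() {
    $text = get_option( 'greeting_demo_text', '' );
    return '<input type="text" name="greeting" value="' . $text . '">';
}

// HARDENED output: escape for the attribute context at the point of output.
// The same stored value is rendered as
//   value="abc&quot; onfocus=confirm(1) autofocus=&quot;yes"
// which is an inert string inside the attribute.
function greeting_demo_field_hardened() {
    $text = get_option( 'greeting_demo_text', '' );
    return '<input type="text" name="greeting" value="' . esc_attr( $text ) . '">';
}
```

Sanitizing on input and escaping on output are separate steps with separate jobs: sanitize_text_field() decides what gets stored, while esc_attr() (or esc_html(), esc_url(), esc_js(), depending on where the value lands) decides how it is rendered. Escaping late, at the point of output and for the right context, is what closes the attribute-injection hole; the stored value itself can stay exactly as the user entered it.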
How to Limit the Risk From Plugins?
Plugins make a site more capable, but every plugin you install also widens the attack surface. So how do you limit that risk?
According to the research, vulnerable plugins are the most common way attackers get into WordPress sites, so being deliberate about which plugins you run and how you maintain them is the step that keeps the site safe.
Here is a list of things to take care of before and after installing plugins:
1. Use as Few Plugins as Possible
Every plugin you install widens the attack surface, and each one means relying on yet another developer to keep their code secure.
2. Only Download Plugins from Reputable Sites
Download plugins only from reputable sources such as the WordPress.org directory, which is run by a team that reviews submissions with users' safety in mind.
If you must install a plugin from some other site, check at least the following:
the name of the company in the footer;
the terms of service, which should include a contact address.
3. Choose Reputable Plugins
Beyond where you download from, judge the plugin itself. The WordPress.org directory shows a full summary of each plugin; look at:
whether the plugin is at its latest version and when it was last updated;
the number of active installations;
the "Tested up to" value, which is the WordPress version the author last tested the plugin against; it should match or be close to the version your site runs;
the ratings and reviews, which give you a sense of how others have fared with it.
After installing a plugin, review it periodically to confirm it is still maintained and still behaving as expected.
4. Delete Plugins Immediately When You Stop Using Them
When you have not used a plugin for some time, delete it rather than just deactivating it: an inactive plugin's files remain on the server and may still be requested directly. The fewer plugins your site carries, the less there is to attack.
5. Keep Your Plugins Up To Date
Security vulnerabilities are regularly found in plugins, and in many cases the details become public once a fix is released. Attackers look for sites still running the vulnerable version, so apply plugin updates promptly to keep that window as short as possible.
Some plugins, such as Wordfence, can update themselves; for those you do not have to apply updates by hand. Since WordPress 5.5 you can also enable automatic updates for individual plugins from the Plugins screen.
6. Replace Abandoned and Removed Plugins
Plugin authors lose interest in projects just like anyone else. According to the research, almost 46% of plugins have not been updated in the past two years.
Does that mean every stale plugin is vulnerable? No. But when a flaw is found in an abandoned plugin there is nobody left to fix it, so avoid installing plugins that are no longer being updated.
Be equally cautious with plugins that are no longer listed on WordPress.org. Plugins are removed from the directory for several reasons, one of the main ones being security vulnerabilities that were never fixed, and the directory's policy is not to disclose the reason for a removal. Treat removal as a warning and replace any plugin that is no longer in the WordPress.org directory.
User Roles and Capabilities
A user on a WordPress site is assigned a role, and each role carries a set of capabilities. The role says which group a user belongs to, for example Administrator, Editor or Author, and the capabilities say what members of that group may do.
A capability is a specific permission. Administrators have manage_options, which lets them change and save site options; Editors do not, so they cannot change site settings.
WordPress checks capabilities at many points, and plugins can add capabilities to roles or remove them. In plugin code the check is current_user_can().
Some examples:
No restriction
The example below adds a link on the front end for deleting posts. Because the code does not check user capabilities, it lets any site visitor delete posts!
/**
 * Generate a Delete link based on the homepage url.
 *
 * @param string $content Existing content.
 *
 * @return string
 */
function wporg_generate_delete_link( $content ) {
    // Run only for single post page.
    if ( is_single() && in_the_loop() && is_main_query() ) {
        // Add query arguments: action, post.
        $url = add_query_arg(
            [
                'action' => 'wporg_frontend_delete',
                'post'   => get_the_ID(),
            ],
            home_url()
        );
        return $content . ' <a href="' . esc_url( $url ) . '">' . esc_html__( 'Delete Post', 'wporg' ) . '</a>';
    }
    // Leave the content untouched everywhere else.
    return $content;
}

/**
 * Request handler
 */
function wporg_delete_post() {
    if ( isset( $_GET['action'] ) && 'wporg_frontend_delete' === $_GET['action'] ) {
        // Verify we have a post id.
        $post_id = ( isset( $_GET['post'] ) ) ? ( $_GET['post'] ) : ( null );

        // Verify there is a post with such a number.
        $post = get_post( (int) $post_id );
        if ( empty( $post ) ) {
            return;
        }

        // Delete the post.
        wp_trash_post( $post_id );

        // Redirect to admin page.
        $redirect = admin_url( 'edit.php' );
        wp_safe_redirect( $redirect );

        // We are done.
        die;
    }
}

/**
 * Add the delete link to the end of the post content.
 */
add_filter( 'the_content', 'wporg_generate_delete_link' );

/**
 * Register our request handler with the init hook.
 */
add_action( 'init', 'wporg_delete_post' );
Restricted to a specific capability
The code above lets any visitor follow the link, click "Delete" and move the post to the trash. Suppose the site owner wants only Editors to be able to delete posts.
To do that, the plugin checks a capability before registering the functionality. Editors have the edit_others_posts capability, so that is what current_user_can() tests here:
/**
 * Generate a Delete link based on the homepage url.
 *
 * @param string $content Existing content.
 *
 * @return string
 */
function wporg_generate_delete_link( $content ) {
    // Run only for single post page.
    if ( is_single() && in_the_loop() && is_main_query() ) {
        // Add query arguments: action, post.
        $url = add_query_arg(
            [
                'action' => 'wporg_frontend_delete',
                'post'   => get_the_ID(),
            ],
            home_url()
        );
        return $content . ' <a href="' . esc_url( $url ) . '">' . esc_html__( 'Delete Post', 'wporg' ) . '</a>';
    }
    // Leave the content untouched everywhere else.
    return $content;
}

/**
 * Request handler
 */
function wporg_delete_post() {
    if ( isset( $_GET['action'] ) && 'wporg_frontend_delete' === $_GET['action'] ) {
        // Verify we have a post id.
        $post_id = ( isset( $_GET['post'] ) ) ? ( $_GET['post'] ) : ( null );

        // Verify there is a post with such a number.
        $post = get_post( (int) $post_id );
        if ( empty( $post ) ) {
            return;
        }

        // Delete the post.
        wp_trash_post( $post_id );

        // Redirect to admin page.
        $redirect = admin_url( 'edit.php' );
        wp_safe_redirect( $redirect );

        // We are done.
        die;
    }
}

if ( current_user_can( 'edit_others_posts' ) ) {
    /**
     * Add the delete link to the end of the post content.
     */
    add_filter( 'the_content', 'wporg_generate_delete_link' );

    /**
     * Register our request handler with the init hook.
     */
    add_action( 'init', 'wporg_delete_post' );
}
What are WordPress "nonces"?
"Nonce" is short for "number used once". A WordPress nonce is a generated token tied to a specific user, a specific action (submitting a form, deleting a post, and so on) and a time window. Despite the name, a WordPress nonce is not strictly single-use: it stays valid for its whole lifetime and can be presented more than once within it.
Why use nonces?
The main purpose of a nonce is to protect against Cross-Site Request Forgery (CSRF), an attack in which a victim is tricked into clicking a link or submitting a form that performs a damaging action on your site with the victim's own privileges.
Another way to describe a nonce is as a temporary key that is unique to you and to one specific operation. Someone else cannot realistically guess it, and a nonce issued to a different user or for a different action will not be accepted.
How do nonces work?
A nonce is valid for up to 24 hours after it is generated. WordPress advances a "tick" every 12 hours and accepts nonces from the current and the previous tick, so the real lifetime is between 12 and 24 hours.
Once it has expired, an old nonce copied from a URL or a form submission can no longer be replayed.
Nonces are used throughout WordPress core without you noticing them. For example, suppose you are the administrator of a WordPress blog and want to delete a specific user account.
When you click the "Delete" link, WordPress generates a nonce and appends it to the URL as the _wpnonce query parameter.
That nonce is valid for at most 24 hours, only for you, and only for that specific operation, which in this case is deleting the user with the ID 2.
Now suppose that, having deleted the user, you also want to trash a post. When you click the "Trash" link for the post with ID 10, WordPress generates a new nonce specifically for that operation.
Its value differs from the first one, and the same rule applies: it is valid for at most 24 hours and only for the trash action on the post with ID 10.
So when a user clicks a link in the admin panel such as the delete or trash links above, WordPress checks behind the scenes that the _wpnonce parameter is valid, and only if it is does it carry out the request.
If _wpnonce is missing or invalid, WordPress refuses the operation and shows the user an error screen instead.
Using Nonces
The next step is to secure the data submission itself with a nonce. The capability check ensures the current user is allowed to delete posts; the nonce ensures the current user actually intended to perform this specific action rather than being tricked into it.
When generating the delete link, wp_create_nonce() is given the action name and the resulting nonce is added to the link as a query argument. When handling the deletion, wp_verify_nonce() checks that the submitted nonce matches that action before anything is trashed.
Complete example
Using capability checks, data validation, secure input, secure output and nonces:
/**
 * Generate a Delete link based on the homepage url.
 *
 * @param string $content Existing content.
 *
 * @return string
 */
function wporg_generate_delete_link( $content ) {
    // Run only for single post page.
    if ( is_single() && in_the_loop() && is_main_query() ) {
        // Add query arguments: action, post, nonce.
        $url = add_query_arg(
            [
                'action' => 'wporg_frontend_delete',
                'post'   => get_the_ID(),
                'nonce'  => wp_create_nonce( 'wporg_frontend_delete' ),
            ],
            home_url()
        );
        return $content . ' <a href="' . esc_url( $url ) . '">' . esc_html__( 'Delete Post', 'wporg' ) . '</a>';
    }
    // Leave the content untouched everywhere else.
    return $content;
}

/**
 * Request handler
 */
function wporg_delete_post() {
    if ( isset( $_GET['action'] )
        && isset( $_GET['nonce'] )
        && 'wporg_frontend_delete' === $_GET['action']
        && wp_verify_nonce( $_GET['nonce'], 'wporg_frontend_delete' ) ) {
        // Verify we have a post id.
        $post_id = ( isset( $_GET['post'] ) ) ? ( $_GET['post'] ) : ( null );

        // Verify there is a post with such a number.
        $post = get_post( (int) $post_id );
        if ( empty( $post ) ) {
            return;
        }

        // Delete the post.
        wp_trash_post( $post_id );

        // Redirect to admin page.
        $redirect = admin_url( 'edit.php' );
        wp_safe_redirect( $redirect );

        // We are done.
        die;
    }
}

if ( current_user_can( 'edit_others_posts' ) ) {
    /**
     * Add the delete link to the end of the post content.
     */
    add_filter( 'the_content', 'wporg_generate_delete_link' );

    /**
     * Register our request handler with the init hook.
     */
    add_action( 'init', 'wporg_delete_post' );
}
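The complete example above checks one broad capability (edit_others_posts) at the moment the hooks are registered, and ties the nonce only to the action name. Two refinements a practitioner would want are shown below: authorizing against the specific post with the delete_post meta capability, inside the request handler, and binding the nonce to the post ID so that a token minted for one post cannot be replayed against another. The capability check also belongs inside the handler rather than around add_action(): plugin files are included before WordPress loads its pluggable user functions, so a current_user_can() call at the top level of a plugin file runs before the current user is available, whereas by the init hook the user has been authenticated. This is an added example written for this article, not code from the original page or from the WordPress Plugin Handbook; the nonce action name, the query parameter names and the 'wporg' text domain are illustrative, and it assumes it runs inside WordPress as a plugin.

```php
<?php
/**
 * Added example for this article, not code from the original page or the
 * WordPress Plugin Handbook. Front-end "Delete Post" link with per-post
 * authorization and a post-bound nonce. Parameter names, the nonce action
 * and the 'wporg' text domain are illustrative.
 */

// Show the link only to users who may delete THIS post. The check lives
// inside the filter, so it runs at request time when the current user is known.
function wporg_hardened_delete_link( $content ) {
    if ( ! is_single() || ! in_the_loop() || ! is_main_query() ) {
        return $content;
    }
    $post_id = get_the_ID();
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        return $content;
    }
    // Bind the nonce to the action AND the post ID, so a nonce issued for
    // one post is rejected when presented for another.
    $url = wp_nonce_url(
        add_query_arg(
            array( 'action' => 'wporg_frontend_delete', 'post' => $post_id ),
            home_url( '/' )
        ),
        'wporg_frontend_delete_' . $post_id,
        '_wpnonce'
    );
    return $content . ' <a href="' . esc_url( $url ) . '">' . esc_html__( 'Delete Post', 'wporg' ) . '</a>';
}
add_filter( 'the_content', 'wporg_hardened_delete_link' );

// Request handler, hooked to init so the current user is available.
function wporg_hardened_delete_post() {
    if ( ! isset( $_GET['action'] ) || 'wporg_frontend_delete' !== $_GET['action'] ) {
        return;
    }
    // absint() maps anything that is not a positive integer to 0.
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
    if ( 0 === $post_id || ! get_post( $post_id ) ) {
        return;
    }
    // Authorization first: is this user allowed to delete this particular post?
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this post.', 'wporg' ), 403 );
    }
    // Then intent: does the request carry a nonce minted for this action and post?
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_key( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'wporg_frontend_delete_' . $post_id ) ) {
        wp_die( esc_html__( 'Security check failed. Please go back and try again.', 'wporg' ), 403 );
    }
    wp_trash_post( $post_id );
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}
add_action( 'init', 'wporg_hardened_delete_post' );
```

The order of the checks is deliberate: authorization (current_user_can) answers whether this user may perform the action at all, and the nonce answers whether this request was one the user meant to make. Neither replaces the other, which is why a CSRF-protected endpoint with no capability check, or a capability-gated endpoint with no nonce, is still a vulnerability.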
Securing Your WordPress Plugin
Knowing where plugins go wrong is what lets you keep your own secure. Sanitize every input before using it, and escape every output for the context it lands in (HTML body, attribute, URL), because sanitizing on the way in does not make a value safe to print.
WordPress has several user roles with different permissions; before exposing any functionality, check that the current user has the capability it requires. Nonces protect against CSRF by letting your code distinguish a request that genuinely originates from your own site from one forged by a malicious origin.
Conclusion
Keeping a WordPress site secure means keeping a regular check on its plugins. It is an ongoing process of watching for risk and managing it. Before installing a plugin, assess whether it is maintained and whether it has known security flaws, and keep the plugins you do install updated. Do what it takes to keep the site safe from malware, and stay current with the latest trends in web malware and phishing.