Three plugins were responsible for 25 percent of all WordPress hacks discovered in the first quarter, Sucuri said in its recently released report on post-hack actions by attackers. According to the report, outdated versions of RevSlider, GravityForms plugins, and TimThumb Script were the leading cause of WordPress site hacks and exploits.
RevSlider accounted for the majority of vulnerabilities caused by the top three outdated plugins, which could in part be because it’s bundled within themes and other frameworks.
“The biggest challenge with RevSlider however, is that it’s embedded within Themes and Frameworks and some website owners are unaware they have it installed until it has been used to adversely affect them via a compromise,” the report said.
The RevSlider vulnerability compromised more than 100,000 sites in December 2014. The effects weren’t felt until 2015, however, despite a patch being released immediately after the vulnerability was disclosed.
In 2012, TimThumb accounted for 49 percent of all WordPress site hacks, and although the fix has been available for years, the vulnerability is still responsible for 6 percent of all WordPress vulnerabilities discovered in the first quarter of 2016.
“What this data, especially the trend with TimThumb, [tells us is] we can expect issues in the out of date, vulnerable, versions of GravityForms and RevSlider to continue to be problems for years to come,” CEO of Sucuri Tony Perez told Torque.
Perez emphasized that this data doesn’t illustrate a problem with plugin developers, but highlights a very real challenge web owners face in keeping their sites and plugins up to date.
“It’s easy to tell someone they have to stay up to date, but it’s a different thing to a) stay current and b) expect website owners to do so,” he said. “We’re facing a real problem of security fatigue amongst website owners.”
The other 75 percent of WordPress exploits in early 2016 were traced to the platform’s extensible components, such as plugins and themes, and not to the core itself. Similarly, a good number of these hacks likely came from exploited out-of-date plugins.
While the report highlights security issues due to out-of-date software, it also notes that WordPress fares much better than its competition when it comes to security, which is likely due to auto-update initiatives and other security measures taken by plugin and theme developers.