Welcome to the Patchstack Weekly Security Update, Episode 54! This update is for week 2 of 2023.
This week's knowledge share will continue the trend of New Year's resolutions. I am honored to share with you these simple tasks you can do, in hopes you will improve your website and business security maturity as we start this year off by taking responsibility. This week's New Year's security resolution is all about how to ensure your sites are not running insecure, abandoned, or unsupported components.
This week's vulnerability roundup will include one critical unauthenticated security bug that was patched. I will also share a list of plugins reportedly being targeted by a botnet that is attacking WordPress websites.
In the past week, there has been a lot of news about a botnet targeting WordPress websites. The botnet's behavior is simple: it has weaponized attacks against insecure WordPress plugins. Upon successful compromise of a website, it installs a backdoor, or node, which listens for further commands from a central "Command and Control" server under the attacker's control. That node then perpetuates further attacks against more websites.
The only surprise is the age of some of the vulnerabilities this botnet has weaponized. Full details on the vulnerabilities being targeted were not included in the reports, but some investigations show they are targeting vulnerabilities that were patched back in 2016.
This brings me to the point of this week's knowledge share. This is a reminder to ensure your WordPress sites are running updated, secure, and supported components.
Let's walk through how to check that your WordPress websites are running up-to-date software. Don't worry, it won't take long for each site.
First, let's check if your plugins have any updates available. All you need to do is log in to your website's WordPress admin panel and check the plugins and themes tabs. It'll have a red number highlighting the tab to let you know if there are updates available.
These updates could be feature or security updates; a default WordPress installation only tells you that an update is available.
To go one step further, we can check if any installed components have known vulnerabilities. This is where a tool like the Patchstack plugin comes in handy. It will tell you if you are running known vulnerable components and allow you to easily update just the insecure components.
This is very handy for detecting insecure components that receive no updates from their developers, or for any website where applying updates is avoided out of fear of breaking the site.
Now that we can confirm the site's components are up to date, or at least up to date on security patches, what more is there?
We should confirm the components we chose are actively supported and not abandoned.
Active development is important. You can see this via the last code commit date or via the component's changelog (if one is provided). If it has been years since the developer's last commit, you may want to reconsider using a project that receives such infrequent updates.
But slow commits are not a sign of insecurity or abandonment; they are just a sign of slow commits. There is a chance the developer is still active. You can reach out to them via email, or the component's support forums. In fact, if you see the developer is active in the support forums, that may be a great sign. Reach out! Ask them how things are going with the project and what the priorities are for the next release.
Engaging with the developers is a fine way to show support for their projects. I'm sure financial donations would also be appreciated, but sending them a thank you and showing your appreciation and interest in where the project is going is infinitely better than being one more anonymous tick on their project's download counter.
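As an added example (not from this episode or from Patchstack's own tooling), here is a small Python audit that combines the two checks just described: it reads the plugin inventory in the shape WP-CLI's `wp plugin list --format=json` prints it, looks up each plugin's `last_updated` timestamp as the wordpress.org plugin info API reports it, and flags plugins with a pending update or no release in the last two years so you know which developers to contact. The sample inventory and timestamps below are constructed, the field names follow WP-CLI and the wordpress.org API as I understand them, and the two-year threshold is an assumption you should tune.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of `wp plugin list --fields=name,update,version --format=json`.
# WP-CLI reports the "update" column as "none" or "available".
WP_CLI_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "update": "none", "version": "5.0.2"},
    {"name": "example-gallery", "update": "available", "version": "1.4"},
    {"name": "old-slider", "update": "none", "version": "2.1"},
])

# Constructed sample of the "last_updated" field returned by
# https://api.wordpress.org/plugins/info/1.0/<slug>.json, keyed by slug.
# Assumption: the API formats it like "2022-12-20 3:15pm GMT".
WPORG_LAST_UPDATED = {
    "akismet": "2022-12-20 3:15pm GMT",
    "example-gallery": "2022-11-02 9:00am GMT",
    "old-slider": "2016-03-14 11:30am GMT",
}

# Assumption: two years without a release is the point where we ask "abandoned?"
STALE_AFTER = timedelta(days=2 * 365)


def parse_wporg_date(value):
    """Turn the wordpress.org last_updated string into a date."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").date()


def audit_plugins(plugin_list_json, last_updated_by_slug, today):
    """Return {slug: [findings]} for every plugin that needs attention."""
    findings = {}
    for plugin in json.loads(plugin_list_json):
        slug, issues = plugin["name"], []
        if plugin["update"] == "available":
            issues.append("update available: apply it, then read the changelog")
        stamp = last_updated_by_slug.get(slug)
        if stamp is None:
            issues.append("not listed on wordpress.org: confirm it is still supported")
        elif today - parse_wporg_date(stamp) > STALE_AFTER:
            issues.append("no release in over 2 years: contact the developer or replace")
        if issues:
            findings[slug] = issues
    return findings


if __name__ == "__main__":
    today = parse_wporg_date("2023-01-13 12:00pm GMT")  # constructed "today"
    for slug, issues in audit_plugins(WP_CLI_PLUGIN_LIST, WPORG_LAST_UPDATED, today).items():
        print(f"{slug}: " + "; ".join(issues))
```

On a real site, replace the two constructed samples with the live `wp plugin list` output and one API request per slug.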
During this process, you may come to a point where replacing a component seems like the right call. So I will leave you with one last recommendation. If you find yourself comparing two components that both appear regularly updated and well-supported, what could the tipping point be? To me, it would be whether they have a mature security posture. Specifically, do they have a vulnerability disclosure policy? Do they make it easy for security researchers to report issues to their team, and does the project's changelog include at least a few clearly communicated security updates?
If they do, then that is the sort of project you know you can trust to be supported, to respond to security issues appropriately, and to genuinely care about its users' safety.
The developers of Membership for Woocommerce released a patch to secure their code against an unauthenticated arbitrary file upload security bug. The plugin only has a few hundred installations, but site owners should apply the most recent update as soon as possible. The CNA that handled this bug report plans to release the proof of concept to the public on January 25th, 2023. Site owners have only the next few weeks to update.
The security research firm Doctor Web recently released a report regarding backdoors infecting web servers through insecure WordPress websites. This report includes details on the backdoors the botnet was using as well as the insecure components the hackers were exploiting.
Their report lacks vulnerable version ranges for these components, but if you are running any of the following plugins it would be a good idea to make sure you have applied all available updates.
This week's thanks go out to the developers of Membership for Woocommerce, thank you for that quick patch and for securing your users' websites.
A special thank you goes out to Doctor Web, thank you for your honest reporting of botnet activity. Your initial report was clear and even-handed that these were old and publicly known vulnerabilities in these components.
I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly Security Update!