WordPress and information disclosure

Information disclosure is a security issue in which information about a system is revealed to a user or attacker. The severity varies with the type of information revealed. Hacking is largely a trial-and-error process: the attacker persistently tries new requests to find a loophole in your website or web application, and uses the error messages and metadata your site returns to understand how the server is structured and how files are handled. Once the routine and the layout are known, breaking in becomes much easier.

[Image: security layout]

The most common methods hackers use to exploit information disclosure are as follows.

Active reconnaissance, in which the attacker constantly sends different requests to the system to find a weak point. For example, if the version of your web server is revealed and that version happens to be out of date, the attacker has an easy vantage point.

[Image: web server version disclosure]

Code disclosure – plugins, themes, and libraries reveal their version in many places (CSS files, public changelogs, inlined HTML). When you run an outdated version with known vulnerabilities for that specific code, criminals can easily take advantage.

[Image: plugin version inlined in HTML]

Understanding the routine – certain parts of the server and code ship with default settings, and hackers know those defaults as well. If an attacker manages to crack one weak website on a shared host, getting into the other websites on that server becomes an easy job. Another common mistake is using a weak password together with a username that is easy to guess; for example, most WordPress owners still keep their admin username as admin.

Disclosing file paths – we normally use the auto-generated file paths. An attacker sends requests for different file-path combinations appended to your website URL. At some point your website returns a 404 Not Found error for some paths and a 403 Forbidden error for others. From the 403 Forbidden response the attacker can tell that the particular file exists on your site, even though it cannot be read directly.

WordPress and Information Disclosure

As said before, WordPress is an open-source platform that lets developers build a website easily. Themes give your website its look, and plugins add functionality. Because plugins have extensive permissions over your website's files, hackers mostly target plugins to exploit your website. The following pie chart shows the most vulnerable parts of a WordPress website.

[Image: WordPress vulnerability chart]

Hackers use different methods to get the information they need; the most common are XSS, CSRF, and SQLi. These may sound like jargon, but each is a very powerful way to harm your site. One of the most common is XSS, cross-site scripting. XSS not only collects information from your site but can also collect sensitive information from the users of your website or web application.

Give is a popular donation plugin used by thousands of WordPress sites to collect donations for charities. This plugin was affected by an XSS vulnerability, which can do a lot of damage when acting as a user. Thankfully the bug was reported and neutralized within a few days.

Another critical information disclosure issue was found in the Ultimate Member plugin. The bug allowed an attacker to read and delete the website's wp-config.php file, which means a complete website takeover. Another bug in the same plugin exposed user profile information. These bugs were also neutralized within a few days, and the plugin is safe to use now.

These are just a couple of random examples, but vulnerabilities in the WP ecosystem are released every day, as you can see on WPVulnDB, which contained more than 14,000 vulnerabilities at the time of writing.

Once a vulnerability is disclosed, malicious bots use it to run automated attacks, with the purpose of hacking as many websites as possible in order to spread viruses, spam and all kinds of bad things.

How To Prevent WordPress Information Disclosure

Preventing information disclosure is not an easy job. You need to prioritize the most important information, the kind that can lead to the biggest vulnerabilities. I usually set up custom firewall rules on mission-critical websites, while keeping the WordPress environment as secure as possible by following some basic best practices, such as:

  1. Choose a proper hosting provider – as you can see, most of the information is fetched from the server. Most modern servers won't show any sensitive server-side errors to end users; those errors can only be seen from the server account dashboard. Take a look at my hosting recommendations, rated mainly on the hosting provider's security and internal code structure.
  2. Consider using a CDN – to add an extra layer of protection for your server-side information, try using a CDN. CDN providers give you a number of security tools to protect your website, and your content also loads faster. CDNs can protect your site from DDoS attacks and also act as a WAF (Web Application Firewall).
  3. Update regularly – the Give WP and Ultimate Member plugin examples themselves show why developers ship constant updates to their products. Even if you are using a custom theme and heavily customized plugins, try to update them periodically. I have written a full post on how to update a WordPress website properly; take a look at it to learn more.
  4. Use security plugins – security plugins are good instruments to scan your website, check the basic configuration and detect some attacks and malware.
  5. Use strong passwords – there are plenty of free tools to generate strong passwords; for example, you can use LastPass's password generator. To easily manage your passwords you can use tools like 1Password and LastPass.
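As an added example (not the author's own code and not part of WordPress or any plugin named above), the following must-use plugin closes several of the disclosure channels discussed earlier: the generator tag and `?ver=` query strings that leak core, theme and plugin versions, the `X-Powered-By` header, login messages that confirm a username such as admin, and PHP errors that print file paths. The file name and the `rid_` prefix are my own choices.

```php
<?php
/**
 * Plugin Name: Reduce Information Disclosure (added example)
 * Description: Example hardening for the disclosure channels described in the post.
 * Install as wp-content/mu-plugins/reduce-info-disclosure.php (assumed path).
 */

// 1. Version in inlined HTML: remove <meta name="generator" content="WordPress x.y">
//    from page heads and the generator element from feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Version in CSS/JS URLs: WordPress appends ?ver=<version> to every enqueued
//    stylesheet and script, which reveals core, theme and plugin versions.
function rid_strip_asset_version( $src ) {
    if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'rid_strip_asset_version', 9999 );
add_filter( 'script_loader_src', 'rid_strip_asset_version', 9999 );

// 3. Web server version disclosure: drop the X-Powered-By header PHP adds.
//    The Server: header itself is controlled by the web server configuration
//    (Apache "ServerTokens Prod", nginx "server_tokens off"), not by WordPress.
add_action( 'init', function () {
    if ( ! headers_sent() ) {
        header_remove( 'X-Powered-By' );
    }
} );

// 4. Default settings / guessable usernames: WordPress normally says whether the
//    username or the password was wrong, confirming that "admin" exists.
//    Return one generic message for both cases.
add_filter( 'login_errors', function () {
    return __( 'Invalid login credentials.' );
} );

// 5. Disclosing file paths: PHP warnings include absolute server paths, so never
//    display them to visitors; log them instead. Pair this with, in wp-config.php:
//    define( 'WP_DEBUG_DISPLAY', false ); define( 'WP_DEBUG_LOG', true );
@ini_set( 'display_errors', '0' );
```

Directory listings and the 403-versus-404 behaviour for protected files are decided by the web server, so those still need `Options -Indexes` or the equivalent in your server configuration rather than in PHP.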

If you feel that your WordPress website's security has already been compromised, or you want to assess its current security status, the best option is to hire a specialized company (like Sucuri, which I recommend) or rely on a professional security consultant (you can find one on Codeable).
