Mitigating extension vulnerabilities in template-based applications

There are over 43,900 official plugins available for WordPress, another 6,200 for Joomla! and 33,700 for Drupal, not to mention the countless other platforms that are freely and easily accessible. The plugins’ abilities range from adding photos for a personal website to complex development collaboration platforms. It seems there’s almost nothing that can’t be added, modified or extended without plugins or extensions – if you need it, there’s a plugin for that.

The trouble is, that no matter how secure your CMS installation is, adding new functionality, especially from potentially untrusted third-parties, has the potential to introduce security vulnerabilities.

There are currently 74,652,825 WordPress sites in existence on the web, roughly 30,000,000 Joomla! and 1,500,000 Drupal sites (based on the statistics from the respective projects’ websites). That’s a total of 106,152,825 sites based solely on those 3 applications.

The popularity of these CMSs is partially due to the fact that anyone can easily submit a plugin to various repositories, which allows users to easily (and in most cases, freely) download them for both personal and corporate use. Therefore, in many cases, users can easily add functionality to their site at no, or little cost. Unfortunately, this is a double-edged sword.- by allowing for an infinite number of plugins to be installed with little, or no website development knowledge, it can be extremely difficult to ensure that each and every plugin that is submitted has undergone a thorough security audit.

Older plugins are in most cases still available, and to make matters worse, millions of plugins are using old, or outdated software development practices. This is likely because the plugin could have been initially developed for individual use, the developer of the plugin may have opted to share it with the world, but is under no obligation to maintain it. On the other hand it could simply be mediocre, or inexperienced coding that can can cause a security deficiency.

The only way to know for sure, is to look at every extension you’re using and going through every bit of code behind it. Even if everyone had the skill to do so, it would be impractical, and it would largely defeat the entire purpose of using off-the-shelf software to begin with.

There is no such thing as being 100% immune to web security vulnerabilities, and attackers are always looking for a new and easy target to go after. It’s a matter of minimizing the potential of getting exploited. To such an extent, it’s of utmost importance to choose your plugins carefully, and then manage updates for each of them regularly. Below are some recommendations for websites running popular software such as WordPress, Drupal and Joomla!.

Routine maintenance and securing of a web application is a must

  1. Check for updates to both the CMS’ core, as well as plugins, extensions and theme updates
  2. Remove any unused plugins, they don’t have to be in use to be vulnerable
  3. Avoid using any old, or outdated plugins of which maintenance seems to have stopped
  4. Do not use plugins from any source other than a reputable source.
  5. Check the last update date when selecting a plugin, if its not current research it, test it or find another one
  6. Routinely change administrative passwords, and set a high complexity level with numbers letters and symbols.
  7. Restrict admin access to only the IP addresses you need to access it from
  8. Set a custom path for the admin panel. Instead of the standard "/admin_console.asp", change it to something more obscure like "http://www.mysite/U7miSCzSAe9.asp" as that is not as likely to be found by an attacker or an automated scanner.
  9. Get an encrypted connection (TLS/SSL)
  10. Secure your perimeter
  11. Perform regular vulnerability checks with Acunetix Vulnerability Scanner which checks for over 3100 types of web application vulnerabilities.
Share this post

Leave a Reply

Your email address will not be published.