The emergence of significant security vulnerabilities<\/a> this year\u00a0has yet again reminded us of the need for ongoing vigilance and the importance of keeping sites updated.<\/p>\n In this article, we’ll cover a selection of the major WordPress security exploits to date and what they meant for both users like you and the future of WordPress.<\/p>\n Before we delve into the past though, let’s fill in some blanks on the subject of WordPress security in general.<\/p>\n Continue reading, or jump ahead using these links:<\/p>\n Security has been on the WordPress community’s radar from the very beginning for good reason and is a critical part of the project as a whole.<\/p>\n A measure of how high up the priority queue security\u00a0is can be seen by going to the about page of WordPress.org<\/a>\u00a0where the security section<\/a>\u00a0is very prominently displayed.<\/p>\n If you haven’t previously read the WordPress security white paper<\/a>, it’s worth taking a few minutes to go through it.<\/p>\n It provides a succinct overview of the project’s approach to security and covers a number of useful points including the following:<\/p>\n The quickest way of getting an overview of how much activity there has been on the WordPress security front over the years is a quick visit to the WordPress Security Archive<\/a>:<\/p>\n There\u00a0you’ll find details of all security releases to date conveniently assembled in one place.<\/p>\n As can be seen from the entry log, security issues have a tendency to come in flurries and we’ll be going into the details of some of these shortly.<\/p>\n As Matt Mullenweg never fails to point out, the single biggest security improvement you can make to your site is making sure it is constantly up to date<\/a>.<\/p>\n Ongoing attacks are unfortunately a fact of online life, but the community has an excellent track record of addressing them quickly and transparently.<\/p>\n Let’s move on to some of the notable time periods where the threat level was particularly high and they were forced to do just that.<\/strong><\/p>\n The growing popularity of WordPress as a CMS as it approached its five-year anniversary saw the level of attacks\u00a0increase considerably.<\/p>\n Hackers naturally focused on low-hanging fruit and a wave of exploits targeting SEO<\/a> and Adsense blogs came to light throughout 2007 and 2008<\/a>:<\/p>\n To make matters worse, WordPress’ own servers were compromised during this time, leading to the inclusion of a potential backdoor in WordPress 2.1.1<\/a> in 2007.<\/p>\n The issue was quickly addressed in\u00a0security release 2.1.2<\/a>,\u00a0but did little for the software’s\u00a0early reputation.<\/p>\n By mid-2007, the subject of security was increasingly a major focus of concern among community leaders<\/a>,\u00a0with one of the major long-term effects of this renewed focus being the eventual introduction\u00a0of\u00a0the one-click update in WordPress 2.7 (Coltrane)<\/a>.<\/p>\n The previously manual update process had long been flagged as a major stumbling block in getting users to update regularly, a situation that massively increased the number of live sites vulnerable to attack.<\/p>\n 2009 saw a further flurry of activity from July through to October with a series of security patches being released, covering WordPress versions 2.8.1 up to 2.8.6.<\/p>\n The situation kicked off with the discovery by CoreLabs of a serious vulnerability<\/a> affecting versions 2.8 and under. This was resolved with the release of 2.8.1, but it also marked the beginning of a run of releases addressing either overall hardening of WordPress or fixing further acute vulnerabilities.<\/p>\n This sequence came to a close with the Thanksgiving 2009 release of 2.8.6<\/a>.<\/p>\n Though the long-term effect of tightening up overall WordPress security was incredibly positive, many in the community will remember it as a dark time for the platform, when it seemed like an upgrade was required every other week.<\/p>\n There’s an excellent write-up of this time period over by Jason Cosper at Torque<\/a>,\u00a0putting the whole series of incidents into perspective and pointing out the change point for the platform that it represented.<\/p>\n The year 2011 was chiefly notable for the large scale arrival of the TimThumb vulnerability,\u00a0whereby the popular\u00a0image-resizing utility<\/a> could be used to load and execute arbitrary PHP code on a server.<\/p>\n Though the original issue was quickly patched and significant additional work was done on the utility in subsequent years, TimThumb remained a target<\/a> for ongoing attacks all the way up into 2014.<\/p>\n It serves as an excellent reminder of the persistence of hackers in targeting a route once a\u00a0vulnerability has been established.<\/p>\n 2013 saw further security feathers being ruffled with the release of a number of reports highlighting the ongoing vulnerabilities of high-profile WordPress sites in the wild.<\/p>\n Security firm Enable Security\u00a0profiled WordPress sites listed among the top one million Alexa websites and came to the conclusion that out of 42,106 WordPress sites found, 73.2% were vulnerable\u00a0to attack as a result of running outdated versions of the software.<\/p>\n Though there was some quibbling<\/a> about the level of threat actually present, the figures did act as a further reminder that regular updating remains a concern even on the biggest of WordPress installs.<\/p>\n A separate report on plugins<\/a> from Israeli firm Checkmarx found that seven out of the ten most popular e-commerce\u00a0plugins also contained potential vulnerabilities.<\/p>\n And so we arrive finally at 2015, another year of note.<\/p>\n This has largely been due to the recent discovery of an XSS vulnerability<\/a> affecting a number of the most widely installed plugins in the WordPress ecosystem.<\/p>\n The list of plugins affected was\u00a0a veritable who’s who of the WordPress great and good, including Yoast<\/a>, Gravity Forms<\/a>, and even Jetpack<\/a>.<\/p>\n As per usual, the core vulnerability was swiftly addressed in version 4.1.2<\/a> but it just goes to show that, even in 2015 with over a decade of active monitoring and hardening of the platform, major security issues can still break out at a moment’s notice.<\/p>\n In addition to keeping updated, there is of course a much wider set of measures you can take with WordPress to make your site as secure as possible.<\/p>\n We’ve tackled the subject of security on several occasions here at WPMU DEV over the years and provided comprehensive guides to help you keep those digital doors firmly locked.<\/p>\n Review these three articles in particular for full information on steps to take to protect your site:<\/strong><\/p>\n The subject of online security is obviously a vast one so we’ll limit ourselves to two solid starting points for further exploration:<\/p>\n As you can see from both the historical episodes we’ve highlighted here and the current series of exploits making waves in 2015, security is a subject that WordPress owners need to constantly keep on top of.<\/p>\n The platform itself has taken significant steps over the years to put together a world-class security team, and its reaction to individual exploits has very rarely been less than immediate.<\/p>\n Regular updates and attention to the sort of security resources we mentioned towards the end of the article remain the best way to keep things safe if you are managing your own site.<\/p>\n","protected":false},"excerpt":{"rendered":" WordPress has fallen victim to a number of serious security exploits over the years but has also established a hard-won reputation for responding swiftly and decisively to attacks. We examine the biggest exploits and how you can tighten security on your own site.<\/p>\n","protected":false},"author":37930,"featured_media":142496,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"blog_reading_time":"","wds_primary_category":0,"wds_primary_tutorials_categories":0,"footnotes":""},"categories":[557,10468],"tags":[10810],"tutorials_categories":[],"class_list":["post-142224","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-development","category-reviews-opinion","tag-wordpress-security"],"_links":{"self":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/142224","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/users\/37930"}],"replies":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/comments?post=142224"}],"version-history":[{"count":41,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/142224\/revisions"}],"predecessor-version":[{"id":222831,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/142224\/revisions\/222831"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media\/142496"}],"wp:attachment":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media?parent=142224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/categories?post=142224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tags?post=142224"},{"taxonomy":"tutorials_categories","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tutorials_categories?post=142224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
Some Background on WordPress Security<\/h2>\n
The WordPress Security Whitepaper<\/h2>\n
\n
![\"The](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/06\/wp-security-whitepaper.png\")
<\/a>The WordPress Security Archive<\/h2>\n
![\"WordPress](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/06\/wp-security-archives.png\")
<\/a>Staying up to Date<\/h2>\n
WordPress Security Vulnerabilities over the Years<\/h2>\n
2007\/2008 \u2013 Early Attacks<\/h3>\n
![\"TechCrunch](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/06\/wordpress-security-issues-headline.png\")
2009 \u2013 A Renewed Emphasis on Security<\/h3>\n
2011 \u2013\u00a0Issues with Images<\/h3>\n
![\"Binary](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/06\/binary-moon-tim-thumb-article.png\")
2013 \u2013 Major Sites at Risk<\/h3>\n
2015 \u2013 Major Plugins Compromised<\/h3>\n
![\"Jetpack\"](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2015\/06\/jetpack2.png\")
Learn More on WPMU DEV<\/h2>\n
\n
Resources Further Afield<\/h2>\n
\n
Conclusion<\/h2>\n