SECURITY CONCEPTS: HALF OF ALL WORDPRESS PLUGIN VULNERABILITIES ARE XSS AND SECURING FTP
We had a lot of fun creating our WordPress Security Learning Center. One of the coolest experiences was being able to share with WordPress site administrators how attackers actually gain entry to their sites.
Our Introduction to Secure WordPress Sites is the starting point we recommend for all beginner or intermediate level WordPress administrators. In our introduction, we include a demonstration video in the section explaining why it’s important to use sFTP to manage your site and never use FTP. I’m the guy narrating the video and I demonstrate how to use Metasploit to grab FTP passwords from the network when someone uses insecure FTP. That was really fun!
We also discovered some amazing things while creating the Learning Center. In doing analysis on WordPress plugin vulnerabilities to determine what we should be teaching developers, we unearthed a startling statistic that really surprised me and the rest of the team. 47% of WordPress vulnerabilities are Cross Site Scripting (also called XSS) vulnerabilities.
What this means is that if we can successfully teach WordPress developers to avoid writing XSS vulnerabilities, we can prevent almost 50% of the vulnerabilities that appear in WordPress plugins.
This is the distribution we found when we analyzed every plugin vulnerability reported for the past 14 months:
Once we discovered this, it became clear that it was worth spending a significant amount of time explaining how XSS vulnerabilities are created, how they are exploited and how to avoid writing them.
Our PHP Vulnerability Types and How They Originate article gives you a concise introduction to XSS vulnerabilities which is very accessible for beginner to intermediate WordPress site admins. It doesn’t include any code and uses plain english to explain Cross Site Scripting.
In our Introduction to Writing Secure PHP Code we provide a code example of an XSS vulnerability and how to fix it. What I particularly like about the intro to secure code article is that it talks about XSS vulnerabilities in the broader context of sanitizing, validating and escaping user input and application output. Rather than focusing on a quick atomic fix, we give you broader and more comprehensive view of the problem you’re solving.
In “How XSS Vulnerabilities are Created and How to Avoid Them” we go into detail on Cross Site Scripting vulnerabilities and explain how to avoid them in your code. We include an explanation of the difference between ‘stored’ vs ‘reflected’ XSS which most people don’t understand.
You’ll notice that the content in the WordPress Security Learning Center is vendor neutral. We actively avoided mentioning Wordfence anywhere unless it became very awkward not to. The reason we did this was to create a resource that could focus on the problem of securing the WordPress community and that would help developers write secure themes and plugins for WordPress.