Wordpress is the world's most popular CMS, and the most targeted.

4/30/2020

Over the years we’ve had a few panicky calls from a number of businesses in deep distress as their Wordpress website has been hacked, the latest of which was a global technology company with revenues of over £50M, proving it can happen to anyone.

Unfortunately any website can be targeted by hackers, but Wordpress is the most common target because it’s the world’s most popular CMS. It powers over 31% of all websites meaning hundreds of millions of websites across the globe are built on Wordpress. This popularity means that if hackers find a way in to one less secure Wordpress site, it means they can probably access thousands more and exploit them. Hackers have different kinds of motives, some are just bored teenagers in bedrooms across the world who are just amusing themselves by exploiting less secure sites, but some hackers are serious cybercriminals with much more malicious intent like distributing malware, using a site to attack other websites, or spamming the internet. Hacking can have serious ramifications for a business way above reputational damage.

Wordpress is a good solution when implemented properly, as the millions of solid sites built with it bear out. It can be very cost effective too as there are hundreds of thousands of developers, both individuals and agencies, who use it to build sites. One of these reasons why it's often cheap, is that many sites are built with off-the-shelf themes which can be bought for just a few dollars and are basically a built website that you can adapt or just add content to. Most look great on all devices as they’re already mobile responsive, and because they’re pretty much built, they can be very quick and therefore very cheap to create. So, if a Wordpress theme meets your needs, and the agency or developer passes on the cost savings - bear in mind that some might try and claim they’ve built it ground up – then happy days.

Well hopefully.

Researchers estimate that there are hundreds of thousands of Wordpress sites that are currently at risk of being exploited because of vulnerabilities within the themes or plugins used, some just need updating, some are inherent. According to a new report from the cybersecurity firm Sucuri, hackers began actively exploiting a bug in the OneTone theme, used by over 200,000 sites, back in April 2020.

“Hackers are using the XSS bug to insert malicious code inside of OneTone theme's settings. As the theme checks these settings before loading any page, the malicious code is executed on every page of a vulnerable site. The code itself serves two functions as it redirects some of a vulnerable site's users to a traffic distribution system … while a second function enables the creation of backdoor. The malicious code even has the ability to recognize site admins as it looks for the presence of the WordPress admin toolbar at the top of a page. Once a user with admin-level privileges is detected, the code then adds an admin account to a site's WordPress dashboard. These two backdoors grant an attacker access to the site even if their malicious XSS code is removed from OneTone's settings or the vulnerability ends up being patched.” Luke Leak, Malware Researcher

The creators of the OneTone theme, Magee WP, last issued a patch back in 2018 so it’s doubtful a fix for this vulnerability will be coming any time soon. Users still running the theme are probably best advised to disable it to avoid falling victim to this latest hacking campaign. Unfortunately, again largely due to Wordpress’s popularity, this kind of situation is not uncommon; another recent example is an attack on the ThemeGrill Demo Importer, Profile Builder and Duplicator plugins used in around 800,000 sites. Sometimes security flaws are actually built into a theme by scurrilous developers who come back later to exploit them, but if you buy a $20 theme from some dubious Russian or Chinese marketplace I suppose you might expect trouble.

As well as security risks, the other issue for me, as a designer, is that off-the-shelf WordPress themes are precisely that: 'off-the-shelf', they're not built for you or your target audience. Essentially they’re a ‘cookie cutter’ solution, and they are designed to appeal to as large an customer base as possible because that’s how WordPress theme authors make their money; selling and shipping as much product as possible. Therefore they need to appeal to the widest target audience as possible resulting in very generic Ui designs. And because they’re not built for you specifically, you’re always having to make compromises both on functionality and user experience as they don’t take into account your specific needs or those of the users.

Furthermore, because these off-the-shelf themes aren’t built for specific needs, and are trying to appeal to a wide range of customers, they provide a lot of customisation options so the codebase is always bloated with redundant code that's not needed. For example, if a WordPress theme has “10 header options” and “10 footer options” – that’s 18 options that won’t be getting used. However, the code for these 18 redundant options is still sitting there behind the scenes, both slowing the website down and adding a level of complexity that your website doesn’t need. This is not good for site performance or search engine optimisation.

Finally, as with all things generic, off-the-shelf, widely available and - ultimately - cheap, lots of people will buy it. So like the two wedding reception guests who bump into each other in identical outfits, it can be a bit embarrassing when you think your site is unique to your business only to discover tens or even hundreds of thousands of other sites using the exact same theme. As with all marketing and corporate communications, a website is a reflection of your brand which is the embodiment of the company’s personality and its values and this is unique to your business. Or at least it should be.

 

Author

Will Bentley