There is welcome news for web developers this week as WordPress now offers automatic updates to the uber-popular web development platform. Starting out as a blogging tool, WordPress has morphed into a full website development ecosystem. Like many, this author has embraced WordPress due to its simplicity, flexibility, and easy search engine optimization.
The importance of the addition of automatic updates cannot be overstated. Not unlike computer operating systems such as Windows, Linux, and Mac, all web platforms contain coding flaws and shortcomings. Like the operating system makers, WordPress has been diligent about providing security updates on a regular basis. Getting web developers to install them, however, has proven to be a more difficult proposition.
How does a hacker make use of an unpatched website, you ask? Here’s how it works. As flaws are found, the volunteers of the WordPress group scurry to write a patch. Hackers are good at examining the newly released patch to determine which flaws were corrected; the patch serves as a “recipe” of sorts. An exploit for the unpatched sites is then developed and launched across the web from previously infected “bot” computers. The hacker then publishes a bogus web page on the now-infected website containing code that seeks to infect the computers that visit the page. The next step is to attract visitors. Hackers craft convincing emails that are bulk-mailed to millions of recipients worldwide. I’m sure you’ve seen the messages – bogus delivery failure notifications, etc. The links in the message direct the user to the infected website, and the arriving computers are probed for vulnerabilities (once again via unpatched software on the visitor’s PC). This usually involves web browser plugins such as Java, Adobe products, or even the operating system itself.
The process relies on an infected ecosystem: unpatched web servers, unpatched computers, compromised email accounts, and gullible users. Thom Infotech has made computer and server patch management a priority for our customers. We also focus on hosted email security systems that scrub unwanted messages from incoming email. Additionally, we focus on providing quality antivirus software that can be monitored around the clock. We also provide unified threat management firewalls to further guard against malicious email and infected websites. No solution is perfect, but our solution stack serves to reduce the attack surface to a bare minimum. Still, unpatched computers and websites make for a very challenging threat landscape. The addition of automatic updates in version 3.7 of the WordPress platform is a welcome development in the war against malware.
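As an added illustration (not code from the original post), here is how a site owner can control the WordPress 3.7 automatic updater. Out of the box, 3.7 applies only minor (security and maintenance) core releases; the `WP_AUTO_UPDATE_CORE` constant and the `auto_update_plugin` / `auto_update_theme` filters shown below are part of WordPress core, while the plugin slug list is a constructed example. The filters must live in a plugin (here a must-use plugin file), not in `wp-config.php`, because the plugin API is not loaded when `wp-config.php` runs.

```php
<?php
// --- wp-config.php (one line; add above the "That's all, stop editing!" marker) ---
// 'minor' = security/maintenance releases only (the 3.7 default),
// true    = every core release, including major versions,
// false   = never update core automatically.
// Leaving a site on false puts it back in the "unpatched server" bucket
// the post warns about, so prefer 'minor' or true.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// --- wp-content/mu-plugins/auto-updates.php (must-use plugin, always loaded) ---
/*
Plugin Name: Automatic plugin and theme updates (added example)
*/

// Plugins: update everything automatically, except a constructed
// allow-list of plugins that the site owner tests by hand first.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Example slugs only; replace with the site's own list.
    $manual_only = array( 'my-custom-checkout-plugin' );

    if ( isset( $item->slug ) && in_array( $item->slug, $manual_only, true ) ) {
        return false; // keep the admin in control of this one
    }
    return true;       // patch everything else as soon as a release appears
}, 10, 2 );

// Themes: always apply updates automatically.
add_filter( 'auto_update_theme', '__return_true' );
```

`AUTOMATIC_UPDATER_DISABLED` (a core constant) turns the whole updater off and should be left unset on production sites; the filters above are the right place to exclude a single plugin that needs manual testing.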