A great many CMS websites have been compromised as a result of the misuse of two query functions in particular: add_query_arg() and remove_query_arg(). These two are regularly used by web designers and developers to add, change and strip query-string parameters on URLs within the Content Management System. Unfortunately, despite their enormous utility, their common misapplication has caused more harm than good. Both functions, when called without an explicit URL, build their result from the current request URI, and the string they return is not escaped for HTML output. Wherever a plugin echoed that return value straight into a page, an attacker who could get a victim to open a crafted link had a cross-site scripting vulnerability to work with.
Cross-Site Scripting, or XSS for short, is an attack that takes advantage of dynamically generated web pages. In an XSS attack, the attacker gets a script of their choosing into a page served by a web application that does not properly escape its output; the script then runs in the browser of every user who views that page, with that user's session and privileges on the site.
Documentation for popular blogging and Content Management System platforms such as WordPress supplied very scanty information on how to use the above-mentioned query functions safely. As a result, developers have been using them in an insecure way, leaving the door open for malicious attackers. In particular, a bevy of plugins were affected by this XSS vulnerability. The following is a list of them:
- Jetpack
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- UpdraftPlus
- WP-E-Commerce
- WPTouch
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Give
- Multiple iThemes products including Builder and Exchange
- Broken-Link-Checker
- Ninja Forms
Most likely, there are several more that we have failed to list. Just keep in mind that the above list is illustrative, and by no means complete. If you have a WordPress site, we highly recommend that you take the necessary time to update each and every plugin.
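To make the bug concrete, here is an added example (not code from the original post, from WordPress core, or from any of the plugins listed above) showing the vulnerable pattern beside the fixed one. Run inside WordPress it uses the real add_query_arg() and esc_url(); run from the command line it falls back to the guarded stand-ins defined at the top, which are deliberately simplified and are not WordPress's implementations. The stand-in reuses the current request's query string without HTML escaping; the real function applies URL-encoding to parts of the request, so which spot in the URL is injectable depends on the WordPress version, but the absence of HTML escaping is the same, and that is what the fix addresses. The request URI, the parameter names and the link text are constructed for the demonstration.

```php
<?php
// Added example; not code from the original article, from WordPress core,
// or from any of the plugins named above.
//
// Inside WordPress the real add_query_arg() / esc_url() are used. Outside it
// (php -f this file) the guarded stand-ins below let the script run. They are
// simplified on purpose and are NOT WordPress's implementations.

if ( ! function_exists( 'add_query_arg' ) ) {
    // Stand-in: with no URL supplied, start from the current request URI,
    // reuse its query string and add the parameter. No HTML escaping, which
    // is the property this example is about.
    function add_query_arg( $key, $value, $url = null ) {
        if ( null === $url ) {
            $url = $_SERVER['REQUEST_URI'];
        }
        $parts = parse_url( $url );
        $qs    = array();
        if ( isset( $parts['query'] ) ) {
            parse_str( $parts['query'], $qs ); // percent-decodes names and values
        }
        $qs[ $key ] = $value;
        $pairs = array();
        foreach ( $qs as $k => $v ) {
            $pairs[] = $k . '=' . $v;          // scalar values only in this demo
        }
        $path = isset( $parts['path'] ) ? $parts['path'] : '';
        return $path . '?' . implode( '&', $pairs );
    }
}

if ( ! function_exists( 'esc_url' ) ) {
    // Stand-in for HTML-attribute context: refuse non-http(s) schemes and
    // encode the characters that would close the attribute or the tag.
    function esc_url( $url ) {
        if ( preg_match( '#^[a-z][a-z0-9+.\-]*:#i', $url ) && ! preg_match( '#^https?:#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
    }
}

// Constructed attacker request. The plugin never reads the extra parameter,
// but the whole request URI is copied into the generated link, so the
// payload rides along: the parameter *name* is "><script>alert(1)</script>.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=demo&%22%3E%3Cscript%3Ealert(1)%3C/script%3E=1';

// The pattern found in the affected plugins: the return value goes straight
// into an href attribute.
function vulnerable_link() {
    return '<a href="' . add_query_arg( 'action', 'reset' ) . '">Reset</a>';
}

// The fix: escape for the context the value lands in before printing it.
function hardened_link() {
    return '<a href="' . esc_url( add_query_arg( 'action', 'reset' ) ) . '">Reset</a>';
}

// Check a reviewer can apply to generated markup: the link is intact only if
// the href value contains no raw quote or angle bracket and the anchor closes
// exactly where the template intended.
function link_is_intact( $html ) {
    return preg_match( '#^<a href="[^"<>]*">Reset</a>$#', $html ) === 1;
}

echo "Vulnerable: ", vulnerable_link(), "\n";
echo "Hardened:   ", hardened_link(), "\n";
echo "Intact?     vulnerable=", var_export( link_is_intact( vulnerable_link() ), true ),
     " hardened=", var_export( link_is_intact( hardened_link() ), true ), "\n";
```

The vulnerable line emits `<a href="/wp-admin/admin.php?page=demo&"><script>alert(1)</script>=1&action=reset">Reset</a>`: the attacker's quote closes the attribute, the tag is closed, and the script runs for whoever opened the link. The hardened line turns the same characters into `&quot;&gt;&lt;script&gt;...`, which the browser treats as part of the URL and nothing else. The same wrapping applies to remove_query_arg(), and if the value is printed into a JavaScript string or plain HTML text rather than an attribute, the escaping function must match that context instead.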
Recommended Precautionary Measures
Below we have supplied a list of precautionary measures that can help you reduce your overall threat risk – keeping your website up and running and functioning optimally.
- 1. Patch. Keep your sites updated.
- 2. Restrict. Apply restrictive access control: limit who can log in to the administration area, give each account the lowest role it needs, and keep the number of administrator accounts that can install plugins to a minimum.
- 3. Monitor. Monitor your logs. Take a minute or two to see if there is any suspicious activity going on, such as requests to wp-admin whose query strings carry encoded HTML tags or script. Your logs can give you great insight as to whether your site is being meddled with.
- 4. Reduce your scope. Plugins are great. They can help you achieve a particular task in less time. However, every plugin is extra code running on your site, and a vulnerability in any one of them, as the list above shows, exposes the whole site. For that reason, we recommend that you keep the number of plugins on your website to a minimum. Winnow out your plugins to only the essentials.
- 5. Detect. The common cliché, prevention is preferable to treatment, rings true here. Prevention means simply updating plugins and making sure no software is out of date; detection means regularly scanning your site for outdated or already-compromised components. You can use Sitecheck for this.
- 6. Defense in depth. If you have an Intrusion Prevention System or Web Application Firewall, these can block the most common forms of XSS exploit. Treat them as an extra layer on top of patching and proper output escaping, not as a replacement for either.
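As a worked version of the "monitor your logs" step, here is an added example (not from the original post) that scans access-log lines for request targets carrying the kind of payload used against the add_query_arg() bug: an HTML tag, event handler or script smuggled into the path or query string. The log lines, the IP addresses and the indicator list are constructed for the example; tune the patterns to your own site before relying on them.

```php
<?php
// Added example; not code from the original post or from any of the tools
// it mentions. Flags access-log requests whose decoded target contains
// markup or script that a legitimate WordPress request never carries.

// Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <)
// are seen too; three rounds is enough for what attackers actually send.
function decode_target( $target ) {
    $prev = null;
    for ( $i = 0; $i < 3 && $prev !== $target; $i++ ) {
        $prev   = $target;
        $target = rawurldecode( $target );
    }
    return $target;
}

// Returns the decoded request target if the line looks like an XSS attempt,
// or null otherwise.
function flag_request( $line ) {
    // Apache/nginx combined format: "METHOD /target HTTP/x.y"
    if ( ! preg_match( '/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
        return null;
    }
    $target     = decode_target( $m[1] );
    $indicators = array(
        '/<\s*script/i',                    // <script
        '/<\s*(img|svg|iframe|body)\b/i',   // tags that carry event handlers
        '/\bon[a-z]+\s*=/i',                // onerror=, onload=, ... (may need tuning)
        '/javascript\s*:/i',                // javascript: URLs in href/src
        '/"\s*>/',                          // closing an attribute, then the tag
    );
    foreach ( $indicators as $re ) {
        if ( preg_match( $re, $target ) ) {
            return $target;
        }
    }
    return null;
}

// Returns [line number => decoded target] for every flagged line.
function scan_log( array $lines ) {
    $hits = array();
    foreach ( $lines as $n => $line ) {
        $target = flag_request( $line );
        if ( null !== $target ) {
            $hits[ $n + 1 ] = $target;
        }
    }
    return $hits;
}

// Constructed sample: two normal requests, one encoded attempt against the
// query string, one double-encoded attempt.
$sample = array(
    '203.0.113.5 - - [10/Apr/2015:12:00:01 +0000] "GET /wp-admin/admin.php?page=demo HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2015:12:00:02 +0000] "GET /wp-content/plugins/foo/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2015:12:00:03 +0000] "GET /wp-admin/admin.php?page=demo&%22%3E%3Cscript%3Ealert(1)%3C/script%3E=1 HTTP/1.1" 200 4402 "-" "curl/7.40"',
    '198.51.100.7 - - [10/Apr/2015:12:00:04 +0000] "GET /wp-admin/admin.php?page=demo&x=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4402 "-" "curl/7.40"',
);

// In production, replace $sample with file('/var/log/apache2/access.log')
// or pipe the log through this script; lines 3 and 4 are the ones reported.
foreach ( scan_log( $sample ) as $lineno => $target ) {
    echo "line $lineno: $target\n";
}
```

A 200 status on a flagged request is the worrying case: it means the page was served with the payload in it, and you should check whether the targeted plugin has been updated. Note that the same request appearing in your logs does not by itself mean a user ran the script; it means someone tried, which is still the moment to patch.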
You can use these principles to stay ahead of the game. An hour of preparation can obviate ten or more hours of serious headache. If you would like some assistance in taking these precautionary measures to ensure that your website has not been and will not be hacked, contact Networtech Consulting Group, Houston's favorite web design agency.