WordPress, as prevalent as it is, running a massive 43% of the websites on the internet, will always have baddies poking a prodding for ways to put their malicious code/redirects/links/spam/emailing on our lovely blogging sites. We see this in our server logs daily and hundreds, if not thousands, of WordPress plugin vulnerabilities each year. Still, the ones that always strike and stand out to me are the supposed WordPress security plugins with gaping security flaws.
This month we are looking at the popular HTTP Headers plugin. Now this plugin is supposed to increase your WordPress security by allowing WordPress site administrators to set their HTTP headers which help secure your website/application. Available to set in the plugin interface, but not limited to, are the following:
- Access-Control-Allow-Origin
- Access-Control-Allow-Credentials
- Access-Control-Max-Age
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- Access-Control-Expose-Headers
- Age
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Cache-Control
- Content-Encoding
- Content-Type
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- Strict-Transport-Security
Keep updated with the latest from Pipe Ten by subscribing below.
These headers protect from some of the most common attacks and hacks on websites, mainly the Content-Security-Policy, which ironically would help protect against one of the XSS (Cross-site scripting) attacks to which this plugin was vulnerable. Before the most recent update, there was a vast hole allowing arbitrary data to be written to arbitrary files, leading to an RCE (Remote Code Execution) vulnerability and essentially allowing an attacker to upload a remote shell script and have complete control over the site.
With over 40,000 active installations, it’s not the most extensive vulnerable plugin we’ve seen in the last month. However, it is a security plugin with severe security issues in the previous five releases. It does make you wonder about the benefit of using this plugin over a simple .htaccess file or an Nginx server block.
I’m happy to say the developer seems to be pretty quick to act on the issues, which are now fixed in version 1.18.11.
Author: Jamie Moynahan
Jamie is the Support Manager at Pipe Ten, being an integral part of the team for well over 10 years. Jamie is a seasoned expert with the intricacies in the fast changing world of website application hosting. His expansive knowledge of and experience of hosting website applications is instrumental to the entire customer support experience which customers members have come to rely on. Jamie has written and published hundreds of articles about hosting and managing website applications.