These Are The Three Most Dangerous WordPress Plugins


Last Updated August 2018

There’s good news for hackers in the WordPress world these days. WordPress site owners don’t know how to properly manage their site once it’s up and running. A huge proportion of them don’t even keep their sites up to date.

This is great news for hackers who target low-hanging fruit. WordPress is so popular that security problems, when found, are widely published online. Some popular plugins, installed on millions of websites, have had widely-known problems in the past: here are the three most hacked dangerous WordPress plugins.

Hacking is Mainstream

Online hacking is increasingly becoming a mainstream media topic. This is not surprising; hacking presents a very real danger to your WordPress website.

According to the Sucuri Website Hacked Trend Report 2016, in March 2015 Google listed 17 million compromised websites. In 2016 that figure was at 50 million.

(UPDATE 2018: You can get the more recent 2017 Sucuri report here.

UPDATE 2020: Sucuri’s 2019 report)


And, according to the HackerOne report 2018, hackers said their favourite type of product or platform to hack is … websites.

Google’s Safe Browsing page holds some interesting data if you care to delve into it. In 2016 they were detecting around 40,000 infected websites every week.

What is worrying about this trend is that

  • webmasters’ response rate in dealing with these infections has actually become much slower and
  • reinfection rates have become much higher

This points to two things:

  • Webmasters are becoming increasingly more overwhelmed with the volume of work they must deal with
  • Many webmasters have an inadequate amount of knowledge to do so effectively

I’ve mentioned the main reason for this trend before but here it is (paraphrased) from the Sucuri report:

WordPress’s ease of implementation introduces a large influx of unskilled webmasters responsible for the administration of websites.

Going on …

“75% of [infected websites] were on the WordPress platform and over 50% of those websites were out of date. Many infected websites are attacked through old security vulnerabilities in just three WordPress plugins that have not been updated.”

All great news for the hacker community. All very unwelcome news for the millions of non-technical WordPress website owners.

In this post I’ll run through the three most hacked WordPress plugins, effectively making them the most dangerous WordPress plugins. And of course, I’d be remiss if I didn’t also show you how to make them much safer against hacking.

Plugins Explained Briefly

What’s a plugin?

WordPress Plugins allow the easy modification, customization and enhancement of a WordPress website. Instead of changing the core program code of WordPress, you can add functionality with WordPress Plugins.

Here’s a basic definition:

WordPress Plugin is a program or a set of one or more functions written in the PHP scripting language. It adds a specific set of features or services to the WordPress site it’s installed on.

Source: the WordPress codex.

Programmers around the world write these plugins. They are freely available for anyone with a WordPress website to install and use on their own site.

Most of these programmers do a good job following the WordPress programming guidelines. They regularly update their plugins to add features and to fix problems.

But it’s not their job to secure your WordPress website. Ultimately, the only person responsible for that is you. Keeping the plugins on a WordPress website up to date is the job of the owner of that website!


Again, there’s good news here for hackers. Almost 40% of website owners do not apply these updates. This is how a security problem in a plugin can be active years after the programmer repaired it.

For example, remember the Panama Papers, the largest data breach in history? That attack was successful in part because of a very outdated version of one of the plugins on our list below, RevSlider.

The Three Most Dangerous WordPress Plugins

These dangerous WordPress plugins are the point of entry into a large proportion of hacked WordPress websites.

NOTE
These plugins are not inherently dangerous. The programmers generally do a very good job of keeping the plugins updated and secure. The problem stems from their widespread use and the failure of website owners to keep them updated.

(Another example of the impact of failing to update is the WordPress hacking spree of February 2017. More recently, a malware campaign used problems in an outdated version of WordPress.)

1. RevSlider

Slider Revolution is the #1 Selling Responsive WordPress Slider Plugin. It’s installed on over 4 million WordPress sites.


RevSlider has quite a history of vulnerabilities in WordPress:

The RevSlider guys seem to take security seriously; their code is regularly reviewed by security experts.

But there’s not much they can do to force 4 million people to update their software.

2. Gravity Forms

Gravity Forms for WordPress is a full featured contact form plugin. It features a drag and drop interface, advanced notifications, lead capture, conditional logic and more.

Again, the developers seem to do a reasonable job of helping discover security problems.
https://www.gravityhelp.com/documentation/article/security/
https://www.gravityhelp.com/documentation/article/what-to-do-if-you-suspect-a-security-issue/

But yet again, Gravity Forms has a history of security problems in WordPress:
https://www.wordfence.com/blog/2016/10/revslider-mailpoet-gravityforms-exploits-bypass-cloudflare-waf/
https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html

3. TimThumb

TimThumb was a simple PHP script for resizing images on a WordPress website.

The problem here was that third-party theme creators often embedded it in their themes. Most WordPress users aren’t even aware they are using it. Any theme that has been customized incorrectly (i.e., without using a child theme) cannot simply be updated without losing those changes, so users are reluctant to update the code.

The creator of TimThumb no longer maintains it and clearly feels a sense of guilt over all of these problems his script has had.

Despite this, many sites and themes are still using it.

History
https://ma.tt/2011/08/the-timthumb-saga/
https://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html
https://wptavern.com/wordpress-security-alert-new-zero-day-vulnerability-discovered-in-timthumb-script
https://woocommerce.com/2014/12/goodbye-timthumb-thanks-memories/

Interestingly, two of these plugins are premium plugins, i.e. plugins that must be paid for. Perhaps their prevalence in hack attacks is indicative of their widespread use? Or perhaps it’s indicative of a poor update notification process? I don’t know as I don’t use any of the above plugins but it’s something the developers could address.

Here’s The Funny Thing …

The problems hackers are exploiting in these plugins? They’ve all been fixed!

But that doesn’t matter because people aren’t updating their software!

TimThumb has had a fix for 6 years! Yet lots of WordPress users have not updated their plugins in that time!

Sucuri sums up the whole sordid mess beautifully (paraphrased):

The leading cause of compromises in today’s websites is out of date software. Vulnerabilities in that software, specifically in its extensible components (i.e. plugins), are exploited by hackers.

The ideas of patch and vulnerability management are not new concepts in the world of security or technology. But in the world of everyday business operations, for non-technical staff, they are.

As the technical aptitude required to have a website drops, the inverse will be seen in attacks. (Attacks will increase as they are dependent on its weakest link, the webmaster).

There is a sharp drop off in the knowledge required to have a website. This is breeding the wrong mindset with website owners and service providers. This leads to a rude awakening for website owners. Established entities, like Google, take a hard stance against malicious websites.

Wrapping It Up

If you’ve ever read anything else on this site you’ll know the simple solution to this entire problem. I preach it all the time.

Update your website regularly!

As I mentioned above, these plugins are not dangerous in themselves. There’s no reason you shouldn’t use them. All you have to do is to make sure you keep them up to date.

Simple.
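The advice above only works if you know what is installed and how old it is, and the TimThumb section shows why that is not always obvious: a script copied into a theme folder never shows up on the Plugins page. The audit below is an added example written for this post, not code from the article, WordPress, or any of the plugin vendors. It parses the standard WordPress plugin header (the `Plugin Name:` / `Version:` comment at the top of a plugin’s main file), looks for theme-embedded copies of `timthumb.php` and reads their `define('VERSION', ...)` line, then compares each version against a table of minimum acceptable versions. The sample file tree, the plugin slugs and every version number in it are constructed for illustration; the real minimums must come from the vendors’ own changelogs and advisories.

```python
"""Audit a WordPress install for outdated plugins and theme-embedded TimThumb copies.

Added example for this article; not part of WordPress or any plugin. All sample
paths and version numbers below are constructed, not real fix versions.
"""
import re
from pathlib import Path, PurePosixPath

# Matches "Plugin Name: X" / "Version: X" lines inside the plugin header comment,
# with or without the leading " * " used in docblock-style headers.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)
# TimThumb declares its own version with a PHP define (assumption about its source layout).
TIMTHUMB_VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")


def version_key(version):
    """Turn '2.8.14' into (2, 8, 14); non-numeric segments such as 'beta' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version.strip()))


def is_older(found, minimum):
    """True when `found` sorts below `minimum`, padding shorter tuples with zeros (2.8 == 2.8.0)."""
    a, b = version_key(found), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def parse_plugin_header(text):
    """Return the header fields of a plugin main file, or None if the file has no header."""
    fields = dict(HEADER_RE.findall(text[:8192]))  # WordPress itself only reads the first 8 KB
    return fields if "Plugin Name" in fields else None


def _finding(component, path, version, minimum_safe):
    minimum = minimum_safe.get(component)
    outdated = bool(minimum and version and is_older(version, minimum))
    return {"component": component, "path": path, "version": version,
            "minimum": minimum, "outdated": outdated}


def audit(files, minimum_safe):
    """files: mapping of path relative to the WordPress root -> file text.

    Returns one finding per detected component (plugins by slug, plus 'timthumb')."""
    findings = []
    for path, text in files.items():
        parts = PurePosixPath(path).parts
        name = PurePosixPath(path).name.lower()
        # Regular plugins live in wp-content/plugins/<slug>/ and carry a header comment.
        if len(parts) >= 3 and parts[:2] == ("wp-content", "plugins") and name.endswith(".php"):
            header = parse_plugin_header(text)
            if header:
                findings.append(_finding(parts[2], path, header.get("Version", ""), minimum_safe))
        # TimThumb is usually copied into a theme rather than installed as a plugin,
        # so look for it anywhere in the tree, by file name or by a mention in the file.
        if name in ("timthumb.php", "thumb.php") or "timthumb" in text[:4096].lower():
            match = TIMTHUMB_VERSION_RE.search(text)
            findings.append(_finding("timthumb", path, match.group(1) if match else "", minimum_safe))
    return findings


def outdated_components(files, minimum_safe):
    """Sorted list of component slugs that are below their minimum acceptable version."""
    return sorted({f["component"] for f in audit(files, minimum_safe) if f["outdated"]})


def load_tree(root):
    """Read every .php file under a real WordPress root into the mapping audit() expects."""
    root = Path(root)
    files = {}
    for php in root.rglob("*.php"):
        try:
            files[php.relative_to(root).as_posix()] = php.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole audit
    return files


# Constructed sample install: two plugins and a theme that bundles its own TimThumb copy.
SAMPLE_FILES = {
    "wp-content/plugins/example-form/example-form.php":
        "<?php\n/*\nPlugin Name: Example Form\nVersion: 1.8.0\n*/\n",
    "wp-content/plugins/example-slider/example-slider.php":
        "<?php\n/**\n * Plugin Name: Example Slider\n * Version: 4.2.0\n */\n",
    "wp-content/themes/example-theme/lib/timthumb.php":
        "<?php\n/* TimThumb copy bundled by the theme (constructed sample) */\n"
        "define ('VERSION', '2.8.10');\n",
    "wp-content/themes/example-theme/functions.php": "<?php\n// theme functions\n",
}
# Constructed minimums for the sample; replace with the vendors' published fixed versions.
SAMPLE_MINIMUMS = {"example-form": "1.8.0", "example-slider": "5.0.0", "timthumb": "2.8.14"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES, SAMPLE_MINIMUMS):
        status = "OUTDATED" if finding["outdated"] else "ok"
        print(f"{status:8} {finding['component']:15} {finding['version'] or '?':8} "
              f"(minimum {finding['minimum'] or 'unknown'})  {finding['path']}")
```

Run it as-is to see the sample report, or call `audit(load_tree("/var/www/html"), your_minimums)` against a real install. The TimThumb check is deliberately looser than the plugin check (file name or a mention in the first few kilobytes) because the script is renamed and moved by theme authors; treat a hit with an empty version as something to inspect by hand rather than ignore.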

What Did I Miss?

Do you use one of these dangerous and vulnerable WordPress plugins on your WordPress site? Have they caused problems?

Did I miss any major vulnerable or dangerous WordPress plugins? Let me know in the comments and if you found this article useful please share it freely.