History of Vulnerabilities in WORDPRESS
The canvas fingerprinting warning is typically given by Tor Browser for WordPress-based websites. As of WordPress 5.2, the minimum PHP version requirement is PHP 5.6, which was released on August 28, 2014, and which has been unsupported by the PHP Group and not received any security patches since December 31, 2018. Thus, WordPress recommends using PHP version 7.3 or greater. In the absence of specific alterations to their default formatting code, WordPress-based websites use the canvas element to detect whether the browser is able to correctly render emoji. Because Tor Browser does not currently discriminate between this legitimate use of the Canvas API and an effort to perform canvas fingerprinting, it warns that the website is attempting to 'extract HTML5 canvas image data. Ongoing efforts seek workarounds to reassure privacy advocates while retaining the ability to check for proper emoji rendering capability.
Vulnerabilities Many security issues have been uncovered in the software, particularly in 2007, 2008, and 2015. According to Secunia, WordPress in April 2009 had seven unpatched security advisories (out of 32 total), with a maximum rating of "Less Critical". Secunia maintains an up-to-date list of WordPress vulnerabilities.
In January 2007, many high-profile search engine optimization (SEO) blogs, as well as many low-profile commercial blogs featuring AdSense, were targeted and attacked with a WordPress exploit.
A separate vulnerability on one of the project site's web servers allowed an attacker to introduce exploitable code in the form of a back door to some downloads of WordPress 2.1.1. The 2.1.2 release addressed this issue; an advisory released at the time advised all users to upgrade immediately.
In May 2007, a study revealed that 98% of WordPress blogs being run were exploitable because they were running outdated and unsupported versions of the software.
In part to mitigate this problem, WordPress made updating the software a much easier, "one click" automated process in version 2.7 (released in December 2008). However, the filesystem security settings required to enable the update process can be an additional risk.
In a June 2007 interview, Stefan Esser, the founder of the PHP Security Response Team, spoke critically of WordPress' security track record, citing problems with the application's architecture that made it unnecessarily difficult to write code that is secure from SQL injection vulnerabilities, as well as some other problems.
In June 2013, it was found that some of the 50 most downloaded WordPress plugins were vulnerable to common Web attacks such as SQL injection and XSS. A separate inspection of the top-10 e-commerce plugins showed that seven of them were vulnerable.
In an effort to promote better security, and to streamline the update experience overall, automatic background updates were introduced in WordPress 3.7.
Individual installations of WordPress can be protected with security plugins that prevent user enumeration, hide resources and thwart probes.
Users can also protect their WordPress installations by taking steps such as keeping all WordPress installations, themes, and plugins updated, using only trusted themes and plugins, and editing the site's .htaccess configuration file if supported by the webserver to prevent many types of SQL injection attacks and block unauthorized access to sensitive files.
It is especially important to keep WordPress plugins updated because would-be hackers can easily list all the plugins a site uses, and then run scans searching for any vulnerabilities against those plugins.
If vulnerabilities are found, they may be exploited to allow hackers to, for example, upload their own files (such as a web shell) that collect sensitive information.
Developers can also use tools to analyze potential vulnerabilities, including WPScan, WordPress Auditor and WordPress Sploit Framework developed by 0pc0deFR. These types of tools research known vulnerabilities, such as a CSRF, LFI, RFI, XSS, SQL injection and user enumeration.
However, not all vulnerabilities can be detected by tools, so it is advisable to check the code of plugins, themes and other add-ins from other developers. In March 2015, it was reported that the Yoast SEO plugin was vulnerable to SQL injection, allowing attackers to potentially execute arbitrary SQL commands.
The issue was fixed in version 1.7.4 of the plugin. In January 2017, security auditors at Sucuri identified a vulnerability in the WordPress REST API that would allow any unauthenticated user to modify any post or page within a site running WordPress 4.7 or greater.
The auditors quietly notified WordPress developers, and within six days WordPress released a high-priority patch to version 4.7.2, which addressed the problem.