Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Lack of WordPress User Education Affecting Security Posture
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
3/15/2015 | 3:43:27 AM
Exploits against Wordpress-a quick look
I like the functionality of the wordpress software and use their website for a security blog.  However, I would be remiss in my duties as a security professional if I failed to mention my high concern for the quantity of exploits I see in history for this product.

I went to the Exploit Db, a site which has proven exploits available for penetration testing.  I see a few dozen pages worth of exploits between what I would say is its inception, and the vast majority of which are confirmed.   By most standards that's a large number of proven exploits.  Granted, a properly patched system is not susceptible to most, if not all of those.  Checks for patches would have to be done a very regular basis, though.

If I was running a Wordpress site, I would be huge on keeping that system patched (automatic updates if possible).  I also remember reading a couple months back that a lot of the issues are with plugins.  Me, I'd stay away from them.  A quick scan of the Exploit DB list shows many are plugin-related exploits.

Security Focus is another good site.  That'll should vulnerability information with sample programs and if patches are available.  Very neat stuff.

Stay safe! Andy
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 4:20:13 PM
Re: Treat web services like any system in the enterprise
Totally agree with you @aws0513,.While there are undoubtedly some rogue enterprise-class departments that set up their own Wordpress blogs and such, the majority of users are most likely small  businesses or individuals who have little experience about defending against security threats.Wordpress and other similar platforms should be doing more.Whether it's training, service packages or baking more protections into the product, or all of the above... I'm not sure.
User Rank: Ninja
3/12/2015 | 1:15:40 PM
Re: Treat web services like any system in the enterprise
You are correct Marilyn. 

What services like WordPress provide is an easy to implement solution platform... with just enough rope to hang a neophite with.

It is my belief the biggest cause of issues here would be small businesses that may not have the budget or resources to securely manage web services.  Many of them may be startups where only a handful of people are involved.  Small businesses see services like WordPress as an efficient solution that doesn't require an large amount of support overhead.

One has to wonder if the service providers should be providing guidance and training to customers as part of the service package.  Some service providers do have online training, but how much that training may cover in terms of security practices may vary greatly.

Wordpress just happens to be the big guy on the block.  This translates into more customers that can cause more issues with the service.  It is my opinion that other similar services may have similar security issues but these have not bubbled up because there are fewer customers.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 11:27:26 AM
Re: Treat web services like any system in the enterprise
aws0513, your points are well-taken. But given that 44 percent of respondents to the survey don't have a website or IT manager, & 3/4 of them don't have any training in WordPress that enterprise users aren't the real problem.Or am i missiing something?

User Rank: Ninja
3/11/2015 | 11:09:01 AM
Treat web services like any system in the enterprise
If your organization is using a web service of any kind, it should be handled as if it were an in house solution.
  • What purpose will the web service fullfill?
  • Will regulatory data be posted/stored on the service site?
  • If regulatory data is involved, will the service vendor attest to the location of the service systems and the protections provided to those environments (physical and logical)? Example: If the regulatory data falls under HIPAA, the systems cannot exist outside CONUS?
  • Who will "own" the service on behalf of the organization?
  • Who will maintain the service on behalf of the owner?  Are those people properly trained on how to maintain the environment in a responsible and secure manner?
  • Who will be the stewards of the service in terms of utilization standards and oversight?
  • How will access control to the environment be managed?
  • Is there any separation of duties concerns and/or capabilities with the service to help mitigate internal security risks?
  • Who will manage access control?  Are those people properly trained on the access control processes necessary to mitigate risks?
  • What contingency plans are needed to deal with loss of the service?
  • What documentation processes are necessary?  Who will be responsible for the documentation?
  • What auditing capabilities does the service provide?
  • What liability would the organization have if the service is compromised in any way?  What capabilities will the organization have to conduct investigation of incidents?
  • If there is a publicly accessible portion of the service, how can public relations functions in the organization manage public release activities in the service?
  • Has management accepted any risks identified with the organizations use of the services?

This is just a quick off the cuff list.
I am sure there are many other questions that could be developed in this effort. 
User Rank: Ninja
3/11/2015 | 6:53:25 AM
IT guy
I work with a few Wordpress sites and thankfully there's always someone around to ask if there's a potential problem. I'm glad I'm not managing them though as security headaches are not my cup of tea at all. 

Still, I make sure to practice good security for my end of things and have a monster of a difficult password for each of them. 
User Rank: Apprentice
3/11/2015 | 5:58:06 AM
WordPress itself can be vulnerable too
WordPress also has its vulnerabilities from time to time. In last November, a critical cross-site scripting vulnerability affected WordPress sites, which could enable anonymous users to compromise a site. 

This article demonstrates a practical exploit of this vulnerability. Be sure you update to 4.0.1, 3.9.3, 3.8.5, or 3.7.5 to keep everything secure.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Practical Network Security Approaches for a Multicloud, Hybrid IT World
The report covers areas enterprises should focus on for their multicloud/hybrid cloud security strategy: -increase visibility over the environment -learning cloud-specific skills -relying on established security frameworks -re-architecting the network
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-05-09
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
PUBLISHED: 2022-05-09
In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to tra...
PUBLISHED: 2022-05-08
ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
PUBLISHED: 2022-05-08
marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor.
PUBLISHED: 2022-05-08
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.