Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Lack of WordPress User Education Affecting Security Posture
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
3/15/2015 | 3:43:27 AM
Exploits against Wordpress-a quick look
I like the functionality of the wordpress software and use their website for a security blog.  However, I would be remiss in my duties as a security professional if I failed to mention my high concern for the quantity of exploits I see in history for this product.

I went to the Exploit Db, a site which has proven exploits available for penetration testing.  I see a few dozen pages worth of exploits between what I would say is its inception, and the vast majority of which are confirmed.   By most standards that's a large number of proven exploits.  Granted, a properly patched system is not susceptible to most, if not all of those.  Checks for patches would have to be done a very regular basis, though.

If I was running a Wordpress site, I would be huge on keeping that system patched (automatic updates if possible).  I also remember reading a couple months back that a lot of the issues are with plugins.  Me, I'd stay away from them.  A quick scan of the Exploit DB list shows many are plugin-related exploits.

Security Focus is another good site.  That'll should vulnerability information with sample programs and if patches are available.  Very neat stuff.

Stay safe! Andy
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 4:20:13 PM
Re: Treat web services like any system in the enterprise
Totally agree with you @aws0513,.While there are undoubtedly some rogue enterprise-class departments that set up their own Wordpress blogs and such, the majority of users are most likely small  businesses or individuals who have little experience about defending against security threats.Wordpress and other similar platforms should be doing more.Whether it's training, service packages or baking more protections into the product, or all of the above... I'm not sure.
User Rank: Ninja
3/12/2015 | 1:15:40 PM
Re: Treat web services like any system in the enterprise
You are correct Marilyn. 

What services like WordPress provide is an easy to implement solution platform... with just enough rope to hang a neophite with.

It is my belief the biggest cause of issues here would be small businesses that may not have the budget or resources to securely manage web services.  Many of them may be startups where only a handful of people are involved.  Small businesses see services like WordPress as an efficient solution that doesn't require an large amount of support overhead.

One has to wonder if the service providers should be providing guidance and training to customers as part of the service package.  Some service providers do have online training, but how much that training may cover in terms of security practices may vary greatly.

Wordpress just happens to be the big guy on the block.  This translates into more customers that can cause more issues with the service.  It is my opinion that other similar services may have similar security issues but these have not bubbled up because there are fewer customers.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
3/12/2015 | 11:27:26 AM
Re: Treat web services like any system in the enterprise
aws0513, your points are well-taken. But given that 44 percent of respondents to the survey don't have a website or IT manager, & 3/4 of them don't have any training in WordPress that enterprise users aren't the real problem.Or am i missiing something?

User Rank: Ninja
3/11/2015 | 11:09:01 AM
Treat web services like any system in the enterprise
If your organization is using a web service of any kind, it should be handled as if it were an in house solution.
  • What purpose will the web service fullfill?
  • Will regulatory data be posted/stored on the service site?
  • If regulatory data is involved, will the service vendor attest to the location of the service systems and the protections provided to those environments (physical and logical)? Example: If the regulatory data falls under HIPAA, the systems cannot exist outside CONUS?
  • Who will "own" the service on behalf of the organization?
  • Who will maintain the service on behalf of the owner?  Are those people properly trained on how to maintain the environment in a responsible and secure manner?
  • Who will be the stewards of the service in terms of utilization standards and oversight?
  • How will access control to the environment be managed?
  • Is there any separation of duties concerns and/or capabilities with the service to help mitigate internal security risks?
  • Who will manage access control?  Are those people properly trained on the access control processes necessary to mitigate risks?
  • What contingency plans are needed to deal with loss of the service?
  • What documentation processes are necessary?  Who will be responsible for the documentation?
  • What auditing capabilities does the service provide?
  • What liability would the organization have if the service is compromised in any way?  What capabilities will the organization have to conduct investigation of incidents?
  • If there is a publicly accessible portion of the service, how can public relations functions in the organization manage public release activities in the service?
  • Has management accepted any risks identified with the organizations use of the services?

This is just a quick off the cuff list.
I am sure there are many other questions that could be developed in this effort. 
User Rank: Ninja
3/11/2015 | 6:53:25 AM
IT guy
I work with a few Wordpress sites and thankfully there's always someone around to ask if there's a potential problem. I'm glad I'm not managing them though as security headaches are not my cup of tea at all. 

Still, I make sure to practice good security for my end of things and have a monster of a difficult password for each of them. 
User Rank: Apprentice
3/11/2015 | 5:58:06 AM
WordPress itself can be vulnerable too
WordPress also has its vulnerabilities from time to time. In last November, a critical cross-site scripting vulnerability affected WordPress sites, which could enable anonymous users to compromise a site. 

This article demonstrates a practical exploit of this vulnerability. Be sure you update to 4.0.1, 3.9.3, 3.8.5, or 3.7.5 to keep everything secure.

Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...