WordPress Security – Security Boulevard



The internet has revolutionized how people communicate and do business around the globe. Beginning in 2005, the internet became so widespread that almost all businesses began to have a presence online, most notably through a website. Although social media outlets such as Facebook, Twitter, and Instagram have become necessary additions to business marketing, websites are still the backbone of a business’s presence online. Businesses can be grouped in three main ways: brick-and-mortar stores, which offer customers a physical location to do business; virtual businesses, which operate entirely online; and hybrids, which offer customers both in-store and online options. According to thrivemyway.com, more clients and customers are doing business online than offline (thrivemyway.com 2022). In fact, with the low startup costs required to start a virtual business, it is now easier than ever for people to engage in entrepreneurship.
Some of the most popular online business ideas include dropshipping, e-commerce, blogging, education, and consulting. However, this boom in online business has led to an even bigger surge in demand for marketers, programmers, graphic designers, web designers, web hosting platforms, and content management systems: the businesses that make virtual business possible for the masses, and that themselves need websites in order to market themselves, sell products and services, and operate in a virtual world.
Content management systems (CMS) make it easier for entrepreneurs to create websites. Many offer web hosting services, as well as popular web design templates that can be easily customized to a customer’s preferences. The web design templates work on both desktops and mobile devices and can include plugins that offer photo and video galleries and virtual bots to answer questions. Plugins can even be used to process payments and manage shipping and inventory. Content management systems have simplified web hosting and design and make it possible for nearly anyone to create their own website. What used to take days or months and required advanced knowledge of programming can now be accomplished in a matter of hours by anyone with basic knowledge of a computer.
Some of the most popular content management systems and web hosting platforms include Wix, Shopify, Joomla, Drupal, Squarespace, and WordPress, with WordPress being by far the most popular option. According to w3techs.com, WordPress has a CMS market share of 64.2% and is used by nearly 43% of all websites (w3techs.com 2022).
WordPress is a free, open-source content management system (CMS), meaning that the program itself is free to use, and that the software, which is written in PHP, is also free to copy, study, and change, encouraging others to edit and improve it (WordPress.org 2022)(gnu.org 2022). Although the program itself is free, it requires a domain name (web address) and an Internet hosting service, a datacenter that stores the website’s files and uses a server to connect it to the internet; that service is not free.
WordPress was originally developed as a blog-publishing system like Open Diary and LiveJournal, sites that publish a user’s posts in reverse chronological order. WordPress uses a system of templates, known internally as “themes,” which let users choose the site’s structure and appearance. Users then install plugins to add features such as contact forms, analytics software, payment processing, advanced security features, and more. As of 2022, there are over 59,000 different plugins to choose from (WordPress 2022). Many plugins, also called “extensions,” are free to use; others range from $19 to $500, and some require subscription services with recurring payments (kinsta.com 2021).
The popularity of WordPress as a powerful tool for web production has also made it a target for hackers. Since 2007, WordPress has faced numerous cyber security attacks, both through the software itself and through its plugins, which, due to the architecture of WordPress, can leave sites vulnerable to SQL injection. According to a 2012 article by Microsoft titled “SQL Injection,” “SQL injections insert malicious code into user-input variables that are concatenated with SQL commands and executed into strings that are later passed to an instance of SQL Server.” The article goes on to say that less direct attacks inject “malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.” In short, an attacker uses user-input forms both to insert new commands and to make the database ignore the rest of the original command by adding comment marks to the query (Microsoft 2012).
In fact, any part of a site that allows a user to submit data is susceptible to SQL injection, from contact forms and comment sections to quizzes. SQL injection allows attackers to access databases containing sensitive information and even to modify existing code. For example, in 2016, a group of Russian hackers used SQL injection to obtain sensitive information about US voters, including names, addresses, and Social Security numbers (Rodriguez 2022).
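The mechanism the Microsoft article describes, shown as an added example rather than code from the post or from WordPress: the same lookup written once by concatenating the submitted value into the SQL text and once with the value passed as a bound parameter. It runs against an in-memory SQLite table with constructed rows; in WordPress the bound-parameter form is `$wpdb->prepare()` with `%s` / `%d` placeholders rather than sqlite3's `?`.

```python
"""Concatenated SQL versus a bound parameter, on constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.invalid"), (2, "bob", "bob@example.invalid")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, login: str) -> list:
    """VULNERABLE: the submitted value becomes part of the SQL text, so a quote
    in it ends the string literal and whatever follows is parsed as SQL.
    This is the pattern to flag in code review, not one to ship."""
    sql = "SELECT login, email FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, login: str) -> list:
    """HARDENED: the value travels separately from the statement and is only
    ever compared as data; quotes and comment marks in it have no SQL meaning."""
    sql = "SELECT login, email FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def contrast(login: str) -> dict:
    """Run both forms on the same input so the behaviours can be compared."""
    conn = make_db()
    return {"unsafe": lookup_unsafe(conn, login), "safe": lookup_safe(conn, login)}


if __name__ == "__main__":
    # Ordinary input: both forms agree.
    print(contrast("alice"))
    # A quote plus an always-true clause: the unsafe form returns every row.
    print(contrast("x' OR '1'='1"))
    # A quote plus a comment mark: the rest of the original statement is ignored,
    # which is the "ignore old commands" behaviour the post describes.
    print(contrast("alice' --"))
```

Escaping the input by hand is not an equivalent fix: the bound-parameter form works because the value never reaches the SQL parser at all, which is also why `$wpdb->prepare()` is the recommended WordPress pattern rather than string assembly.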
According to Threadwatch.org, a 2007 study revealed that 98% of WordPress sites were running outdated and unsupported versions of the software and were vulnerable to attack. The study used 50 randomly selected sites and found that 49 out of 50 were vulnerable (Threadwatch.org 2007). In December 2008, WordPress introduced a “one-click” software update to make it easier for users to update their software and thus be protected against security threats. The article titled “Yet another WordPress release” cites the software’s openness as both a blessing and a curse:

“In general, the fact that security issues and bugs in WordPress are discovered and patched quickly is a testament to the agility of its community. This is partly because it’s open-source, so it’s easy to find and fix bugs (no security by obscurity here); and also due to the fact that so many people use the software.”


The article goes on to say that “WordPress is so popular and so open, leaks are often discovered and massively exploited by black hats even faster than they can be fixed. I’ve seen plenty of hijacked WordPress blogs” (realstorygroup.com 2009).

In a 2007 interview, the founder of the PHP Security Response Team, Stefan Esser, stated that while doing research on charset problems in web applications, he found an injection vulnerability in WordPress’s PHP code.

“I was scanning several PHP applications for their usage of charset functionality and ended up in the WordPress trackback code. When I saw how WordPress accepted arbitrary charsets and decoded data just before using it in database queries I knew immediately that UTF7 could be used to get an SQL injection through. Exploiting this is not difficult, but the naive approach to exploit the trackback injection is very noisy and will result in a lot of emails being sent to admin. If you look at the code of my exploit that was shared with the WordPress authors and was later on milw0rm.com, you will see that I used some tricks to get around this problem. So the basic exploit was simple, but doing it silently was not.”

Esser goes on to say that WordPress downplayed the seriousness of the security threat, and that when the updated software was finally released, WordPress failed to notify users of the new security fix. Instead, WordPress silently updated the software several hours later, leaving many users thinking that their software was up to date when in fact they were unknowingly vulnerable to attack.

He goes on to say that:

“WordPress is a software for end users with low or no technical know-how. Of course there are also admins and developers using it, but the majority of WordPress users do not read security mailing lists. They will usually not know about all the security flaws that were found. And I am sure the majority of them will just upgrade if they learn about the security update and do not think much about it. The majority do not care about these vulnerabilities until their own blogs get hacked, and even then, they might simply reinstall and start over. That said, I believe that the security holes in WordPress might scare some developers/admins away but the majority of its users will continue to use it.”

Esser concludes by saying:

“I don’t know too many WordPress alternatives. Basically, for me, there is just Serendipity/S9Y. In my opinion, the Serendipity code quality is better than the WordPress code quality, but Serendipity is simply not as user-friendly.”

In a 2013 article titled “Popular WordPress E-Commerce Plugins Riddled With Security Flaws,” Robert Westervelt writes that Israeli application security firm Checkmarx found that 70% of the most popular e-commerce plugins contain SQL injection and cross-site scripting vulnerabilities. Checkmarx founder and CTO Maty Siman says that “Every developer can upload their plugin to the WordPress.org market, and any user can download that plugin with no security assurance process in place.” Siman goes on to say that “In certain cases, you can exploit a vulnerability to get full access control to the hosting server, and in many cases, you can get access to other WordPress sites hosted on the same server.” (Westervelt 2013)
WordPress has not changed the architecture of its software, but it has developed many strategies to protect users from SQL injection attacks. According to an article by Samantha Rodriguez titled “How to Prevent SQL Injection Attack in WordPress,” one of the most important ways to prevent an attack is to update both the WordPress core and plugin software regularly (Rodriguez 2022). The popularity of WordPress makes it a favorite target for hackers, and although programmers have tools to find cracks in security, unfortunately, so do the hackers. Hackers and programmers are engaged in a continuous arms race to attack and defend users’ websites, so the most important step a user can take is to regularly update both WordPress and the installed plugins.
WordPress has also taken steps to protect sensitive data through encryption. Encryption converts the original data, or plaintext, into an alternative form known as ciphertext, a coded text that can only be read by authorized users. Although encryption doesn’t stop hackers, it prevents them from reading and understanding sensitive information. This matters because your site will be held responsible if hackers are able to access and decipher sensitive customer data.
Another important point is to be wary of unpopular plugins. According to Jaime Juviler, in her article “13 WordPress Security Issues & Vulnerabilities You Should Know About,” plugins are responsible for 97% of vulnerabilities; one should be wary of unpopular plugins that may not have the resources to regularly find and fix potential software flaws (Juviler 2021).
Some other options to protect your site include installing security plugins and adding a firewall. Samantha Rodriguez recommends the All In One WP Security & Firewall plugin. The plugin protects your site against phishing, a technique in which an attacker sends fraudulent messages or emails designed to deceive a person into revealing sensitive information or downloading malware. The emails or messages may resemble legitimate ones and convince a user that they urgently need to follow a link to secure their site, stop a payment, prevent account closure, and so on. The phisher sends messages repeatedly, hoping that a system or user will bite. The All In One WP Security & Firewall plugin includes a firewall that blocks IP addresses that cause too many 404 errors, which it presents as protection against phishing practices (Rodriguez 2022).
I also found “The Ultimate WordPress Security Guide – Step by Step” to be a helpful resource for securing your WordPress site. It recommends simple changes that can drastically improve the security of a WordPress site. For example, simply changing the default username from admin to a custom username can limit brute force attacks by forcing the attacker to guess both the username and the password (wpbeginner.com 2022).
The guide also recommends switching off the built-in code editor. The code editor allows you to edit theme and plugin files in the admin area, a feature most sites do not need and one that adds security risk (wpbeginner.com 2022).
One of the simplest and most important security measures you can take is to limit login attempts. The default WordPress setting lets users make as many login attempts as they want, which invites would-be hackers who use brute force attacks to guess passwords; by limiting the number of login attempts, one can block these brute force attacks and be notified when they occur. According to “The Ultimate WordPress Security Guide – Step by Step,” the easiest solution is to install a firewall together with the “Login Lockdown” plugin (wpbeginner.com 2022).
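Both the 404 rule attributed to All In One WP Security & Firewall above and the login-attempt limit described here are threshold rules over a short time window, so one added example covers both. This is not code from the post or from either plugin it names: it parses constructed combined-format access log lines, counts 404s per address to decide which addresses to block, and separately tracks failed logins per address with a lockout and a notification callback. The thresholds, window lengths and lockout duration are assumptions to tune per site.

```python
"""Two sliding-window threshold rules: 404 blocking and login lockout."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample access log, in chronological order as a real log file is.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2022:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2022:13:55:40 +0000] "GET /page-1 HTTP/1.1" 404 0 "-" "curl/7.0"',
    '198.51.100.9 - - [10/Oct/2022:13:55:41 +0000] "GET /page-2 HTTP/1.1" 404 0 "-" "curl/7.0"',
    '203.0.113.5 - - [10/Oct/2022:13:55:42 +0000] "GET /missing.png HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2022:13:55:43 +0000] "GET /page-3 HTTP/1.1" 404 0 "-" "curl/7.0"',
]


def parse_line(line: str):
    """Return ip, unix time and status for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "time": int(ts.timestamp()), "status": int(m["status"])}


class SlidingWindowCounter:
    """Counts events per key that happened inside the last `window_seconds`."""

    def __init__(self, window_seconds: int):
        self.window = window_seconds
        self._events = defaultdict(deque)

    def add(self, key: str, now: int) -> int:
        q = self._events[key]
        q.append(now)
        while q and now - q[0] >= self.window:  # drop events that left the window
            q.popleft()
        return len(q)

    def reset(self, key: str) -> None:
        self._events.pop(key, None)


def ips_to_block_for_404s(log_lines, threshold: int = 20, window_seconds: int = 60) -> set:
    """Rule 1: addresses that produced `threshold` 404s within any `window_seconds` span."""
    counter = SlidingWindowCounter(window_seconds)
    blocked = set()
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        if counter.add(rec["ip"], rec["time"]) >= threshold:
            blocked.add(rec["ip"])
    return blocked


class LoginLimiter:
    """Rule 2: lock an address out after `max_failures` failed logins in the window."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900, notify=None):
        self._counter = SlidingWindowCounter(window_seconds)
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.notify = notify  # callable(ip, now): the "be notified" part of the rule
        self._locked_until = {}

    def is_locked(self, ip: str, now: int) -> bool:
        until = self._locked_until.get(ip)
        if until is not None and now < until:
            return True
        self._locked_until.pop(ip, None)  # lockout has expired
        return False

    def record_failure(self, ip: str, now: int) -> bool:
        """Call on every failed login; returns True when this failure starts a lockout."""
        if self._counter.add(ip, now) < self.max_failures:
            return False
        self._locked_until[ip] = now + self.lockout
        self._counter.reset(ip)
        if self.notify is not None:
            self.notify(ip, now)
        return True

    def record_success(self, ip: str) -> None:
        self._counter.reset(ip)
```

Keying both rules on the client address is what the plugins described above do; behind a shared NAT or a CDN that means one noisy client can lock out its neighbours, so in practice the login rule is often keyed on address plus username and the source address is taken from a trusted proxy header rather than the socket.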
Finally, the guide recommends adding two-factor authentication, which requires users to log in using a two-step method. This has become a popular cyber security technique not just for WordPress but for WhatsApp, Gmail, Facebook, and others. The technique requires users to first enter their username and password, then use a separate device or application to verify the login attempt. It is the same technique credit card companies use to confirm potentially fraudulent purchases through text message or email. To activate two-factor authentication for WordPress, download the two-factor authentication plugin and then click the ‘Two Factor Auth’ link in the admin sidebar of your WordPress account (wpbeginner.com 2022).
Whether we like it or not, WordPress is here to stay. Although many are critical of the security of the PHP language it is written in, it is one of the cheapest, most widespread, and most user-friendly web development tools available. Although there have been some hiccups along the way, WordPress has successfully responded to cyber attacks by updating its software and developing plugins to boost security. There is no end-all-be-all solution to the security threats, and the best option is to remain diligent by staying up to date with the various plugins and updates to ensure your WordPress site is as secure as possible.
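The two-step login described above, as an added example that is neither the post's code nor the two-factor plugin's: the password is checked first, and only then is the code from the user's separate device checked. It assumes the device is an authenticator app using TOTP (RFC 6238, built on HOTP, RFC 4226), which is what most such apps implement; the post itself does not say which mechanism the plugin uses. The user record and secret are constructed sample data, and the RFC's published test secret is used so the code values can be checked against the standard.

```python
"""Password step followed by a TOTP second factor (RFC 6238 / RFC 4226)."""
import hashlib
import hmac
import os


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, drift_steps: int = 1) -> bool:
    """Accept the current step plus/minus `drift_steps` neighbours to tolerate clock
    skew between server and device; compare in constant time so response timing
    does not reveal how many digits matched."""
    counter = unix_time // step
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            ok = True
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; constructed iteration count for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record as it would be stored after enrolment."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def two_step_login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Step 1: password. Step 2: code from the separate device. Both must pass.
    The caller should show one generic failure message for either step and keep
    the distinction only in server-side logs."""
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    return verify_totp(user["totp_secret"], code, unix_time)
```

A server that accepts a code also needs to remember the last time step it accepted for that user and refuse a repeat within the drift window; otherwise a code captured in transit stays usable for about a minute.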

Works Cited:

Esser, Stefan. “Interview with Stefan Esser.” DK, 28 June 2007, web.archive.org/web/20121013080700/http://blogsecurity.net/wordpress/interview-280607

Juviler, Jaime. “14 WordPress Security Issues & Vulnerabilities You Should Know About.” 15 December 2021, https://blog.hubspot.com/website/wordpress-security-issues

Microsoft. “SQL Injection.” microsoft.com, 10 April 2012.

Rodriguez, Samantha. “How to Prevent SQL Injection Attack in WordPress.” 2 February 2022, wpengine.com/resources/prevent-sql-injection-attack-wordpress/

“The Ultimate WordPress Security Guide – Step by Step.” 24 January 2022, wpbeginner.com/wordpress-security.

Westervelt, Robert. “Popular WordPress E-Commerce Plugins Riddled With Security Flaws.” CRN.com, 18 June 2013.

The post WordPress Security appeared first on Cyber 72.

*** This is a Security Bloggers Network syndicated blog from Cyber 72 authored by saka. Read the original post at: https://www.cyber72.com/wordpress-security/

