Last year, there was a lot of noise about WordPress being especially vulnerable to attacks and hacks. Not all of those reported hacks and wildfire assumptions about WordPress security were true.
Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire,” and the less basis there is in fact, the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team does is sift through things to see what’s valid or not.
…All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy, you’ll remember this is one of the main reasons I came out against sponsored themes.)
“Sponsored” WordPress Themes were banned from the official WordPress Theme Directory due to inclusion of ads, spam, and malicious links in Themes offered for free, with a hidden price. WordPress Theme scams continue and WordPress users are warned repeatedly to be cautious about downloading and using WordPress Themes without careful inspection and testing.
In the last issue of this series on “Cyber Attacks on the Rise in 2009,” I covered the current spread of the Downadup Worm Infection that uses websites to spread its evil, impacting more than 3.5 million sites worldwide. Such attacks are becoming more rare, but hackers targeting blogs are growing in numbers and resourcefulness. We must be on our guard to protect our blogs more this year than ever before.
Everything has a weak spot, and there are always people hunting for them. With a huge WordPress Community of techno-savvy coders and hackers representing some of the biggest mouths in the world (aka bloggers), word spreads fast when a vulnerability is detected, and action is taken immediately, often fixing it before the issue becomes public.
WordPress is now being used by millions of bloggers, businesses, major corporations, and governments around the world. It is in the best interest of Automattic and WordPress to keep WordPress as secure as possible.
Even so, each site is running a unique combination of WordPress Plugins and Theme code that could leave it open to security issues if you aren’t upgrading or paying attention.
How Safe is WordPress?
This doesn’t mean WordPress is safe from hackers. Many WordPress blogs were hacked last year after failing to upgrade immediately. After one major vulnerability was announced and an upgrade issued, a hacker published a list of the blogs he’d found still using the vulnerable version, claiming he would start going down the list and hacking each blog – and he did. After the first few on the list were hacked, word spread, encouraging the rest on the list, and many more, to upgrade immediately.
Many WordPress Themes and Plugins are easily authored by people with little or no experience, leaving the door open to all kinds of security issues and vulnerabilities. This is the year many are saying that better standards need to be developed to ensure Themes and Plugins are well coded to prevent such issues.
WordPress 2.7 now includes comment enhancements with password protection checks, along with security improvements over previous versions: the ability to disable password reset per user, stronger password and cookie security, better SSL and cookie handling, triple cookie security checks, configuration keys that strengthen authentication, and even HTTPS settings for security protection on WordPress.com blogs.
In “WordPress Security Predictions in 2009,” BlogSecurity says that WordPress and websites were attacked this past year by “Cross-Site Scripting, SQL injection, SQL truncation, Cookie generation weaknesses, Directory Traversal, Arbitrary File Uploads and Cross Site Request Forgery attacks,” along with many other hacks and whacks, and takes a look at what might be in store for WordPress in 2009:
- More fake backdoored WordPress sites exploiting the new WordPress upgrade feature.
- More SQL Injection and Cross-Site Scripting vulnerabilities in the core code and/or new third party codes.
- More WordPress Plugin-related attacks will result in improved secure framework for Plugin developers.
- Attacks through Automattic products and services designed to integrate into WordPress.
- Attacks against WordPress.com.
With the growing popularity of WordPress.com and WordPress, it’s inevitable these products will come under the magnifying lens of hackers, as can any blogging platform or web app. With the growing popularity of Twitter, Facebook, LinkedIn, and YouTube, they also could be the next target of an attacker in 2009.
Luckily, the WordPress Development team is forewarned and forearmed and ready to defend WordPress.
WordPress is Not Alone in the Fight to Protect Bloggers
While WordPress has been open and transparent about most of the security issues it’s faced, many think other blog platforms like Movable Type and TypePad are more secure. Not according to _ck_, who blogged that Movable Type isn’t good about reporting security issues:
Every so often I come across a comment on the web about how Movable Type “doesn’t have the security issues” that WordPress does, which really annoys me. No one likes bugs but to be misinformed about security is wrong.
The reality is this couldn’t be further from the truth – Movable Type has had at least three security issues this year but Movable Type is to blame for hiding/lying about the situation with no vulnerability reports and leaving people in the dark until they have a fix. So which is worse, warning people ahead of time there’s a vulnerability and not being petty about how it will make you look – or just not telling the users while the hackers already know how to exploit the problem?
Movable Type had several public security issues including the ‘publish post’ Security Bypass Vulnerability in January 2009, Security Update for a cross-site scripting (XSS) vulnerability in June 2008, and Security Update for blog template generation vulnerabilities in January 2008.
Anil Dash of Movable Type commented on security reports in early 2008, admitting that some security issues are handled “in house” before they ever make it to their customers or to the public, so often they are not fully reported:
Movable Type has a proven track record of having excellent security and an established reputation for fixing any known issues quickly. And that history of security is by design. We think there are some key things our community needs to know…
…Movable Type has the best security track record of any popular installable blogging software, according to the U.S. Department of Homeland Security’s own reports…When any issues have been found with Movable Type, they’ve typically been discovered through our own routine security audits, and fixed without ever having been exploited in the wild.
This isn’t an issue of which blog platform is best. All are working hard to protect their users with the resources they have available.
In the next issue in this series, I’ll offer some tips on how to protect thyself and thy blog from security vulnerabilities and hackers.