The front page of CERT/CC, the Carnegie Mellon Software Engineering Institute and cyber security experts, looks back at 2008 as the 20th anniversary of the Morris worm, sometimes called the “Great Worm,” which crippled the Internet in 1988. Created by Robert Morris, now an associate professor at MIT, it was one of the first computer worms to infect the brand new Internet, exploiting known vulnerabilities and causing millions in damages. It also was the first conviction in the United States as part of the 1986 Computer Fraud and Abuse Act.
Years ago, a friend of mine worked for Boeing IT and taught many company workshops and training programs that began with an amusing lecture on “Safe Computer Sex.” She taught fellow employees to take care when flipping floppies to avoid transferring computer program infections across the network. How far we have come from those days.
As our dependence upon the web increased with email communication, spammers, hackers and attackers spread evil through your email inbox. Now, they are attacking our websites, social media tools, and web browsers.
Microsoft announced recently security issues with the Internet Explorer web browser and the dangers of visiting websites that could exploit that security vulnerability. Many warned to not use Internet Explorer until it was patched and updated.
Google created the Browser Security Handbook to help people and developers understand the security issues facing web browsers and the steps to take to protect individuals and web applications.
As mentioned in the last article in this series on web and blog security and hacking, Security and Hacking: The State of WordPress Blogs, WordPress, Movable Type, and other popular web services are not immune from security hacks or vulnerabilities.
Tracking WordPress and Web Security News
WordPress is a web application at its core, and we depend upon web browsers for our blogs and online activity, as well as all the parts and pieces that make our blogs and the Internet run. If any one of those parts or pieces goes bump in the night with a lack of security protection, we all suffer.
WordPress responds immediately to any security vulnerabilities with patches and upgrades for their core program, and offer alerts for security issues on WordPress Themes and Plugins. Reports on security issues are published on the WordPress Development Blog, and on the WordPress.com Blog if the issue relates to WordPress.com bloggers.
Blog Security is behind the WordPress Whitepaper, and reports frequently on security recommendations and information for WordPress. They also offer the WPIDS – WordPress Intruder Detection System Plugin and WP Scanner WordPress Plugin to test your WordPress blog for known security vulnerabilities and issues.
Other resources for tracking security issues across the web that may include WordPress and its related program partners include:
- Microsoft® Malware Protection Center
- Global Security Week: Latest Cyber Crime News
- Cnet – Defense in Depth
- PC World About.com – Online Security
- ZDNet.com – Network Security
- eWeek – Security
- TechNewsWorld: Security News
- Computer Crime and Intellectual Property Section of the US Department of Justice
- BBC News Technology and Security
- ProSecurity Zone
- ZDNet.co.uk Security News
Don’t forget that the WordPress Community is one big news agency for reporting on hacks and attacks towards WordPress blogs. They are also very self-policing and educating as well. During the recent remv.php hacker attack, a lot of bloggers reported that they received emails from their web hosts regarding the
remv.php file creating malicious behavior on WordPress blogs. Hackers place a file called
remv.php into easily accessed WordPress Theme directories to add malicious links and content.
Protecting Your WordPress Blog
The simple answer to protecting your WordPress blog is to upgrade immediately when a mandatory security upgrade is announced.
To thoroughly protect your WordPress blog takes a few more steps:
- Upgrade to the latest version of WordPress and use the new automatic upgrade feature to keep your blog current and secure as possible.
- Backup, backup, backup. Backup your blog’s database. Backup your Theme. Backup your Plugins. Backup all content on your server. Backup everything on a regular basis, and learn how to restore your WordPress blog.
- Use strong passwords for your WordPress blog, as well as FTP, MySQL, and other web access.
- If you changed your server file permissions to open access during testing, making the directories writable and hackable, change them back to a more secure setting.
- Use WordPress Themes and Plugins from known and respected sources like the official WordPress Plugin Directory and WordPress Theme Directory.
- Monitor your WordPress Theme author’s blog regularly for announcements of upgrades. Future versions of WordPress will have an auto upgrade and notification feature for WordPress Themes, making this easier to track and upgrade.
- Use WordPress Plugins found in the WordPress Plugin Directory in order to take advantage of notification and warnings about Plugins through the Administration Panels Plugin update feature.
- If you are reliant upon a WordPress Plugin not in the WordPress Plugin Directory, monitor their site and other WordPress news sites for mention of vulnerabilities or upgrades and upgrade immediately if one is found.
- Monitor WordPress news sites for information on security issues and respond immediately to upgrades and patches.
Take care reporting security issues to the world before reporting them to the proper authorities. Know the difference between a bug and a security vulnerability. Bugs in WordPress are to be reported via the WordPress Bug Report, but security issues are to be made to firstname.lastname@example.org.
For more specifics on protecting your WordPress blog, see Protecting Your WordPress Blog, WordPress Security Prevention, Reactions, and Scares, and Protect Your Blog With a Solid Password.
Again, the best recommendation to protect your blog from hackers? Update. Now.
In the next issue in this series, I’ll talk about how to report a cyber crime.