PHP Classes

WordPress Security

Recommend this page to a friend!

      PHP Classes blog  >  What Happened in the ...  >  All threads  >  WordPress Security  >  (Un) Subscribe thread alerts  
Subject:WordPress Security
Summary:Jim Manico is rather pessimistic about Worpress and security
Author:Larry Wakeman
Date:2013-11-20 20:21:05
Update:2013-11-20 23:04:23

  1. WordPress Security   Reply   Report abuse  
Picture of Larry Wakeman Larry Wakeman - 2013-11-20 21:53:38
Wordpress itself is not insecure. The attacks that I have seen against it use security holes outside of Wordpress, itself.

The avenues of attack I am seeing are through ftp and the WP Admin account. The attackes have had three footprints:

1. Code added to header.php to open an iframe that loads malicious code.

2. Code that is loaded as a plugin (or several) and possibly a zip file in the uploads directory. The plugin code did not show itself on the Plugins page but provided a url the attacker could connect to to wreak havoc on the system. In the cases I looked at the goal was to disfigure the site.

3. Code prepended to footer.php and sidebar-footer.php to load code (wp-apps.php) in the document root. A jsquery directory was added to the wp-includes/js directory that contained malicious code. This attack loaded plugins to Firefox (and other browsers) including scorpionsaver.

Again, the attacks were most likely through ftp and possibly but not a likely, the admin account.

Normally these are under the control of the webmaster except that a very large percentage of WP instances are on shared hosting and the ones I have been dealing with were hosted by hosting resellers. One or two layers where the attack can take place that are not under the control of the webmaster.

This does not obviate the need to thoroughly vet any plugins and themes that you intend to install as they are also common vectors for attack. Using the proper coding practices will obviate some of this if one develops plugins and themes.

As a side, my personal site was originally Drupal. This is the CMS that the US Government uses, exclusively (not sure about the Obama Care site). It was a defacement attack by inserting data into the database. It was attacked through the Registration and Commenting components. After fixing the site, I deleted all registered users and disabled commenting. I later moved it to wordpress.

I also had a client (actually I still have the client) who provided hosting on his own server. His webmail client was attacked by adding code to every index.php and index.htm file in the installation.

  2. Re: WordPress Security   Reply   Report abuse  
Picture of Manuel Lemos Manuel Lemos - 2013-11-20 23:04:23 - In reply to message 1 from Larry Wakeman
Right, better follow Jim Manico advice to not put Wordpress, Drupal or other highly targetted platform inside the same hosting as your business applications.

For more information send a message to info at phpclasses dot org.