WordPress Security 101

Last Wednesday I delivered a presentation entitled “WordPress Security 101” which got the discussions started in earnest about WordPress Security among our team.

Here are the takeaways:
  • Keep your blog up to date
  • Don’t use plugins that aren’t in general public use unless you know who wrote them or have thoroughly reviewed the code
  • Forms for reader upload/feedback are the single biggest point of attack – be sure if you code one you use the WordPress “Nonce” function to keep junk off your server
  • Watch out for other programs you may add to your site
  • Keep up to date on both OS and DB – if your host doesn’t do this, get a new host
  • Keep your WordPress installation up to date. Recent versions will warn you that there is an update available
  • Remove the XML-RPC file if you don’t use an external blog editing program.

The problem we face is that WordPress is an open source program, hence its code base and db schema are generally known items. Since it is in wide use, it is a frequent target for attacks. The good news is that it is patched quickly when vulnerabilities arise. However, many bloggers never update – I could show you several 1.x level installations – and these are highly insecure.

Let’s get up to date people…and for God’s sake make sure you get a backup of your database weekly, as well as keeping a local copy of your wp-content/uploads folder – that will allow you to recreate the site if the worst happens.
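As an added example (not code from the original post or from WordPress itself), here is a small must-use plugin that implements two of the takeaways above: switching XML-RPC off and protecting a reader feedback form with the WordPress nonce functions. Everything it calls (`add_filter`, `wp_nonce_field`, `wp_verify_nonce`, `admin_post_*` hooks, `sanitize_email`, `wp_insert_post`) is standard WordPress API; the action names, field names and post type are chosen for this example. One swapped-in technique: rather than deleting `xmlrpc.php`, which a core update puts straight back, it uses the `xmlrpc_enabled` filter so the setting survives updates. Note that a nonce keeps blind scripted POSTs off your server because the token must be fetched from your own form first and expires; it is not a CAPTCHA and it does not replace validating the submitted fields, which the handler does separately.

```php
<?php
/**
 * Plugin Name: Security 101 Hardening (added example)
 *
 * Save as wp-content/mu-plugins/sec101-hardening.php so it loads on every
 * request. Illustrates two takeaways from the post: disable XML-RPC, and
 * guard a reader feedback form with a nonce. Names are example choices.
 */

// 1. Turn XML-RPC off through the core filter. Unlike deleting xmlrpc.php,
//    this is not undone by the next WordPress core update.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Nonce-protected feedback form.
const SEC101_ACTION = 'sec101_feedback'; // action name, chosen for this example
const SEC101_NONCE  = 'sec101_nonce';    // hidden field name, chosen for this example

// [sec101_feedback] shortcode renders the form; wp_nonce_field() adds the
// hidden, time-limited token tied to this action and the visitor's session.
function sec101_feedback_form() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( SEC101_ACTION, SEC101_NONCE ); ?>
        <input type="hidden" name="action" value="<?php echo esc_attr( SEC101_ACTION ); ?>">
        <label>Email <input type="email" name="email" required></label>
        <label>Message <textarea name="message" required></textarea></label>
        <button type="submit">Send</button>
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'sec101_feedback', 'sec101_feedback_form' );

// Handler for both anonymous (nopriv) and logged-in submitters.
function sec101_handle_feedback() {
    // Reject anything that did not originate from our own form: a missing
    // or stale nonce is the signature of scripted junk submissions.
    $nonce = isset( $_POST[ SEC101_NONCE ] ) ? sanitize_text_field( wp_unslash( $_POST[ SEC101_NONCE ] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, SEC101_ACTION ) ) {
        wp_die( 'Invalid form submission.', 'Forbidden', array( 'response' => 403 ) );
    }

    // The nonce proves provenance, not content. Normalise and validate the fields too.
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( ! is_email( $email ) || '' === $message || strlen( $message ) > 2000 ) {
        wp_die( 'Please supply a valid email address and a short message.', 'Bad Request', array( 'response' => 400 ) );
    }

    // Store as a private post so nothing a reader typed is published unreviewed.
    wp_insert_post( array(
        'post_type'    => 'sec101_feedback',
        'post_status'  => 'private',
        'post_title'   => $email,
        'post_content' => $message,
    ) );

    // Send the reader back to the page they came from (same-site redirect only).
    wp_safe_redirect( add_query_arg( 'feedback', 'sent', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
}
add_action( 'admin_post_nopriv_' . SEC101_ACTION, 'sec101_handle_feedback' );
add_action( 'admin_post_' . SEC101_ACTION, 'sec101_handle_feedback' );

// Private post type that holds submissions; visible in the admin only.
add_action( 'init', function () {
    register_post_type( 'sec101_feedback', array(
        'public'  => false,
        'show_ui' => true,
        'label'   => 'Feedback',
    ) );
} );
```

Drop `[sec101_feedback]` into any page to render the form. Submissions that arrive without a valid nonce get a 403 before any field is read, which is the cheap filter that stops most automated form spam; the validation that follows is what protects the database from whatever a real visitor typed.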

Techcrunch Says WordPress a Massive Security Risk

(The link to the article is lower in this post, to ensure the proper text appears in the Techcrunch trackback…)

Techcrunch yesterday featured an article by Nik Cubrilovic with the salacious title “WordPress Security Issues Lead To Mass Hacking. Is Your Blog Next?”  – from that article:

Due to its popularity as a blogging platform, WordPress has become a prime target for hackers looking to take over blogs for search-engine optimization (SEO) of other sites they control, traffic-redirection and other purposes. Recently there have been a spate of automated attacks which take advantage of recently discovered security vulnerabilities in WordPress.

To date, WordPress has been keeping up with the security holes by releasing updates within a few days of new exploits being found, but in the past few days new exploits have appeared that nobody seems to have answers for.

Okay, that kind of talk gets my interest. Funny thing, when I was talking with the Automattic guys (who develop WordPress) yesterday, no mention was made of any new security vulnerabilities. So I had a look at the stuff he cites as “the past couple days” and the issues are all over a year old, and affect out of date versions of the software, and are remedied in current releases.

So we have a situation in which one of two things is happening:

  • This is a “hit job” on Automattic by Techcrunch for reason or reasons unknown – if so, shame on you…
  • Or…there are vulnerabilities which Techcrunch did not identify so as to allow WordPress to come up with a fix.  If this is the case, I applaud their handling of the issue.

Either way, Techcrunch in general, and Nik Cubrilovic in particular, need to clarify the existence of new security holes, and they need to do it fast.