WordPress Security Prevention, Reactions, and Scares

Matt Mullenweg spoke out recently on the recent bogus “SecurityFocus SQL Injection” fear spreading across the web. There is a huge perception today that WordPress is a security risk. This is not true.

As Matt discussed, fears of SQL server vulnerabilities and other security issues have gotten out of control, for WordPress as well as other open source and proprietary programs, which he likened to “running into a crowded theatre and yell ‘fire’ and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week…”

Jeff Jones, a software security expert, dug into the history of a recent SQL server issue and reported:

Last week a web-based news story came to my attention which asserted that last year SQL Server had “…most vulnerabilities last year of any commercial database…” That prompted me to do some fact checking and I thought it worth documenting the real (really good) story of SQL vulnerabilities and what commercial database had the most vulnerabilities last year…

So. One thing is clear from the rudimentary investigation I’ve performed here - SQL Server was not even close to having the most vulnerabilities last year of any commercial database.

In fact, though SQL 2000 Server may have had a rough track record up through 2003, the SQL team has certainly turned a corner since then and SQL Server 2005 has had one of the best security track records of any commercial database ever.

In a report on his Security Blog, Internet Explorer and Firefox Vulnerability Analysis (pdf), Jones reported that Firefox has had more security vulnerabilities than Internet Explorer, even though it is a widely held belief that Firefox is the “better” browser.

When a security issue came up with , it was fixed within 10 minutes of being reported. Yet, the news spread around for days that WordPress.com was a security risk.

Perception is everything. In another report and analysis, Jeff Jones reports on the increasing number of disclosures influencing the perception of security issues and vulnerabilities as they catch the public eye.

The number of disclosures of new software vulnerabilities across the industry continues to be in the thousands, with more than 3,400 new vulnerabilities disclosed in 1H07 [first half of 2007]. But this number actually represents a decrease from 2H06, the first period-to-period decline in total vulnerabilities since 2003.

There are a couple of other interesting results that I want to call out that you should examine with more detail in the full report:

* Social engineering plays a growing role in overall malware attack techniques. This is a key result since even with vulnerability-free software, these techniques could succeed against users of any platform.
* Windows Defender has proportionally detected 2.8 times less potentially unwanted software on computers running Windows Vista than on computers running Windows XP SP2, based on normalized data. This is a practical measure of benefit that is somewhat more valuable in my opinion than vulnerability comparisons.

As Matt said, the more sensational and invalid the security scare, the more likely it is to be spread in this age of social networking where anyone can have their say and link. Even sites with few security problems quickly get a bad reputation. We need to pay attention to the serious threats so these cries of fire do not become cries of wolf.

How Vulnerable is WordPress?

So how vulnerable is WordPress compared to other blog and CMS platforms? The US National Institute of Standards and Technology’s National Vulnerability Database tracks reported WordPress security vulnerabilities from the earliest years. Let’s compare WordPress to Joomla and Drupal:

| Platform  | 2005 | 2006 | 2007 | 2008 |
| --------- | ---- | ---- | ---- | ---- |
| WordPress | 11   | 18   | 49   | 34   |
| Joomla    | 4    | 28   | 31   | 12   |
| Drupal    | 6    | 17   | 16   | 8    |

Are the recent high numbers due to the increased usage and popularity of WordPress? Is it because it is becoming a target of those who want to find ways of breaking WordPress? Is it because there is a dedicated WordPress community to uncover and report such issues? Is it because there are so many who care that WordPress remains safe and secure?

With more and more people using WordPress, more and more hackers are digging into the core to find ways of breaking WordPress. Luckily, there are enough “white hat heroes” that report the vulnerabilities they find rather than exploiting them, helping the team improve WordPress constantly.

Is My WordPress Blog Safe?

Matt also offered some sensible tips and information for those worried about the “increasing security threats” to WordPress. His recommendations: Update WordPress. Use common sense. Use strong passwords. Be aware.

Always keep a backup copy of the latest version of WordPress, your WordPress Theme, a full backup of your WordPress database, WordPress Plugins, and copies of all the images and files on your host server. If something does happen, you may need these backups to restore your blog.

To keep your WordPress blog safe:

  1. Update WordPress.
  2. Update your WordPress Theme.
  3. Update WordPress Plugins.
  4. Monitor WordPress news sources for alerts about security vulnerabilities and upgrades, such as WordPress Wednesday news on the Blog Herald, (official WordPress aggregator), the , and .

To check your blog now for unwanted links and hacking attempts:

  • Install and run the WP Scanner WordPress Plugin from Blog Security.
  • In Firefox, go to Tools > Page Info > Links (not available in Firefox 3 Beta) and check each link to ensure you put it there and it goes to sources you trust. Manually view the page source code of your blog (View > Page Source) and check to ensure each link is trustworthy. Is each link a link you want on your blog?
  • Examine your WordPress Theme template files, especially the header.php and footer.php for unwanted content and links. If you didn’t put it there, who did? Do you want it there?
  • Check random posts on your blog for unwanted content and links. Edit these through the Administration Panels to remove the unwanted content from the database.
  • Search your template files, stylesheets, and database for display:none and/or height:0 as these are common styles used to hide unwanted content and links. Remove them from the posts or files accordingly. I recommend Silpstream’s WP-phpMyAdmin WordPress Plugin for searching the database directly from your WordPress blog.
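The checks in the list above can be scripted. The following Python script is an added example, not from the article or from any plugin it names: it greps theme template and stylesheet files for the two hiding styles the article mentions (display:none and height:0) and flags outbound links whose host is not on a trusted list. The sample theme files and the trusted-host list are constructed here; the same scan_text function can be run over post content exported from the database.

```python
import re
import tempfile
from pathlib import Path

# Styles the article names as common ways to hide injected content.
# Coarse by design (also hits line-height:0); every hit is for a human to review.
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|height\s*:\s*0(?:px)?\b", re.IGNORECASE)
# Anchor tags with an absolute http(s) href.
LINK_RE = re.compile(r"<a\s+[^>]*href\s*=\s*[\"'](https?://[^\"']+)[\"']", re.IGNORECASE)


def link_host(url):
    """Return the lowercase hostname of an absolute URL, without any port."""
    return url.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()


def scan_text(text, trusted_hosts, label):
    """Return (label, line_number, reason, detail) findings for one file or post body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if HIDDEN_STYLE_RE.search(line):
            findings.append((label, lineno, "hidden-style", line.strip()))
        for url in LINK_RE.findall(line):
            host = link_host(url)
            trusted = host in trusted_hosts or any(host.endswith("." + t) for t in trusted_hosts)
            if not trusted:
                findings.append((label, lineno, "untrusted-link", url))
    return findings


def scan_theme(theme_dir, trusted_hosts, suffixes=(".php", ".css")):
    """Walk a theme directory (header.php, footer.php, style.css, ...) and scan each file."""
    findings = []
    for path in sorted(Path(theme_dir).rglob("*")):
        if path.suffix in suffixes:
            findings.extend(scan_text(path.read_text(errors="replace"), trusted_hosts, path.name))
    return findings


def demo():
    """Constructed sample theme: a clean header, a footer with an injected hidden link,
    and a stylesheet rule that collapses a container to zero height."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "header.php").write_text(
            '<a href="https://example.com/">Home</a>\n'
            '<a href="https://codex.wordpress.org/">Codex</a>\n')
        (Path(tmp) / "footer.php").write_text(
            '<p>&copy; example.com</p>\n'
            '<div style="display:none"><a href="http://spam.invalid/buy">cheap pills</a></div>\n')
        (Path(tmp) / "style.css").write_text(".hidden-ad { height: 0; overflow: hidden; }\n")
        # Hosts the blog owner actually links to; everything else is flagged.
        return scan_theme(tmp, trusted_hosts={"example.com", "wordpress.org"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```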

If you are not using the latest version of WordPress, your blog may be at risk. Currently, WordPress 1x is no longer supported. The WordPress 2.0x branch has been upgraded to 2.1.3 and 2.0.11. See the WordPress Release Archive for past versions of WordPress.

Blog Security recently updated its popular WordPress Whitepaper which reports on security issues and problems with WordPress. It includes tips and step-by-step procedures to improve the security of your WordPress blog, beyond the scope of this article. Also, consider using the WPIDS - WordPress Intruder Detection System Plugin to help you monitor your blog for intruders and attacks.

Copyright Lorelle VanFossen, the author of Blogging Tips, What Bloggers Won't Tell You About Blogging.

20 Comments

  1. Posted April 28, 2008 at 6:00 am | Permalink

    Security has done a full circle. At one point, vendors didn’t care much for secure software. Securing software only became important once their research (made public) started affecting sales. This justified the hype.

    We are moving back towards “responsible disclosure”. Which basically means less hype and more prepared responses from companies doing a bad job of releasing insecure software.

    Now for the scary part. I don’t think a lot of the vulnerabilities disclosed have been targeted. The vulnerabilities in WordPress that I have discovered have often been found while using the software and not because I was actually looking!

    How many vulnerabilities are actually in these products? At what point is it “irresponsible” for the vendor to release software that has not been through a security lifecycle.

  2. Posted April 28, 2008 at 6:18 am | Permalink

    EVERY software product is going to have security vulnerabilities. Based on a limited amount of coding experience myself, you cannot avoid having security problems, and many times when I have seen new products come out advertised as “100% secure,” a vulnerability is found in just a few days. (Safari for Windows, anyone?) What matters is not how secure or insecure something is, because ANY software product out there is going to be insecure somewhere, and once people figure out where that insecure vulnerability lies, then a new release will come out to patch that hole up, but there will still be others.

    What is more important than the presence of security vulnerabilities is how people respond to them. The developers of WordPress–or the developers of any program, for that matter–have the obligation to respond quickly and appropriately to these exposed vulnerabilities and to fix them before they become exploits, and the users of these programs have their own obligation to stay up-to-date.

    A good example of this is phpBB, which is an open-source forum software that I work closely with and cover. In December 2004, thousands of phpBB forums across the internet got hacked by the infamous “Santy” worm which took advantage of an exploit that had been patched a full month earlier. Many people across the internet screamed bloody murder, and the whole Santy worm debacle “tarnished” phpBB2’s security reputation across the popular press, but all of the affected boards were a couple of months to a few years behind the most-up-to-date version of phpBB, and if they had updated in November, when the “Critical update” had been released, they would have been fine.

    My point is this. The fact that vulnerabilities are frequently discovered in programs is unimportant–what is important is that the developers are quick and ready to respond appropriately to the discovery of vulnerabilities, and that the users of the program follow through on updating. (And in the case of WordPress.com, they don’t even have to worry about updating because the developers do it for them!) If the developers are doing their job but users don’t take the time to stay up-to-date, they have no basis on which to complain.

  3. Martin
    Posted April 28, 2008 at 6:20 am | Permalink

    I have a controversial site which is using WordPress; over the past two years the WordPress software has not been hacked while I’ve been using it. In my view that’s a pretty good sign that WordPress is very stable. I have copped lots of DDoS attacks and hardware failures due to people attacking my site.

    In the long run all sites on the internet can be a target if not looked after properly. Follow those steps above and your days blogging should be pretty safe, just common sense really…

  4. Posted April 28, 2008 at 8:52 am | Permalink

    Lorelle

    Maybe you are right about the press coverage WordPress security issues get as compared to the other CMS, but that does not mean there is less risk with one platform as compared to another. If people followed your tips religiously we should notice the incidents lower and make the web a safer place. But how many WordPress users can or are willing to run database queries? Even with a plugin?

    Nice to see you are addressing the topic though.

  5. Posted April 28, 2008 at 10:05 am | Permalink

    Is the recent high numbers due to increased usage and popularity of WordPress? Is it because it is becoming a target of those who want to find ways of breaking WordPress? Is it because there is a dedicated WordPress Community to uncover and report such issues? Is it because there are so many who care that WordPress remains safe and secure?

    Or is it because the drupal devs are just more careful? You can’t just gloss over that little nugget as if it doesn’t exist. Articles like this are better without the whitewash component.

    In my view, WordPress has an excellent security record, but thanks to the paragraph I quoted your article is less journalism than advocacy.

  6. Posted April 28, 2008 at 11:05 am | Permalink

    None of the graphs you showed told us anything about the vulnerabilities. For example, though Firefox overall had more vulnerabilities than IE, of the ones found IE had far more critical vulnerabilities.

    This is what needs to be shown - an overall number is terribly misleading and doesn’t inform or educate anyone.

  7. Posted April 28, 2008 at 11:45 am | Permalink

    Those numbers do seem odd. It seems like we’ve fixed 2-3 vulnerabilities in 2008, nowhere close to 34.

  8. Posted April 28, 2008 at 12:12 pm | Permalink

    @ Matt:

    I, too, questioned their numbers, but this is the “official” source for tracking such reports, though who reports and how they are verified, and whether reports apply to WordPress, WordPressMU, Plugins, or Themes…I don’t know.

    My point was about facts on the ground versus perception and I, like you, know that the WordPress team works overtime to ensure WordPress is as safe as possible, while being flexible, for all users, no matter which platform they are on.

    I’ve always appreciated the transparency of WordPress, so it’s frustrating to not know if people are seriously calling “fire” or “wolf” when these issues come up. We need to talk about them, but we also have to our blogs are safe.

  9. Posted April 28, 2008 at 1:33 pm | Permalink

    The number of vulnerabilities per se means little from a security standpoint. Their severity is most important.

    BTW, I’d like a better back-porting policy for WP regarding security fixes only, because the (rather annoying) tendency of changing API/DB details at the last minute breaks a lot of plugins, so the authors have to catch up and people will not update their blogs.

    I have one blog still on 2.3.3 and it will stay like that until a necessary plugin will be updated. If I could just get the diffs for the security vulnerability, that would be a non issue.

  10. Posted April 28, 2008 at 1:42 pm | Permalink

    I’m in the same boat as Martin. I have some sites running WP that people would love to hack. Most of the efforts I see, however, are all automated scripts trying to guess the root account/password.

  11. Posted April 28, 2008 at 1:50 pm | Permalink

    @ Lorelle

    I’ve always appreciated the transparency of WordPress, so it’s frustrating to not know if people are seriously calling “fire” or “wolf” when these issues come up. We need to talk about them, but we also have to our blogs are safe.

    While we are talking about them, we should also try and engage them in figuring out if they understand things exactly as we see it. Looks like the perception issue is two sided, we are in a way biased about the software we all have fallen in love with. Aren’t we?

  12. Posted April 28, 2008 at 4:17 pm | Permalink

    Great article! It’s amazing how quickly misinformation spreads these days. A little common sense goes a long way. As do strong passwords!

  13. Posted April 28, 2008 at 9:51 pm | Permalink

    As long as you keep your current WordPress version current and up to date you don’t have anything to worry about. WordPress is strong, solid, and reliable. Every software is vulnerable; just when they get on a large scale, exploiters attempt more aggressively on finding hacks so that they may be open to a broad audience.

  14. Posted April 29, 2008 at 7:02 am | Permalink

    Lorelle,

    Maybe you are right about the press coverage WordPress security issues get as compared to the other CMS, but that does not mean there is less risk with one platform as compared to another. If people followed your tips religiously we should notice the incidents lower and make the web a safer place. But how many WordPress users can or are willing to run database queries? Even with a plugin?

  15. Posted April 29, 2008 at 2:26 pm | Permalink

    A month ago my blog fell under attack due to a vulnerability in a COPPERMINE photo gallery installation that was on the same shared host (in my account though). Due to that, it set off a script adding a line of code to every non-protected php file that would call a .jpg file that was really a javascript trojan. I’ve heard similar issues with other software installed on the same server getting hacked and somehow affecting the WordPress install, no matter how “locked down” it may be. The advice I was given was if you must be on a shared host, make sure ALL your apps are locked down, or ask your hosting provider if for a small fee you could get your WordPress blog in its own directory separate from any other installs… typically this would be just a reseller account, however if you explain why you would need it, and that you only want ONE (and that it would only be the blog), you’d be surprised at just how many hosting companies will grant you the separate account for your WordPress blog.

  16. Posted April 30, 2008 at 4:49 am | Permalink

    Backups are really the best form of security around. In spite of the good backup plugins available, few people seem to take advantage of them. I know I sleep better with mine working. I use Mozy for backing up my work PC, because it’s a simple no-brainer. It amazes me though, how many of my friends that I told about it have stopped using it. Go figure.

  17. Posted May 1, 2008 at 9:17 am | Permalink

    Joomla, Drupal, really? That’s an apples to oranges comparison, no? A more realistic number is security in comparison to MT. The WP fanbois fan these flames with their thin skins. They’ll blast other platforms all day long, but then when the criticism is on their platform, the whole world is out to get them.

  18. Posted May 2, 2008 at 1:28 am | Permalink

    Of course nothing can give you the same level of comfort that .htaccess authentication can, at least from automated bots.

  19. mrtorbert
    Posted May 3, 2008 at 11:53 am | Permalink

    Don’t forget about http://wordpress.org/extend/plugins/wp-security-scan/
    WP Security Scan

  20. Posted May 8, 2008 at 4:22 am | Permalink

    What I am doing is just install, remove, and upgrade for my WordPress. Thanks for the tips, it really helps me to keep my WordPress secure..

11 Trackbacks/Pingbacks

  1. [...] Lorelle VanFossen, from Lorelle on WordPress, tries to calm the rumours about WordPress security and explains the reasons why she believes the number of reported incidents related [...]

  2. [...] 42) WordPress Security Prevention, Reactions, and Scares [...]

  3. [...] lorelle on wordpress:wordpress security prevention, reactions, and scares [...]

  4. [...] “WordPress Security Prevention, Reactions, and Scares,” Lorelle VanFossen notes recent information about general Web security and specifically [...]

  5. [...] Read this: http://lorelle.wordpress.com/2008/04/28/wordpress-security-prevention-reactions-and-scares/ [...]

  6. [...] the full article to see how Lorelle responded to our questions about security risk of [...]

  7. [...] and scares going around about security issues and WordPress, I addressed some of this in WordPress Security Prevention, Reactions, and Scares. The best recommendation to protect your blog from hackers? [...]

  8. [...] on WordPress has published the post WordPress: Security Prevention, Reactions and Fears, an interesting discussion about the security of WordPress, its perception and a [...]

  9. [...] on WordPress published the post WordPress Security Prevention, Reactions, and Scares, a nice discussion about the security of WordPress, its perception, a comparison with other popular [...]

  10. [...] are concerned about the security of your WordPress, you should read this blog, which explains the vulnerabilities and how [...]

  11. [...] great overview of WordPress and security: WordPress Security Prevention, Reactions, and Scares. This concerns WordPress users who have installed the system on their own web server themselves [...]
