Matt Mullenweg recently spoke out on the bogus “SecurityFocus SQL Injection” scare spreading across the web. There is a widespread perception today that WordPress is a security risk. This is not true.
As Matt discussed, fears of SQL server vulnerabilities and other security issues have gotten out of control, for WordPress as well as other open source and proprietary programs, which he likened to “running into a crowded theatre and yell ‘fire’ and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week…”
Last week a web-based news story came to my attention which asserted that last year SQL Server had “…most vulnerabilities last year of any commercial database…” That prompted me to do some fact checking and I thought it worth documenting the real (really good) story of SQL vulnerabilities and what commercial database had the most vulnerabilities last year…
So. One thing is clear from the rudimentary investigation I’ve performed here – SQL Server was not even close to having the most vulnerabilities last year of any commercial database.
In fact, though SQL 2000 Server may have had a rough track record up through 2003, the SQL team has certainly turned a corner since then and SQL Server 2005 has had one of the best security track records of any commercial database ever.
In a report on his Security Blog, Internet Explorer and Firefox Vulnerability Analysis (pdf), Jones reported that Firefox has had more security vulnerabilities than Internet Explorer, even though it is a widely held belief that Firefox is the “better” browser.
When a security issue came up with WordPress.com, it was fixed within 10 minutes of being reported. Yet, the news spread around for days that WordPress.com was a security risk.
Perception is everything. In another report and analysis, Jeff Jones reports on the increasing number of disclosures influencing the perception of security issues and vulnerabilities as they catch the public eye.
The number of disclosures of new software vulnerabilities across the industry continues to be in the thousands, with more than 3,400 new vulnerabilities disclosed in 1H07 [first half of 2007]. But this number actually represents a decrease from 2H06, the first period-to-period decline in total vulnerabilities since 2003.
There are a couple of other interesting results that I want to call out that you should examine with more detail in the full report:
* Social engineering plays a growing role in overall malware attack techniques. This is a key result since even with vulnerability-free software, these techniques could succeed against users of any platform.
* Windows Defender has proportionally detected 2.8 times less potentially unwanted software on computers running Windows Vista than on computers running Windows XP SP2, based on normalized data. This is a practical measure of benefit that is somewhat more valuable in my opinion than vulnerability comparisons.
As Matt said, the more sensational and invalid the security scare, the more likely it is to be spread in this age of social networking where anyone can have their say and link. Even sites with few security problems quickly get a bad reputation. We need to pay attention to the serious threats so these cries of fire do not become cries of wolf.
How Vulnerable is WordPress?
So how vulnerable is WordPress compared to other blog and CMS platforms? The US National Institute of Standards and Technology – National Vulnerability Database tracks reported WordPress security vulnerabilities from the earliest years. Let’s compare WordPress to Joomla and Drupal:
Are the recent high numbers due to the increased usage and popularity of WordPress? Is it because it is becoming a target of those who want to find ways of breaking WordPress? Is it because there is a dedicated WordPress community to uncover and report such issues? Is it because there are so many who care that WordPress remains safe and secure?
With more and more people using WordPress, more and more hackers are digging into the core to find ways of breaking WordPress. Luckily, there are enough “white hat heroes” that report the vulnerabilities they find rather than exploiting them, helping the Automattic team improve WordPress constantly.
Is My WordPress Blog Safe?
Matt also offered some sensible tips and information for those worried about the “increasing security threats” to WordPress. His recommendations: Update WordPress. Use common sense. Use strong passwords. Be aware.
Always keep a backup copy of the latest version of WordPress, your WordPress Theme, a full backup of your WordPress database, WordPress Plugins, and copies of all the images and files on your host server. If something does happen, you may need these backups to restore your blog.
To keep your WordPress blog safe:
- Update WordPress.
- Update your WordPress Theme.
- Update WordPress Plugins.
- Monitor WordPress news sources for alerts about security vulnerabilities and upgrades, such as WordPress Wednesday news on the Blog Herald, WordPress Planet (official WordPress aggregator), the WordPress Development Blog, and Weblog Tools Collection.
To check your blog now for unwanted links and hacking attempts:
- Install and run the WP Scanner WordPress Plugin from Blog Security.
- In Firefox, go to Tools > Page Info > Links (not available in Firefox 3 Beta) and check each link to ensure you put it there and it goes to sources you trust. Manually view the page source code of your blog (View > Page Source) and check to ensure each link is trustworthy. Is each link a link you want on your blog?
- Examine your WordPress Theme template files, especially the footer.php, for unwanted content and links. If you didn’t put it there, who did? Do you want it there?
- Check random posts on your blog for unwanted content and links. Edit these through the Administration Panels to remove the unwanted content from the database.
- Search your template files, stylesheets, and database for height:0, as this is a common style used to hide unwanted content and links. Remove it from the posts or files accordingly. I recommend Silpstream’s WP-phpMyAdmin WordPress Plugin for searching the database directly from your WordPress blog.
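The checks above (links you did not place, and hiding styles such as height:0) can be automated. The script below is an added example, not code from the original post or from any plugin it names; it assumes you supply the list of hosts you trust, and it generalizes the height:0 check to a few other CSS patterns commonly used to hide injected links.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide content. height:0 is the one the post names;
# the rest are added here as a generalization of the same trick.
HIDDEN_STYLE_PATTERNS = [
    r"height\s*:\s*0(?:px)?\b",
    r"display\s*:\s*none",
    r"visibility\s*:\s*hidden",
    r"font-size\s*:\s*0(?:px)?\b",
    r"left\s*:\s*-\d{3,}px",
]
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def is_hidden_style(style):
    return any(re.search(p, style, re.I) for p in HIDDEN_STYLE_PATTERNS)


class LinkAuditor(HTMLParser):
    """Flags <a> tags that sit inside a hidden element or point off-site."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.stack = []      # one bool per open element: does it hide its content?
        self.findings = []

    def _check_link(self, attrs, hidden_self):
        href = attrs.get("href")
        if not href:
            return
        host = (urlparse(href).hostname or "").lower()   # "" for relative links
        reasons = []
        if hidden_self or any(self.stack):
            reasons.append("hidden")
        if host and host not in self.trusted:
            reasons.append("untrusted-host")
        if reasons:
            self.findings.append({"href": href, "line": self.getpos()[0], "reasons": reasons})

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = is_hidden_style(a.get("style") or "")
        if tag == "a":
            self._check_link(a, hidden)
        if tag not in VOID_TAGS:
            self.stack.append(hidden)

    def handle_startendtag(self, tag, attrs):   # <br/> etc.: never push to the stack
        a = dict(attrs)
        if tag == "a":
            self._check_link(a, is_hidden_style(a.get("style") or ""))

    def handle_endtag(self, tag):
        if self.stack:
            self.stack.pop()


def audit_links(html, trusted_hosts):
    """Return the list of suspicious links found in the given template/page source."""
    auditor = LinkAuditor(trusted_hosts)
    auditor.feed(html)
    return auditor.findings


# Constructed sample footer.php output; example.net / example.org stand in for spam hosts.
SAMPLE_FOOTER = """<div id="footer">
<p>Powered by <a href="https://wordpress.org/">WordPress</a>
 and <a href="/about">this blog</a>.</p>
<div style="height:0; overflow:hidden"><a href="http://example.net/spam">cheap pills</a></div>
<p style="font-size:0px"><a href="https://wordpress.org/plugins/">plugins</a></p>
<a href="http://example.org/seo">partner</a>
</div>"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_FOOTER, {"wordpress.org"}):
        print(f"line {f['line']}: {f['href']} ({', '.join(f['reasons'])})")
```

Run it against `footer.php` rendered in the browser (View > Page Source) or against a post body pulled from the database; a relative link is only flagged when it is hidden, since it stays on your own site.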
If you are not using the latest version of WordPress, your blog may be at risk. Currently, WordPress 1.x is no longer supported. The WordPress 2.0.x branch has been upgraded to 2.1.3 and 2.0.11. See the WordPress Release Archive for past versions of WordPress.
Blog Security recently updated its popular WordPress Whitepaper which reports on security issues and problems with WordPress. It includes tips and step-by-step procedures to improve the security of your WordPress blog, beyond the scope of this article. Also, consider using the WPIDS – WordPress Intruder Detection System Plugin to help you monitor your blog for intruders and attacks.
Related Articles on WordPress Security
- WordPress 2.5, Security Issues, Plugins Updated, WordPress vs WordPressMU
- Daily Blog Tips – Make Sure Your WordPress is Not Hacked
- Donncha – There’s Never Been A Better Time To Upgrade WordPress
- Blog Security – Interview of a WordPress Hacker
- Noupe – WordPress Security Tips and Hacks