
WordPress Security Prevention, Reactions, and Scares

Matt Mullenweg spoke out recently on the bogus “SecurityFocus SQL Injection” fear spreading across the web. There is a huge perception today that WordPress is a security risk. This is not true.

As Matt discussed, fears of SQL server vulnerabilities and other security issues have gotten out of control, for WordPress as well as other open source and proprietary programs, which he likened to “running into a crowded theatre and yell ‘fire’ and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week…”

Jeff Jones, a software security expert, dug into the history of a recent SQL server issue and reported:

Last week a web-based news story comes to my attention which asserted that last year SQL Server had “…most vulnerabilities last year of any commercial database…” That prompted me to do some fact checking and I thought it worth documenting the real (really good) story of SQL vulnerabilities and what commercial database had the most vulnerabilities last year…

So. One thing is clear from the rudimentary investigation I’ve performed here – SQL Server was not even close to having the most vulnerabilities last year of any commercial database.

In fact, though SQL 2000 Server may have had a rough track record up through 2003, the SQL team has certainly turned a corner since then and SQL Server 2005 has had one of the best security track records of any commercial database ever.

In a report on his Security Blog, Internet Explorer and Firefox Vulnerability Analysis (pdf), Jones reported that Firefox has had more security vulnerabilities than Internet Explorer, even though it is a widely held belief that Firefox is the “better” browser.

When a security issue came up with WordPress.com, it was fixed within 10 minutes of being reported. Yet, the news spread around for days that WordPress.com was a security risk.

Perception is everything. In another report and analysis, Jeff Jones reports on the increasing number of disclosures influencing the perception of security issues and vulnerabilities as they catch the public eye.

The number of disclosures of new software vulnerabilities across the industry continues to be in the thousands, with more than 3,400 new vulnerabilities disclosed in 1H07 [first half of 2007]. But this number actually represents a decrease from 2H06, the first period-to-period decline in total vulnerabilities since 2003.

There are a couple of other interesting results that I want to call out that you should examine with more detail in the full report:

* Social engineering plays a growing role in overall malware attack techniques. This is a key result since even with vulnerability-free software, these techniques could succeed against users of any platform.
* Windows Defender has proportionally detected 2.8 times less potentially unwanted software on computers running Windows Vista than on computers running Windows XP SP2, based on normalized data. This is a practical measure of benefit that is somewhat more valuable in my opinion than vulnerability comparisons.

As Matt said, the more sensational and invalid the security scare, the more likely it is to be spread in this age of social networking where anyone can have their say and link. Even sites with few security problems quickly get a bad reputation. We need to pay attention to the serious threats so these cries of fire do not become cries of wolf.

How Vulnerable is WordPress?

So how vulnerable is WordPress compared to other blog and CMS platforms? The US National Institute of Standards and Technology’s National Vulnerability Database tracks reported WordPress security vulnerabilities from the earliest years. Let’s compare WordPress to Joomla and Drupal:

Reported vulnerabilities per year (NVD):

Platform    2005  2006  2007  2008
WordPress     11    18    49    34
Joomla         4    28    31    12
Drupal         6    17    16     8

Are the recent high numbers due to the increased usage and popularity of WordPress? Is it because it is becoming a target of those who want to find ways of breaking WordPress? Is it because there is a dedicated WordPress community to uncover and report such issues? Is it because there are so many who care that WordPress remains safe and secure?

With more and more people using WordPress, more and more hackers are digging into the core to find ways of breaking WordPress. Luckily, there are enough “white hat heroes” that report the vulnerabilities they find rather than exploiting them, helping the team improve WordPress constantly.

Is My WordPress Blog Safe?

Matt also offered some sensible tips and information for those worried about the “increasing security threats” to WordPress. His recommendations: Update WordPress. Use common sense. Use strong passwords. Be aware.

Always keep a backup copy of the latest version of WordPress, your WordPress Theme, a full backup of your WordPress database, WordPress Plugins, and copies of all the images and files on your host server. If something does happen, you may need these backups to restore your blog.

To keep your WordPress blog safe:

  1. Update WordPress.
  2. Update your WordPress Theme.
  3. Update WordPress Plugins.
  4. Monitor WordPress news sources for alerts about security vulnerabilities and upgrades, such as WordPress Wednesday news on the Blog Herald, (official WordPress aggregator), the , and .

To check your blog now for unwanted links and hacking attempts:

  • Install and run the WP Scanner WordPress Plugin from Blog Security.
  • In Firefox, go to Tools > Page Info > Links (not available in Firefox 3 Beta) and check each link to ensure you put it there and it goes to sources you trust. Manually view the page source code of your blog (View > Page Source) and check to ensure each link is trustworthy. Is each link a link you want on your blog?
  • Examine your WordPress Theme template files, especially the header.php and footer.php for unwanted content and links. If you didn’t put it there, who did? Do you want it there?
  • Check random posts on your blog for unwanted content and links. Edit these through the Administration Panels to remove the unwanted content from the database.
  • Search your template files, stylesheets, and database for display:none and/or height:0 as these are common styles used to hide unwanted content and links. Remove them from the posts or files accordingly. I recommend Silpstream’s WP-phpMyAdmin WordPress Plugin for searching the database directly from your WordPress blog.
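The manual checks above (hidden-content styles in templates and stylesheets, and links you never put in header.php or footer.php) can be scripted. The scanner below is an added example, not code from this article or from any of the plugins it mentions; it flags the display:none and height:0 patterns the article names, generalizes slightly to visibility:hidden, and reports every link whose host is not on a trusted-domain allowlist you supply. The sample footer and the allowlist (example.com as the blog’s own domain) are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Styles commonly used to hide injected content: the article's display:none and
# height:0, plus visibility:hidden as a generalization of the same trick.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|height\s*:\s*0(?:px)?(?![.\d])|visibility\s*:\s*hidden",
    re.IGNORECASE,
)
# Anchor tags with an href. Good enough for theme templates and post HTML;
# it is not a full HTML parser.
HREF_RE = re.compile(r"""<a\b[^>]*?\bhref\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Constructed allowlist: the blog's own domain plus sources the owner trusts.
TRUSTED_DOMAINS = {"example.com", "wordpress.org"}

# Constructed footer.php resembling a template with two injected link blocks.
SAMPLE_FOOTER = """<div id="footer">
  <p>&copy; <?php bloginfo('name'); ?> | <a href="<?php bloginfo('url'); ?>">Home</a></p>
  <p><a href="http://wordpress.org/">Powered by WordPress</a></p>
  <style>.seo { height: 0; overflow: hidden; }</style>
  <div class="seo"><a href="http://example.net/cheap-pills">cheap pills</a></div>
  <div style="display:none"><a href="http://example.org/more">more</a></div>
</div>
"""


def find_hidden_styles(text):
    """Return (line_number, stripped_line) pairs that contain hide-from-view CSS."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if HIDDEN_STYLE_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


def find_unexpected_links(text, trusted_domains):
    """Return href values whose host is not a trusted domain or a subdomain of one.

    Relative URLs and PHP-generated values such as <?php bloginfo('url'); ?> have
    no parseable host and are skipped, since they stay on the site itself."""
    unexpected = []
    for href in HREF_RE.findall(text):
        host = urlparse(href).hostname
        if host is None:
            continue
        host = host.lower()
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            unexpected.append(href)
    return unexpected


def scan_template(text, trusted_domains):
    """Run both checks over one template or post body and return the findings."""
    return {
        "hidden_styles": find_hidden_styles(text),
        "unexpected_links": find_unexpected_links(text, trusted_domains),
    }


if __name__ == "__main__":
    # Point this at your real header.php, footer.php, style.css or exported posts.
    report = scan_template(SAMPLE_FOOTER, TRUSTED_DOMAINS)
    for lineno, line in report["hidden_styles"]:
        print(f"hidden style at line {lineno}: {line}")
    for href in report["unexpected_links"]:
        print(f"link to untrusted host: {href}")
```

A hit is a lead, not a verdict: legitimate themes use display:none for dropdown menus and screen-reader text, so inspect each flagged line before removing it.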

If you are not using the latest version of WordPress, your blog may be at risk. Currently, WordPress 1.x is no longer supported. The WordPress 2.0.x branch has been upgraded to 2.1.3 and 2.0.11. See the WordPress Release Archive for past versions of WordPress.

Blog Security recently updated its popular WordPress Whitepaper which reports on security issues and problems with WordPress. It includes tips and step-by-step procedures to improve the security of your WordPress blog, beyond the scope of this article. Also, consider using the WPIDS – WordPress Intruder Detection System Plugin to help you monitor your blog for intruders and attacks.

Copyright Lorelle VanFossen, the author of Blogging Tips, What Bloggers Won't Tell You About Blogging.

23 Comments

  1. Posted April 28, 2008 at 6:00 am | Permalink

    Security has done a full circle. At one point, vendors didn’t care much for secure software. Securing software only became important once their research (made public) started affecting sales. This justified the hype.

    We are moving back towards “responsible disclosure”. Which basically means less hype and more prepared responses from companies doing a bad job of releasing insecure software.

    Now for the scary part. I don’t think a lot of the vulnerabilities disclosed have been targeted. The vulnerabilities in WordPress that I have discovered have often been found while using the software and not because I was actually looking!

    How many vulnerabilities are actually in these products? At what point is it “irresponsible” for the vendor to release software that has not been through a security lifecycle.

  2. Posted April 28, 2008 at 6:18 am | Permalink

    EVERY software product is going to have security vulnerabilities. Based on a limited amount of coding experience myself, you cannot avoid having security problems, and many times when I have seen new products come out advertised as “100% secure,” a vulnerability is found in just a few days. (Safari for Windows, anyone?) What matters is not how secure or insecure something is, because ANY software product out there is going to be insecure somewhere, and once people figure out where that insecure vulnerability lies, then a new release will come out to patch that hole up, but there will still be others.

    What is more important than the presence of security vulnerabilities is how people respond to them. The developers of WordPress–or the developers of any program, for that matter–have the obligation to respond quickly and appropriately to these exposed vulnerabilities and to fix them before they become exploits, and the users of these programs have their own obligation to stay up-to-date.

    A good example of this is phpBB, which is an open-source forum software that I work closely with and cover. In December 2004, thousands of phpBB forums across the internet got hacked by the infamous “Santy” worm which took advantage of an exploit that had been patched a full month earlier. Many people across the internet screamed bloody murder, and the whole Santy worm debacle “tarnished” phpBB2′s security reputation across the popular press, but all of the affected boards were a couple of months to a few years behind the most-up-to-date version of phpBB, and if they had updated in November, when the “Critical update” had been released, they would have been fine.

    My point is this. The fact that vulnerabilities are frequently discovered in programs is unimportant–what is important is that the developers are quick and ready to respond appropriately to the discovery of vulnerabilities, and that the users of the program follow through on updating. (And in the case of WordPress.com, they don’t even have to worry about updating because the developers do it for them!) If the developers are doing their job but users don’t take the time to stay up-to-date, they have no basis on which to complain.

  3. Martin
    Posted April 28, 2008 at 6:20 am | Permalink

    I have a controversial site which is using WordPress, and over the past two years the WordPress software has not been hacked while I’ve been using it. In my view that’s a pretty good sign that WordPress is very stable. I have copped lots of DDoS attacks and hardware failures due to people attacking my site.

    In the long run all sites on the internet can be a target if not looked after properly. Follow those steps above and your days blogging should be pretty safe, just common sense really…

  4. Posted April 28, 2008 at 8:52 am | Permalink

    Lorelle

    Maybe you are right about the press coverage WordPress security issues get as compared to the other CMSs, but that does not mean there is less risk with one platform as compared to another. If people followed your tips religiously we should notice the incidents lower and make the web a safer place. But how many WordPress users can, or are willing to, run database queries? Even with a plugin?

    Nice to see you are addressing the topic though.

  5. Posted April 28, 2008 at 10:05 am | Permalink

    Are the recent high numbers due to the increased usage and popularity of WordPress? Is it because it is becoming a target of those who want to find ways of breaking WordPress? Is it because there is a dedicated WordPress community to uncover and report such issues? Is it because there are so many who care that WordPress remains safe and secure?

    Or is it because the Drupal devs are just more careful? You can’t just gloss over that little nugget as if it doesn’t exist. Articles like this are better without the whitewash component.

    In my view, WordPress has an excellent security record, but thanks to the paragraph I quoted your article is less journalism than advocacy.

  6. Posted April 28, 2008 at 11:05 am | Permalink

    None of the graphs you showed told us anything about the vulnerabilities. For example, though Firefox overall had more vulnerabilities than IE, of the ones found IE had far more critical vulnerabilities.

    This is what needs to be shown – an overall number is terribly misleading and doesn’t inform or educate anyone.

  7. Posted April 28, 2008 at 11:45 am | Permalink

    Those numbers do seem odd. It seems like we’ve fixed 2-3 vulnerabilities in 2008, nowhere close to 34.

  8. Posted April 28, 2008 at 12:12 pm | Permalink

    @ Matt:

    I, too, questioned their numbers, but this is the “official” source for tracking such reports, though who reports and how they are verified, and whether reports apply to WordPress, WordPressMU, Plugins, or Themes…I don’t know.

    My point was about facts on the ground versus perception and I, like you, know that the WordPress team works overtime to ensure WordPress is as safe as possible, while being flexible, for all users, no matter which platform they are on.

    I’ve always appreciated the transparency of WordPress, so it’s frustrating to not know if people are seriously calling “fire” or “wolf” when these issues come up. We need to talk about them, but we also have to our blogs are safe.

  9. Posted April 28, 2008 at 1:33 pm | Permalink

    The number of vulnerabilities per se means little from a security standpoint. Their severity is most important.

    BTW, I’d like a better back-porting policy for WP regarding security fixes only, because the (rather annoying) tendency of changing API/DB details at the last minute breaks a lot of plugins, so the authors have to catch up and people will not update their blogs.

    I have one blog still on 2.3.3 and it will stay like that until a necessary plugin will be updated. If I could just get the diffs for the security vulnerability, that would be a non issue.

  10. Posted April 28, 2008 at 1:42 pm | Permalink

    I’m in the same boat as Martin. I have some sites running WP that people would love to hack. Most of the efforts I see, however, are all automated scripts trying to guess the root account/password.

  11. Posted April 28, 2008 at 1:50 pm | Permalink

    @ Lorelle

    I’ve always appreciated the transparency of WordPress, so it’s frustrating to not know if people are seriously calling “fire” or “wolf” when these issues come up. We need to talk about them, but we also have to our blogs are safe.

    While we are talking about them, we should also try and engage them in figuring out if they understand things exactly as we see it. Looks like the perception issue is two sided, we are in a way biased about the software we all have fallen in love with. Aren’t we?

  12. Posted April 28, 2008 at 4:17 pm | Permalink

    Great article! It’s amazing how quickly misinformation spreads these days. A little common sense goes a long way. As do strong passwords!

  13. Posted April 28, 2008 at 9:51 pm | Permalink

    As long as you keep your WordPress version current and up to date you don’t have anything to worry about. WordPress is strong, solid, and reliable. All software is vulnerable; it’s just that when it gets on a large scale, exploiters attempt more aggressively to find hacks so that they may be open to a broad audience.

  14. Posted April 29, 2008 at 7:02 am | Permalink

    Lorelle,

    Maybe you are right about the press coverage WordPress security issues get as compared to the other CMSs, but that does not mean there is less risk with one platform as compared to another. If people followed your tips religiously we should notice the incidents lower and make the web a safer place. But how many WordPress users can, or are willing to, run database queries? Even with a plugin?

  15. Posted April 29, 2008 at 2:26 pm | Permalink

    A month ago my blog fell under attack due to a vulnerability in a COPPERMINE photo gallery installation that was on the same shared host (in my account though). Due to that, it set off a script adding a line of code to every non-protected PHP file that would call a .jpg file that was really a JavaScript trojan. I’ve heard of similar issues with other software installed on the same server getting hacked and somehow affecting the WordPress install, no matter how “locked down” it may be. The advice I was given was: if you must be on a shared host, make sure ALL your apps are locked down, or ask your hosting provider if, for a small fee, you could get your WordPress blog in its own directory separate from any other installs… typically this would be just a reseller account; however, if you explain why you would need it, and that you only want ONE (and that it would only be the blog), you’d be surprised at just how many hosting companies will grant you the separate account for your WordPress blog.

  16. Posted April 30, 2008 at 4:49 am | Permalink

    Backups are really the best form of security around. In spite of the good backup plugins available, few people seem to take advantage of them. I know I sleep better with mine working. I use Mozy for backing up my work PC, cause it’s a simple no brainer. It amazes me though, how many of my friends that I told about it have stopped using it. Go figure.

  17. Posted May 1, 2008 at 9:17 am | Permalink

    Joomla, Drupal, really? That’s an apples to oranges comparison, no? A more realistic number is security in comparison to MT. The WP fanbois fan these flames with their thin skins. They’ll blast other platforms all day long, but then when the criticism is on their platform, the whole world is out to get them.

  18. Posted May 2, 2008 at 1:28 am | Permalink

    Of course nothing can give you the same level of comfort that .htaccess authentication can, at least from automated bots.

  19. mrtorbert
    Posted May 3, 2008 at 11:53 am | Permalink

    Don’t forget about http://wordpress.org/extend/plugins/wp-security-scan/
    WP Security Scan

  20. Posted May 8, 2008 at 4:22 am | Permalink

    What I am doing is just install, remove, and upgrade for my WordPress. Thanks for the tips, it really helps me to keep my WordPress secure.

  21. weez
    Posted February 13, 2009 at 9:31 am | Permalink

    In response to comment number 2 (Douglas Bell).

    Most people don’t realize that it is possible to write software that is 100% bugfree, and thus no security issues. Daniel J Bernstein has done this many times (in addition to freeing encryption software for public use in Bernstein v. United States). Qmail is one of his contributions to the world. His DNS software in addition to being fast was immune to the recent DNS security issues ~10 years before anyone else. Check out his wikipedia entry

    • Posted February 13, 2009 at 2:50 pm | Permalink

      While this might be true, security vulnerabilities are found long after “perfectly formed” software is written, including the core code that created the Internet, which was only found last year. Programming that relies upon PHP, MySQL, Apache, operating systems, and other code from other sources occasionally have vulnerabilities uncovered – so does that make the original programming at fault? No, but people blame it anyway, as in the case of WordPress.

      Honestly, few things human-made are perfect or error free. I’m sure this person is good, but that doesn’t change the truth.

  22. weez
    Posted February 13, 2009 at 3:46 pm | Permalink

    The truth is that no blanket statements are true. That was my point in my original comment. It is possible to write error free code (or very very close to it) if that is your goal. In addition to rigorous testing requirements, you will have to do additional vetting on every piece that your system relies on, and for those that don’t pass muster, you will need to recreate them from scratch with security in mind. These are the conditions that DJB (mentioned above) worked under. His top goal was security, and he threw away error prone parts of the C library and wrote his own to help ensure that goal.

    The last I checked, no dynamic language interpreters were created with security being the number one goal. The security track record of all of them reflects that. Someone should go create a dynamic language from the ground up with security in mind. So yes, for a complex system like WordPress, even if the WordPress developers don’t introduce vulnerabilities, they are still blamed for the weakest link, which could be Apache, PHP, or the kernel of the OS they are working on.
