Analyzing WordPress Security - Case Study Example

Summary
This case study, "Analyzing WordPress Security", examines information security, which has become a serious challenge not only for business organizations but also for individuals. In the past few years, WordPress has emerged as the most powerful and attractive blogging platform…
Introduction

Information security is the process of protecting secret data and information from being damaged or accessed by unauthorized persons. At present, information security has become a serious challenge not only for business organizations but also for individuals. In the past few years, WordPress has emerged as a most powerful and attractive blogging platform, and it has now become a significant target for hackers seeking to take over blogs for search engine optimization (SEO), to hack them, to illegally control and redirect website traffic, and for various other reasons. In addition, a number of dangerous automated attacks have emerged that take advantage of newly discovered privacy and security vulnerabilities in WordPress. To date, WordPress has been dealing with security holes by releasing updates within a few days of new issues being identified; however, in the last few days new issues have come into view that nobody seems to have answers for.[1]

This report discusses different aspects of WordPress security, such as information security, breaches and possible security attacks. It outlines a number of security aspects and the possible kinds of attacks on WordPress websites, and it discusses the reasons behind these attacks. It also presents the potential solutions and measures we can adopt for effective security management while using WordPress. Moreover, this report outlines some real-world examples of WordPress security and privacy breaches.

Security Issues

In the past few years, many security issues and breaches were discovered in software and web applications, especially in 2007 and 2008. According to my research, in April 2009 WordPress had seven unpatched security advisories (out of 32 in total), with a maximum rating of "Less Critical". In 2007, many high-profile SEO blogs, as well as many low-profile commercial blogs featuring AdSense, were targeted and attacked with a WordPress exploit. A separate vulnerability on one of the development web servers allowed an attacker to introduce exploitable code, in the form of a back door, into a number of downloads of WordPress version 2.1.1. WordPress version 2.1.2 was released to deal with this problem, and the advisory released at the time directed all users to upgrade immediately.[2]

In 2007, a research study found that 98 percent of WordPress blogs in operation were exploitable because they were running out-of-date and unsupported versions of the software. In June 2007, Stefan Esser, the founder of the PHP Security Response Team, gave an interview in which he spoke critically of WordPress's security track record, citing problems with the system's architecture that made it unnecessarily hard to write code that is protected from SQL injection vulnerabilities, along with a number of further issues. Since then, WordPress has been working to improve its overall privacy and security, and the latest versions of WordPress offer additional features to deal with security issues. There were also some issues with security plug-ins such as WP safety and WP safety Scan, among others.[3]

Attacks against WordPress

This section presents an analysis of the security and privacy attacks that can be used against a WordPress website.
Cross-site scripting is one of the most frequently seen web application vulnerabilities. This vulnerability allows attackers to inject malicious scripts into web sites. The malicious scripts are then executed in the browsers of visitors to the site, in the security zone of the hosting website. As a result, the supplier of the script is able to gain access to data, which can be altered or transferred later on. Cross-site scripting is one of the most common attack techniques used by hackers today. It is also known by the abbreviations CSS and XSS; in this context, CSS does not refer to Cascading Style Sheets, the style sheet language used for website design and development. Web pages that pass data to and from a database are especially susceptible to XSS attacks. These can include pages that handle login IDs and passwords, pages with personal information forms, shopping carts that access credit card data, and so on. Hence retail, government, health care and financial web applications are especially at risk. Using cross-site scripting, a hacker can take control of a user account (which is also known as cookie theft), redirect clients to a fake site, or present fake data and information on the main hosting site. Moreover, there is a danger of secret data being compromised or hijacked; as a result, the confidence of clients can be gravely damaged by cross-site scripting.[4]

WordPress 3.3.1 was released to fix a cross-site scripting (XSS) vulnerability reported by the security researchers Samir Shah and Aditya Modha. In addition to dealing with this XSS issue, 3.3.1 addresses 15 problems within WordPress 3.3.
Once the vulnerability became public, many researchers attempted to reproduce it, but without success. However, research revealed that if WordPress is installed using an IP address, the vulnerability is exploitable. On the other hand, if WordPress is installed by means of a domain name, the website is not vulnerable. This is due to logic in the WordPress codebase that handles website URLs differently depending on whether WP_SITEURL is set or not.[5]

Another well-known security issue, the buffer overflow, has long been linked with security and privacy vulnerabilities. In the past, many security issues and breaches have happened because of buffer overflows, and such attacks can cause serious security and privacy problems.[6]

Different reasons why a hacker would target WordPress

This section tries to answer the question "why would a hacker target WordPress?" Basically, the majority of hackers want to obtain people's personal information. This is possible through blogs where writers present their personal information. Multi-author blogs incorporate the bio of every author at the bottom of their individual posts. This is a very good way to give credit to the author and to offer some personal information about them. As a result, any person is able to learn some personal facts and can guess the user's password.[7]

The main aim of these attacks is to take over the blog. WordPress blogs are read by a majority of people, and hackers want to take advantage of this popularity. They hack the blog so that traffic coming to it is directed to the hacker's web site, or to an infected web site, in order to harm the reader's computer.
In addition, the majority of SEO (Search Engine Optimization) websites tell us that placing an advertisement after the first post on our blog's home page is very effective. This is because the advertisement is essentially embedded in the blog content, so our readers are less likely to develop "ad blindness" and skip over the advertisement as usual.[8] The basic reason for hacking a WordPress blog is to direct the traffic towards a fake page. Normally, hackers want to harm people by obtaining their personal information, such as usernames and passwords. An attacker can also spread viruses to other systems.

Securing WordPress

In this section I will discuss the ways and methods that we can use for protecting and securing WordPress web sites.

Stay Updated

The most significant tip for protecting self-hosted WordPress sites is to stay updated. WordPress regularly releases new and more secure versions with security fixes. Thus, when bloggers see an update announcement in the admin panel, they should not overlook it. It is the single most effective way to protect their websites from these serious security attacks. Currently, many people leave their websites (as well as their clients' websites) un-updated for fear of breaking their themes and plug-ins.[9]

Create Custom Secret Keys

All the secret information about our WordPress website is stored in wp-config.php, which sits in the WordPress root directory. The secret keys are one of the pieces of data stored in that file, so one should make sure to change the default secret keys to something else.[10]

Change the Database Prefix

Many basic setup values for WordPress remain the same across many websites, particularly if we use a one-step installation wizard provided by our web host.
This is a wonderful and convenient option; however, plenty of common setup values, such as our database prefix, are known to hackers. Hence, if we fail to change the database prefix, the table names of our website's database are easily recognized by the people who are attempting to hack our website.[11]

Protect wp-config.php

As discussed above, the wp-config.php file keeps all the secret details of our site. Consequently, it is essential that we protect this file at any cost. A simple way to protect this file is to copy the protective code into the .htaccess file on the web server.[12]

Protect .htaccess File

We need to protect our wp-config.php file because of its importance for security management, but what about protecting the .htaccess file itself? We can use the same .htaccess file to protect itself from being preyed upon. This is done by copying the code into the .htaccess file.[13]

Real world examples of WordPress blogs being hacked

WordPress is one of the biggest web-based blogging platforms. According to an announcement that appeared on April 13, 2011, 13 hackers had succeeded in breaking into Automattic, whose servers host all the blogs running on the WordPress online platform. Although there are no details of the loss or of what the hackers made off with, they could potentially have taken the passwords as well as the source code of almost 25 million blogs and websites hosted by WordPress.[14]

No doubt WordPress is one of the world's best blogging platforms. However, there are numerous cases where WordPress blogs have been hacked. Sridhar Jammalamadaka has written an article in which he discusses a real-world example of WordPress blog hacking. In this example, his blog was hacked and redirected to a malicious web site which seriously infected his computer.[15]
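
The checks from the Securing WordPress section above (custom secret keys, a non-default database prefix, and .htaccess rules covering wp-config.php and .htaccess itself), written as an added example that is not part of the original essay. The function names, the 32-character minimum and the sample file contents are assumptions made for the illustration; the deny directives it looks for are Apache's `Require all denied` and the older `Deny from all`.

```python
import fnmatch
import re

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_KEY_LEN = 32  # assumed threshold for this example, not a WordPress rule

def audit_wp_config(text):
    """Findings for secret keys and the table prefix in wp-config.php text."""
    findings = []
    for name in KEY_NAMES:
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*(['\"])(.*?)\1\s*\)" % name, text)
        if m is None:
            findings.append(name + ": not defined")
        elif m.group(2) == PLACEHOLDER:
            findings.append(name + ": still the sample placeholder")
        elif len(m.group(2)) < MIN_KEY_LEN:
            findings.append(name + ": shorter than %d characters" % MIN_KEY_LEN)
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if m is None or m.group(1) == "wp_":
        findings.append("table_prefix: missing or default 'wp_'")
    return findings

def htaccess_denies(text, filename):
    """True if an active <Files>/<FilesMatch> block for filename denies access."""
    blocks = re.findall(r"<Files(Match)?\s+\"?([^\">]+?)\"?\s*>(.*?)</Files(?:Match)?>",
                        text, flags=re.S | re.I)
    for is_regex, pattern, body in blocks:
        covered = (re.search(pattern, filename) is not None if is_regex
                   else fnmatch.fnmatchcase(filename, pattern))
        # Anchored per line, so a commented-out directive does not count.
        denied = re.search(r"^[ \t]*(Require\s+all\s+denied|Deny\s+from\s+all)[ \t]*$",
                           body, flags=re.I | re.M)
        if covered and denied:
            return True
    return False

def sample_config(key_value, prefix):
    """Build a constructed wp-config.php fragment for the demonstration."""
    defines = "".join("define('%s', '%s');\n" % (n, key_value) for n in KEY_NAMES)
    return "<?php\n" + defines + "$table_prefix = '%s';\n" % prefix

# Constructed sample inputs: an untouched install and a hardened one.
WEAK_CONFIG = sample_config(PLACEHOLDER, "wp_")
HARD_CONFIG = sample_config("constructed-example-key-" + "Zq7!" * 4, "x4k9_")
WEAK_HTACCESS = "<Files wp-config.php>\n# Require all denied\n</Files>\n"
HARD_HTACCESS = r"""<Files wp-config.php>
Require all denied
</Files>
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
"""

if __name__ == "__main__":
    print("weak:", audit_wp_config(WEAK_CONFIG), htaccess_denies(WEAK_HTACCESS, "wp-config.php"))
    print("hardened:", audit_wp_config(HARD_CONFIG), htaccess_denies(HARD_HTACCESS, ".htaccess"))
```

The weak sample shows the case a quick visual check misses: the `<Files>` block is present but its deny directive is commented out, so the file is still served.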

Conclusion

At present, information security has become a serious challenge not only for business organizations but also for individuals. In the past few years, WordPress has emerged as a most powerful and attractive blogging platform, and it has now become a significant target for hackers seeking to take over blogs for search engine optimization (SEO), to hack them, to illegally control and redirect website traffic, and for various other reasons. This report has discussed the ways hackers can hack WordPress blogs. It has also discussed the basic intentions of hackers. WordPress is the most popular blogging platform, which is why it attracts many hackers and security attackers as well. They carry out malicious activities to cause harm or to gain access to people's personal information.

Bibliography

ABELA, R. 'Cross-site Scripting', Web Site Defender [web page] (2011), accessed 12 March 2012.
CATASTROPHE, 'Web Security and Major 2011 Website Breaches', DoitYourselfComputing [web page] (2011), <http://doityourselfcomputing.com/website-security-and-major-2011-website-breaches/>, accessed 13 March 2012.
CUBRILOVIC, N. 'WordPress Security Issues Lead To Mass Hacking. Is Your Blog Next?', TechCrunch [web page] (2008), accessed 10 March 2012.
ETHICAL HACKER, 'New version of Opera Released to Fix Cross-site Scripting Vulnerability', Live Hacking [web page] (2012), accessed 12 March 2012.
GROVER, S. '[0x0020] Buffer Overflow Attacks and Their Countermeasures', WordPress [web page] (2010), <http://eohnik.wordpress.com/2010/09/05/0x0020buffer-overflow-attacks-and-their-countermeasures/>, accessed 13 March 2012.
HONGKIAT, '40+ Most Wanted Wordpress Tricks and Hacks', Hongkiat [web page] (2008), <http://www.hongkiat.com/blog/40-most-wanted-wordpress-tricks-and-hacks/>, accessed 13 March 2012.
JAMMALAMADAKA, S. 'The Story of a hacked wordpress blog and lessons learnt', Shoutmeloud [web page] (2012), <http://www.shoutmeloud.com/the-story-of-a-hacked-wordpress-blog-and-lessons-learnt.html>, accessed 13 March 2012.
WIKIPEDIA, 'WordPress', Wikipedia [web page] (2012), accessed 12 March 2012.
ZALA, A. '11 Quick Tips: Securing Your WordPress Site', TutsPlus [web page] (2011), <http://wp.tutsplus.com/tutorials/11-quick-tips-securing-your-wordpress-site/>, accessed 13 March 2012.
(“Analyzing WordPress Security Essay Example | Topics and Well Written Essays - 2000 words”, n.d.)
Retrieved from https://studentshare.org/information-technology/1445048-analyzing-wordpress-security