Survey Finds Most WordPress Blogs Vulnerable 82
BlogSecurity writes "Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software. He said, 'The main concern here is the lack of security awareness amongst bloggers with a non-technical background, and even those with a technical background.' Mr Kierznowski also uncovered recent vulnerabilities in WordPress plugins that ship by default with the software, adding: 'WordPress users developing plugins must be aware of the security functions that WordPress supports, and ensure that these functions are used in their code.'"
Securing LAMP (Score:5, Informative)
SecFilterSelective REQUEST_URI
SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg
SecFilterSelective ARG_username YOURUSERNAME chain
SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg
Where your IP address and your username are the only ones to allow anything to the admin page. Anything else gets redirected elsewhere.
Time to upgrade again (Score:3, Informative)
http://codex.wordpress.org/Upgrading_WordPress [wordpress.org]
SQL injection? (Score:3, Informative)
Re:How do you fix it? (Score:5, Informative)
Block Spam injections [pathf.com]
Directory traversal attacks SecFilter "\.\./"
XSS attacks
SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"
SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
Too many times there are clueless admins (not you per se). But this also tends to be one of the grips on the Ubuntu Document [infiltrated.net] people flame me for. If *semi* even experienced admins can't lock a machine down... Imagine when Ubuntu on Dell becomes the next hot thing. Flame as much as you'd like facts are facts
Re:How do you fix it? (Score:2, Informative)
Users should 'fix' wordpress by keeping upto date with the latest stable versions of PHP and wordpress; security is a process and not a product. Personally I wouldn't use wordpress, it may be one of the better written PHP web-apps but unfortunately that isn't saying much at all.
Re:How do you fix it? (Score:1, Informative)
Instructions on upgrading WordPress. [wordpress.org]
This assumes you control where your site is hosted. If it's a WP install provided by your hosting provider, ask them if they're up to date, and if not nag them until they are.
(Now to see if posting AC cancels the mod points I'd already used here.. Ooh, a CAPTCHA!)
HTH, NickFitz.
Re:How do you fix it? (Score:1, Informative)
Hmm, perhaps Wordpress.com [wordpress.com]? I'm fairly certain that they offer hosting on your domain name now, not just at username.wordpress.com.
(Not a shill, just trying not to undo my moderations.)