Wednesday, June 12, 2013

Why Not to Use WordPress for Your Automotive Blog



In regard to questions on my post about WordPress blogs: first, let me make perfectly clear that, as stated in the post, “WordPress is an impressive software package that allows individuals with minimal understanding of web design to put together a web site rapidly, and for personal use it is unmatched.”

The second thing I should mention is that just because your WordPress site has not been defaced does not mean it could not be, or has not been, hacked. Hackers attack sites and applications for various reasons, whether that be to test their skill set, deface sites with their tags and graphics, hijack sites, or scan databases for personal information, and the list of reasons goes on and on. Doing a simple search for "wordpress hacked" will bring back thousands of results, with most of them pointing to information on how to recover from a hacked WordPress site. Trust me, all the various security gurus out there would not have taken the time to cover the topic in such great detail if it was not a major issue.

Yes, WordPress is an open source software package. What that means is that developers can easily tweak code and/or add custom plug-ins. What that also means is that hackers don't have to do much work to know the layout of your site's files, the structure of your database, where your site upload pages are, which pages include your database connection information, which pages contain your data queries, etc. Again, a simple website or blog that is not collecting user information, and is updated regularly, is not at great risk, but it is still at risk.

Recovering from a compromised site can be a costly and time-consuming project.

Having worked as an application security & development analyst for over the last 20 years, I cannot begin to count the number of people who I have had to help recover from a hacked WordPress site. Sadly, most of them were running simple little sites that really had no need for all the bloated code that comes in a premade CMS template. All that being said, I'm not going to ask anyone to take my word for it; each individual should do their own due diligence and research the topic for themselves. Here are some great links to get you started.

OWASP Wordpress Security Checklist Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project


OWASP vulnerabilities relevant to WordPress
http://security.stackexchange.com/questions/29930/what-vulnerabilities-in-the-owasp-top-10-are-relevant-to-wordpress


WordPress.org information on recovering from database hack
http://wordpress.org/support/topic/post-hack-database-inspection-and-cleanup

WordPress.org Listing of Maintenance and Security updates
http://wordpress.org/news/category/security/


RandomStorm Backtrack cross site scripting information


Tuesday, June 11, 2013

VL Automotive Blogger VS Wordpress





One question I'm commonly asked in regard to blogging platforms is why I prefer my self-rolled VL Automotive Blogging System over WordPress or Joomla type systems. Well, it's a great question. Coming from primarily an application development & security background, the number one reason would be security concerns.

WordPress is an impressive software package that allows individuals with minimal understanding of web design to put together a web site rapidly, and for personal use it is unmatched. Nevertheless, for commercial use you will want to question whether it is a good idea to use software which is habitually hacked, delivers slow performance and involves continuous technical attention.

The VL Automotive Blogging System consists of about 20 files containing markup code, whereas a WordPress or Joomla site normally contains over 1,000 files of code and can exceed 6,000 files depending on the plug-ins installed. The amount of code that needs to be managed, updated, etc. is considerable, adding to the cost and resources needed to maintain an effective blogging platform.

Since there are countless blogs using WordPress, they can be a definite target for computer hackers. When a hacker can locate a vulnerability in a single system, chances are it is present on many of the others. Additionally, as robots can determine whether or not a site is made with WordPress, once a weakness has been discovered it is typically exploited automatically on every similar website the hackers find. Once a blog has been hacked, it can be really difficult and expensive to fix.
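A site owner can see this untargeted scanning in their own web server access log. The following is an added example, not code from this blog or from WordPress: it flags clients that request several of WordPress's standard paths and notes whether any of those paths were actually served. The function name, the threshold and the sample log lines are constructed for illustration, and the log is assumed to be in Combined Log Format.

```python
import re
from collections import defaultdict

# Standard WordPress entry points and directories that automated scanners request.
WP_PATHS = re.compile(r"^/(wp-login\.php|xmlrpc\.php|wp-admin/|wp-content/|wp-includes/)", re.I)

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2013:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [12/Jun/2013:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [12/Jun/2013:10:01:04 +0000] "GET /wp-content/plugins/ HTTP/1.1" 404 162 "-" "-"
198.51.100.20 - - [12/Jun/2013:10:02:00 +0000] "GET /blog/oil-change-tips HTTP/1.1" 200 5120 "-" "-"
198.51.100.20 - - [12/Jun/2013:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "-"
192.0.2.44 - - [12/Jun/2013:10:03:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "-"
malformed line
"""

def wordpress_probes(log_text, min_paths=2):
    """Return {ip: {"paths": [...], "hits": n, "served": bool}} for clients
    that requested at least `min_paths` distinct WordPress paths."""
    seen = defaultdict(lambda: {"paths": set(), "hits": 0, "served": False})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if WP_PATHS.match(path):
            entry = seen[ip]
            entry["paths"].add(path)
            entry["hits"] += 1
            # A 2xx/3xx answer means the path exists on this site.
            entry["served"] |= status[0] in "23"
    return {ip: {**e, "paths": sorted(e["paths"])}
            for ip, e in seen.items() if len(e["paths"]) >= min_paths}

if __name__ == "__main__":
    for ip, info in wordpress_probes(SAMPLE_LOG).items():
        print(ip, info["hits"], "hits, served:", info["served"], info["paths"])
```

A client that sweeps several of these paths and only gets 404s is a scanner looking for any WordPress site; a `served` value of true means the site really exposes those paths and they deserve hardening.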


Any site online is in danger from hackers to some degree; however, having a VL Automotive Blog would mean that a hacker will need to target your blog specifically. The difference with a WordPress-based blog is that the hacker can target a large number of blogs at once, without knowing or considering who they belong to.

Wiredwizrd

Morgan Todd Lewistown, PA

Experienced Information Technology Manager with a strong knowledge of technical guidance, IT best practices, security protocols, team leadership, and analyzing business requirements.