WordPress owes much of its success to the fact that it is an easy-to-use application and, thanks to its five-minute installation, easy to get up and running. Just about anyone who can patiently sit through a few clicks of the mouse can begin publishing via WordPress in a matter of minutes.
With over 9.7 million active installations of WordPress and 32 of the Technorati Top 100 blogs of 2009 using the application for either self-hosted blogs or blogs hosted on WordPress.com, it is fair to say that WordPress is by far the most popular blogging system in existence.
Even though it is the choice of so many bloggers, WordPress is not without its problems, and those problems generally concern the security of the application itself. Over the years, blogs running WordPress have been the targets of multiple attacks designed to deface the web site, interrupt service, or steal sensitive data.
The figures this post takes from the National Vulnerability Database, 2 known vulnerabilities in 1988 rising to 5,733 in 2009 with 377 more in the first month of 2010 alone, can only be the database's totals across all products, since WordPress itself was first released in 2003. The trend is the point: vulnerability disclosure is accelerating, and those 2010 entries came only months after a WordPress update that dealt with specific vulnerabilities found in the previous version of the software.
Unfortunately, most people who install WordPress don't give security a second thought. Many of them are under the impression that since they don't house financial information or sensitive user information, their blog is not a target for attack. This was disproved by recent attacks in which blogs were infected with a worm that created a hidden administrator account on the blog and inserted spam and malicious links into postings hosted on the blog. The attack caused neither a denial of service nor data theft, but neither was its intent. By infecting a large number of sites, the attackers raised the chances that unsuspecting visitors would fall for their spam or malicious links, which made everyday blogs a perfect target for this campaign.
This link injection attack not only made the cyber criminals a good chunk of money, it also seriously hurt each infected blog's search engine position: once the spiders found the spam and malicious links, the sites were flagged by Google and the other search engines.
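The two symptoms described above, an administrator account the owner never created and links hidden inside post content, can both be checked for from the database. The script below is an added example, not code from the original post or from the worm's analysis; the sample rows are constructed in the shape of WordPress's wp_users, wp_usermeta and wp_posts tables, the KNOWN_ADMINS allow-list and the regular expressions for hidden elements are assumptions for the example, and on a real site the rows would come from a SQL dump or direct SELECTs.

```python
import re

# Constructed sample rows in the shape of WordPress's wp_users, wp_usermeta and
# wp_posts tables. In practice these would come from a SQL dump or SELECTs.
USERS = [
    {"ID": 1, "user_login": "editor", "user_registered": "2009-03-01 10:00:00"},
    {"ID": 7, "user_login": "admin_x", "user_registered": "2009-09-04 03:12:55"},
]
USERMETA = [
    # wp_capabilities holds a PHP-serialized array keyed by role name.
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 7, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
POSTS = [
    {"ID": 10, "post_title": "Hello",
     "post_content": "<p>Welcome to my blog.</p>"},
    {"ID": 11, "post_title": "Recipes",
     "post_content": ('<p>Pie.</p>'
                      '<div style="display:none">'
                      '<a href="http://pharma.example/buy">cheap pills</a></div>')},
]

# Accounts the site owner actually created (assumption for the example).
KNOWN_ADMINS = {"editor"}

# An element whose inline style hides it: display:none, visibility:hidden,
# or pushed far off-screen. Group 3 captures its inner HTML.
HIDDEN_BLOCK = re.compile(
    r'<(div|span|p)\b[^>]*style=["\'][^"\']*?'
    r'(display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)'
    r'[^"\']*["\'][^>]*>(.*?)</\1>',
    re.I | re.S)
LINK = re.compile(r'<a\b[^>]*href=["\']([^"\'>]+)["\']', re.I)


def is_admin_capability(meta_value):
    """True if a serialized wp_capabilities value grants the administrator role."""
    return 's:13:"administrator"' in meta_value


def unexpected_admins(users, usermeta, known_admins):
    """Logins that hold the administrator role but are not in the owner's list.

    meta_key is matched by suffix so a non-default table prefix still works.
    """
    admin_ids = {
        m["user_id"] for m in usermeta
        if m["meta_key"].endswith("capabilities") and is_admin_capability(m["meta_value"])
    }
    return sorted(u["user_login"] for u in users
                  if u["ID"] in admin_ids and u["user_login"] not in known_admins)


def hidden_links(posts):
    """(post ID, URL) for every link sitting inside a hidden element."""
    hits = []
    for post in posts:
        for block in HIDDEN_BLOCK.finditer(post["post_content"]):
            for url in LINK.findall(block.group(3)):
                hits.append((post["ID"], url))
    return hits


if __name__ == "__main__":
    for login in unexpected_admins(USERS, USERMETA, KNOWN_ADMINS):
        print("unexpected administrator account:", login)
    for post_id, url in hidden_links(POSTS):
        print(f"hidden link in post {post_id}: {url}")
```

The role check works on the serialized string rather than unserializing it, because the only thing that matters here is whether the administrator key is present; a compromised site should be audited from a database dump taken before any cleanup, since the worm's account and links are the evidence of how far it got.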
The one thing that any publisher using WordPress needs to do to secure their site is to update the software whenever a new release is available. Fortunately, WordPress has made this easy to do through the dashboard: simply click the "WordPress 2.x.x is available" update link found at the top of the page.
Keeping WordPress up to date is a start, and while it may be the most effective step you take in securing your blog, it is not the only one. Restricting who can reach the wp-admin directory is another: the .htaccess rules below deny access to everyone except the listed IP addresses.
```apache
# Place this file at wp-admin/.htaccess. The Auth* lines are inert without a
# Require directive; the Order/Deny/Allow lines are what actually filter access.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Apache 2.2 access-control syntax (needs mod_access_compat on Apache 2.4).
Order Deny,Allow
Deny from all
# allow address 1
Allow from xx.xx.xx.xx
# allow address 2
Allow from xx.xx.xx.xx
# Apache 2.4 equivalent of the four lines above:
# Require ip xx.xx.xx.xx xx.xx.xx.xx
# Caveat: wp-admin/admin-ajax.php is also called from the public site by many
# plugins and themes, so those features break for visitors outside the list
# unless admin-ajax.php is exempted with a <Files> block.
```
(Special thanks to wpbeginner.com for the code found in "Protect Your Admin Folder in WordPress by Limiting Access in .htaccess".)
After reading this, many people may second-guess their decision to install WordPress. However, that is not the intent of this warning. WordPress powers millions of blogs, and those who take security seriously run for years without incident. Failure to protect any web application will result in the site being attacked, and WordPress is no more susceptible than Joomla!, Moodle, MediaWiki, Drupal, or even a standard HTML-powered site. Although its popularity does make it a bigger target, smart WordPress administrators will rise to these challenges and continue to provide blogs with great content in an environment that has been hardened against attack.