As a content management platform, WordPress is tremendously popular among users because it is so easy to use. The thing is, it's a popular target for criminals and attackers, too. If you have a WordPress site, you need to take some basic steps to secure your site.
DDoS with WordPress
While there is always the concern that your WordPress site can be hacked to serve up malware to your site visitors, or redirect them to a dodgy site elsewhere on the Web, you also don't want to find out that your site is being used to launch attacks against other sites. Earlier this week, security firm Sucuri reported that more than 162,000 WordPress sites had been tricked into participating in a distributed denial-of-service attack against another site.
The thing is, the sites weren't hijacked or infected to form a botnet. The attackers abused Pingbacks, a perfectly legitimate feature in WordPress, to flood the targeted site with unwanted traffic. Pingbacks are used by one WordPress site to notify other sites when a post links to them. In the attack observed by Sucuri, the attacker tricked the sites into sending a Pingback request to the same target URL, which was easy to do since Pingback is enabled by default in WordPress. The targeted site was suddenly bombarded with Pingback requests, which essentially amounted to a DDoS attack.
If you are running WordPress, you should consider turning off Pingbacks to make sure your site can't be used to attack other sites. The feature notifies you when someone else is talking about you, which is a nice ego-booster, but is it worth keeping it around to be abused? Sucuri has suggestions on how to block pingbacks on its site.
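One way to switch the feature off on a self-hosted site is a small must-use plugin that removes the XML-RPC pingback method and stops the site advertising a pingback endpoint. This is an added illustration written for this article, not code from Sucuri or from WordPress itself; the file name and plugin header are hypothetical.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks (illustrative example)
 * Description: Hypothetical mu-plugin. Save as wp-content/mu-plugins/disable-pingbacks.php
 *              so it loads on every request without needing activation.
 */

// Treat pingbacks as closed on every post. WordPress consults pings_open()
// both when deciding whether to send pingbacks for a published post and
// when handling incoming ones, so this covers both directions.
add_filter( 'pings_open', '__return_false', 10, 2 );

// Remove the XML-RPC method that was abused in the attack described above.
// With it gone, xmlrpc.php answers pingback.ping calls with "method not
// found" instead of fetching the "source" URL supplied by the caller.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header ...
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... and blank the URL that themes print in <link rel="pingback" href="...">
// via bloginfo('pingback_url'). Themes that hard-code the URL are not covered.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

After installing it, a quick check is to request `/xmlrpc.php` with a `system.listMethods` call and confirm `pingback.ping` is no longer listed, and to verify the `X-Pingback` header is absent from a normal page response.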
Leaky WordPress
Dave Lewis, a senior security advocate with Akamai Technologies, used Google to find over 111,000 WordPress sites whose database backups were accessible from the Internet. The list included "all manner of websites from independent music sites to doctor offices and even some government websites," Lewis wrote on his CSO blog. The dump contained detailed information about the database, which attackers could use to launch other attacks, but also a potential leak of your data.
Obviously, backups should not be accessible from the Internet. If backups are running locally on the same server WordPress is installed on, then plugins from Wordfence or Sucuri can block unauthorized access, Lewis said.
Outdated WordPress
The most important task for WordPress administrators is to stay on top of software updates, not just for the core platform, but for each of the plugins running on the site. Outdated versions of WordPress are constantly under attack, especially the plugins. "Malicious hackers are always looking for ways to infect computer users, and what better technique can there be than to compromise an existing, legitimate website and subvert it in such a way that it sneakily infects computer users when they visit it," said security consultant Graham Cluley.
Attackers can exploit unpatched flaws to perform SQL injection or cross-site scripting attacks. The flaws can also be exploited to infect the site with malware. For the most part, these issues are generally the result of problems with plugins, not the core software platform, making it even more critical that plugins are regularly updated.
It's important to note the difference between sites hosted on WordPress.com and WordPress sites that run on other servers. The team behind WordPress keeps the software up-to-date on WordPress.com, so that individual users don't have to. Self-hosted sites require the site owner to stay on top of patches and updates to make sure the software remains current.
If you are going to run WordPress, keep ahead of the attackers by keeping your site updated regularly.