Slashdot Mirror


Survey Finds Most WordPress Blogs Vulnerable

BlogSecurity writes "Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software. He said, 'The main concern here is the lack of security awareness amongst bloggers with a non-technical background, and even those with a technical background.' Mr Kierznowski also uncovered recent vulnerabilities in WordPress plugins that ship by default with the software, adding: 'WordPress users developing plugins must be aware of the security functions that WordPress supports, and ensure that these functions are used in their code.'"

7 of 82 comments

  1. Securing LAMP by packetmon · · Score: 4, Informative

    Securing LAMP, Mod Security. It's so simple a fix with mod_security...

    # Only YOUR.IP.ADDRESS may reach /admin.php; everyone else is redirected
    SecFilterSelective REQUEST_URI /admin.php chain
    SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg
    # Only YOUR.IP.ADDRESS may submit YOURUSERNAME as the username
    SecFilterSelective ARG_username YOURUSERNAME chain
    SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg

    Only your IP address and your username are allowed through to the admin page. Anything else gets redirected elsewhere.

  2. Time to upgrade again by umrguy76 · · Score: 3, Informative

    At least the WordPress site offers easy to follow directions.

    http://codex.wordpress.org/Upgrading_WordPress

  3. SQL injection? by tcopeland · · Score: 2, Informative

    An article about a WordPress vulnerability from last month sounded like a SQL injection flaw, and Secunia has a bunch listed here. Mostly DoS and cross-site scripting... plus some "unspecified"...

  4. Re:How do you fix it? by packetmon · · Score: 4, Informative

    http://www.infiltrated.net/docs/modsecips.html step by step... If it's your own server... If not, have the admin slap on mod_security for you and add the same rules in my previous post on this page... www.infiltrated.net/admin.php go for it... That's how I add content. There are a lot of variables to prevent against injections, etc.

    Block Spam injections

    Directory traversal attacks
    SecFilter "\.\./"

    XSS attacks
    SecFilter "<(.|\n)+>"
    SecFilter "<[[:space:]]*script"

    SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    Too many times there are clueless admins (not you per se). But this also tends to be one of the gripes the Ubuntu Document people flame me for. If *semi* even experienced admins can't lock a machine down... Imagine when Ubuntu on Dell becomes the next hot thing. Flame as much as you'd like, facts are facts.
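    The admin allow-list from comment 1 and the SecFilter patterns from comment 4, reimplemented in Python as an added example (not code from the thread or from mod_security) and run over constructed request strings; the IP and username are assumed stand-ins for the placeholders. The "benign prose" sample shows a false positive: `select.+from` fires on an ordinary English sentence, which is the kind of blunt match the next reply calls a band-aid.

```python
import re

# Assumed values standing in for the YOUR.IP.ADDRESS / YOURUSERNAME placeholders.
ADMIN_IP = "203.0.113.7"
ADMIN_USER = "alice"

# The SecFilter patterns from the post as Python regexes. Python's re has no
# POSIX [[:space:]] class, so it is written as \s; case-insensitive matching
# is a choice made for this reimplementation, not a claim about mod_security.
FILTERS = {
    "directory traversal": re.compile(r"\.\./"),
    "xss: any tag": re.compile(r"<(.|\n)+>", re.IGNORECASE),
    "xss: script tag": re.compile(r"<\s*script", re.IGNORECASE),
    "sqli: delete": re.compile(r"delete\s+from", re.IGNORECASE),
    "sqli: insert": re.compile(r"insert\s+into", re.IGNORECASE),
    "sqli: select": re.compile(r"select.+from", re.IGNORECASE),
}


def admin_decision(path, remote_addr, args):
    """Comment 1's two chained rules: only ADMIN_IP may request /admin.php or
    submit ADMIN_USER as the username; any other source is redirected."""
    if path == "/admin.php" and remote_addr != ADMIN_IP:
        return "redirect"
    if args.get("username") == ADMIN_USER and remote_addr != ADMIN_IP:
        return "redirect"
    return "allow"


def matched_filters(text):
    """Names of the comment-4 patterns that would fire on this request text."""
    return [name for name, rx in FILTERS.items() if rx.search(text)]


# Constructed sample query strings / form bodies, not captured traffic.
SAMPLES = {
    "traversal": "page=../../private/notes.txt",
    "script": "comment=<SCRIPT>alert(1)</script>",
    "benign prose": "comment=Please select a topic from the list below.",
    "plain": "s=wordpress+upgrade",
}

if __name__ == "__main__":
    print(admin_decision("/admin.php", "198.51.100.9", {}))   # redirect
    print(admin_decision("/admin.php", ADMIN_IP, {}))         # allow
    for label, text in SAMPLES.items():
        print(f"{label:13s} -> {matched_filters(text)}")
```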

  5. Re:How do you fix it? by Anonymous Coward · · Score: 2, Informative

    Mod security is an even bigger joke than your Ubuntu article! No web app should be vulnerable to directory traversal, XSS or SQL injection in 2007. If developers have made these simple mistakes, there's a strong possibility they made others that a band-aid will not fix.

    Users should 'fix' WordPress by keeping up to date with the latest stable versions of PHP and WordPress; security is a process and not a product. Personally I wouldn't use WordPress, it may be one of the better written PHP web-apps but unfortunately that isn't saying much at all.

  6. Re:How do you fix it? by Anonymous Coward · · Score: 1, Informative

    Instructions on upgrading WordPress.

    This assumes you control where your site is hosted. If it's a WP install provided by your hosting provider, ask them if they're up to date, and if not nag them until they are.

    (Now to see if posting AC cancels the mod points I'd already used here.. Ooh, a CAPTCHA!)

    HTH, NickFitz.

  7. Re:How do you fix it? by Anonymous Coward · · Score: 1, Informative

    Can anyone recommend a good, high quality, WordPress hosting company that handles all the tech work and just lets her handle the content?

    Hmm, perhaps WordPress.com? I'm fairly certain that they offer hosting on your domain name now, not just at username.wordpress.com.

    (Not a shill, just trying not to undo my moderations.)