Slashdot Mirror


Survey Finds Most WordPress Blogs Vulnerable

BlogSecurity writes "Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software. He said, 'The main concern here is the lack of security awareness amongst bloggers with a non-technical background, and even those with a technical background.' Mr Kierznowski also uncovered recent vulnerabilities in WordPress plugins that ship by default with the software, adding: 'WordPress users developing plugins must be aware of the security functions that WordPress supports, and ensure that these functions are used in their code.'"

1 of 82 comments

  1. Re:How do you fix it? by packetmon · Score: 0, Redundant

    I should have included the fix for the ASCIIZ bypass... So here goes...

    SecRule REQUEST_BODY "@validateByteRange 1-255" "log,deny,phase:2,t:none,msg:'ModSecurity ASCIIZ Evasion Attempt'"

    Now back to a response... My point is that you responded to a request from an end user with the wrong solution. It's not a solution for a single end user running WP in a shared hosting environment or virtual machine.

    You must be kidding? I have about 15 other sites hosted on the same box and my rules affect no one but my own site.

    Plus mod security requires you know how the web app works before you can write the rules; at that point it's as easy to patch the software itself for a single install.

    So let me put this in logical terms via way of analogy... You want someone to just point and click run an application without them knowing a shizzle about how it works and why... They just want it up and running... Then at the same time you expect them to be savvy enough to 1) monitor for updates, 2) install those updates... So how different is this from me stating... By the way, here is an even SLICKER method for making SURE no one is going to touch your machine. Heck I could have avoided using mod_security and used .htaccess with a proxy server set to only allow localhost then do updates via ssh and links... That's the foolproof method.

    Regardless of the software I throw up, it's UP TO ME as a USER to make sure MY IMPLEMENTATION of software is secure enough for ME. No vendor, FOSS developer person on the planet will release a patch in quick enough time for me. Hence security being pre-emptive and proactive. So I could care less if product_foo has updated versions or not. And one would have to be an ass to wait for a vendor to release a patch if there is something they could do to protect themselves in the interim... So analogy... Your house is starting to burn... You have a fire extinguisher near you and you dial 911... Do you a) wait for 911 to get there or b) try to do something in the interim. I don't know about you but I'm trying to put that fire out before my house burns. Fire department can get here when they do.

    Your Ubuntu article overstates itself; sandboxing granny's activities and protecting sudoers/wheel is a good idea. You wrote an alarmist article that is almost indistinguishable from FUD.

    You're free to prove me wrong... Show factual information. I gave facts and proof.
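The byte-range check that packetmon's ModSecurity rule relies on (@validateByteRange 1-255 over the request body, i.e. reject any NUL byte), reimplemented as an added Python example so its effect can be seen on constructed request bodies. This is not code from the thread or from ModSecurity; the rule semantics are modelled only as far as the comment shows them (phase 2, no transformation, deny on hit). Beyond the single "1-255" range the function also accepts comma-separated range lists, which is an assumption about the operator's general syntax, not something the comment states.

```python
"""Added example: the check performed by ModSecurity's @validateByteRange
operator, reimplemented in plain Python (not ModSecurity's own code)."""


def parse_byte_ranges(spec: str) -> set[int]:
    """Expand a byteRange spec such as "1-255" or "32-126,9,10,13" into the
    set of allowed byte values. The comma-separated form is an assumption."""
    allowed: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad byte range: {part!r}")
        allowed.update(range(lo, hi + 1))
    return allowed


def validate_byte_range(body: bytes, spec: str = "1-255") -> list[tuple[int, int]]:
    """Return (offset, byte) for every byte of `body` outside the spec.
    An empty list means the body passes; any hit would trigger 'deny'."""
    allowed = parse_byte_ranges(spec)
    return [(i, b) for i, b in enumerate(body) if b not in allowed]


def inspect_request(body: bytes, spec: str = "1-255") -> dict:
    """Mimic the rule as posted: inspect the raw request body (phase 2),
    apply no transformation (t:none), deny and log on the first violation."""
    hits = validate_byte_range(body, spec)
    return {
        "action": "deny" if hits else "pass",
        "msg": "ModSecurity ASCIIZ Evasion Attempt" if hits else "",
        "offsets": [i for i, _ in hits],
    }


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "clean": b"comment=hello+world&author=alice",
    "nul_byte": b"title=hello\x00world",  # embedded NUL: byte 0 is outside 1-255
    "utf8": "title=caf\u00e9".encode("utf-8"),  # high bytes are allowed by 1-255
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_request(body))
```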