Servage Magazine

Information about YOUR hosting company – where we give you a clear picture of what we think and do!

WordPress vulnerabilities

Wednesday, August 21st, 2019 by Helge

In the last post, Servage gave some hints and tips how to speed up your WordPress. Since Servage is a perfect WordPress hoster and many of our customer run that application, we like to address some WordPress vulnerabilities in this blog.  Wordpress_securityPlease note that we can’t give a full and complete overview of that subject in this post. We can only give some hints and some more general information.  In the following you see a brief “historical” overview of security issues in the past and about the fixes to give you an idea what happened within the last years For more and detailed information and for recent potential issues, please contact the official WordPress COMMUNITY and specially the subsection about SECURITY

Many security issues have been uncovered in the software, particularly in 2007, 2008, and 2015. According to Secunia, WordPress in April 2009 had seven unpatched security advisories (out of 32 total), with a maximum rating of “Less Critical”. Secunia maintains an up-to-date list of WordPress vulnerabilities. In January 2007, many high-profile search engine optimization (SEO) blogs, as well as many low-profile commercial blogs featuring AdSense, were targeted and attacked with a WordPress  exploit. A separate vulnerability on one of the project site’s web servers allowed an attacker to introduce exploitable code in the form of a back door to some downloads of WordPress  2.1.1. The 2.1.2 release addressed this issue; an advisory released at the time advised all users to upgrade immediately.

In May 2007, a study revealed that 98% of WordPress blogs being run were exploitable because they were running outdated and unsupported versions of the software. In part to mitigate  this problem, WordPress made updating the software a much easier, “one click” automated process in version 2.7 (released in December 2008). However, the filesystem security settings  required to enable the update process can be an additional risk. In a June 2007 interview, Stefan Esser, the founder of the PHP Security Response Team, spoke critically of WordPress’ security track record, citing problems with the application’s architecture that made it unnecessarily difficult to write code that is secure from SQL injection vulnerabilities, as well as some other problems. In June 2013, it was found that some of the 50 most downloaded WordPress plugins were vulnerable to common Web attacks such as SQL injection and XSS. A separate inspection of the top-10 e-commerce plugins showed that seven of them were vulnerable. In an effort to promote better security, and to streamline the update experience overall, automatic background updates were introduced in WordPress 3.7. Individual installations of WordPress can be protected with security plugins that prevent user enumeration, hide resources and thwart probes. Users can also protect their WordPress installations by taking steps such as keeping all WordPress installation, themes, and plugins updated, using only trusted themes and plugins,[100] editing the site’s .htaccess configuration file if supported by the web server to prevent many types of SQL injection attacks and block unauthorized access to sensitive files. It is especially important to keep  WordPress plugins updated because would-be hackers can easily list all the plugins a site uses, and then run scans searching for any vulnerabilities against those plugins.  If vulnerabilities are found, they may be exploited to allow hackers to upload their own files (such as a PHP Shell script) that collect sensitive information. Developers can also use tools to analyze potential vulnerabilities, including WPScan, WordPress Auditor and WordPress Sploit Framework developed by 0pc0deFR. These types of tools research known vulnerabilities, such as a CSRF, LFI, RFI, XSS, SQL injection and user enumeration. However, not all vulnerabilities can be detected by tools, so it is advisable to check the code of plugins, themes and other add-ins from other developers.

In March 2015, it was reported by many security experts and SEOs, including Search Engine Land, that a SEO plugin for WordPress called Yoast which is used by more than 14 million users worldwide has a vulnerability which can lead to an exploit where hackers can do a Blind SQL injection. In January 2017, security auditors at Sucuri identified a vulnerability in the WordPress REST API that would allow any unauthenticated user to modify any post or page within a site running WordPress 4.7 or greater. The auditors quietly notified WordPress developers, and within six days WordPress released a high priority patch to version 4.7.2 which addressed the  problem  The canvas fingerprinting warning that is typically given by Tor Browser for WordPress-based websites. As of WordPress 5.2, the minimum PHP version requirement is PHP 5.6, which was released on August 28, 2014, and which has been unsupported by the PHP Group and not received any security  patches since December 31, 2018.In the absence of specific alterations to their default formatting code, WordPress-based websites use the canvas element to detect whether the browser  is able to correctly render emoji. Because Tor Browser does not currently discriminate between this legitimate use of the Canvas API and an effort to perform canvas fingerprinting, it  warns that the website is attempting to ‘extract HTML5 canvas image data’. Ongoing efforts seek workarounds to reassure privacy advocates while retaining the ability to check for  proper emoji rendering capability.

Now, after reading about vulnerabilities, you may ask yourself how you can secure your current WordPress. There are quite a few ways. It is good that you host your WordPress at Servage! Via our system, you have easy access to the backend, frontend and database of your application. If you want to make changes in the settings, it is easy and simply via your Servage control panel. In case of questions related to that, please either open a support ticket via your Servage control panel or open a live chat (you find the live chat button on each page in your Servage control panel, and on www.servage.net. Further hints and information about how to secure your WordPress, please check the above links or take a look HERE

WordPress vulnerabilities, 4.7 out of 5 based on 3 ratings
You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

No comments yet (leave a comment)

You are welcome to initiate a conversation about this blog entry.

Leave a comment

You must be logged in to post a comment.