"WordPress or Blogger, what's better?" We have all come face to face with this question any number of times, and each time the choice is harder to make. Both platforms have their own pros and cons, but the pick depends entirely on you.
Well, talking about WordPress, it's a popular content management system among bloggers, but we can't rule out the fact that during the last couple of years several security flaws have been detected within its system.
Firstly, many users do not update their WordPress template to the latest version, and therefore their site is vulnerable. According to some recent stats, 70% of malware is able to access websites because their software is not up to date.
Secondly, WordPress users use many plugins and themes, which also need to be updated and maintained from time to time. For example, the TimThumb.php script had a few flaws and was used by hackers to gain access to some sites.
Many such security intrusions have taken place within the last year. Most hacks focus on gaining administrative access by cracking a site's login details: the hackers keep trying thousands of passwords until they find the right ones. Some hackers also use a technique involving pingbacks, a basic WordPress functionality that is now being used to execute large-scale DDoS attacks.
Pingbacks are really simple; most of us use them, in fact. They work something like this: you own website 'A' and you publish a guest post from website 'B' with its link. In return, website 'B' gives you a link back. You automatically receive a pingback that notifies you about the link back, and in order to check whether the link back is real, you visit website 'B'.
Hackers hack a website and send pingbacks to other websites. The recipient, without knowing that the link is a threat, visits the website that has sent it. When this happens on a large scale, it can flood the victim site with HTTP requests and cause a DDoS attack. (Read about one such attack here)
Wondering how you can make your site attack-proof?
- Get in touch with expert consultancies experienced in dealing with such attacks. This is a long process, though, and your business can suffer in the meantime.
- Block the pingback threats by logging into the web hosting control panel and either deleting or renaming 'xmlrpc.php' within the root directory of the WordPress installation. As simple as that!
Well, the above two are the easiest options that we can try in time, but keep in mind there are so many other things you can do, like taking the help of security services such as Trustwave, conducting security scans of your website from time to time, checking for loopholes, installing plugins and much more.
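As an added example (not part of the original article), here is a Python check over a web server access log for both sides of the pingback abuse described above: clients repeatedly POSTing to `xmlrpc.php`, and floods of page fetches that identify themselves as WordPress installs. It assumes the combined log format and WordPress's default outbound User-Agent of the form `WordPress/<version>; <site URL>`; the `summarize` function, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def summarize(lines, threshold=3):
    """Return (clients POSTing to xmlrpc.php >= threshold times,
    GET counts per WordPress site named in the User-Agent)."""
    xmlrpc_posts, wp_fetches = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[m["ip"]] += 1  # pingbacks arrive as XML-RPC POSTs
        elif m["method"] == "GET" and m["ua"].startswith("WordPress/"):
            # Assumed UA shape: "WordPress/<version>; <site URL>[; ...]"
            parts = m["ua"].split("; ")
            wp_fetches[parts[1] if len(parts) > 1 else "unknown"] += 1
    noisy = {ip: n for ip, n in xmlrpc_posts.items() if n >= threshold}
    return noisy, dict(wp_fetches)

def _line(ip, method, path, ua):
    # Builds one constructed log line (documentation IP ranges, .example hosts)
    return (f'{ip} - - [10/Mar/2014:10:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "{ua}"')

SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php", "curl/7.30")] * 4
    + [_line("198.51.100.20", "POST", "/xmlrpc.php", "Mozilla/5.0")]
    + [_line("192.0.2.10", "GET", "/?r=1", "WordPress/3.8.1; http://blog-a.example")] * 2
    + [_line("192.0.2.11", "GET", "/", "WordPress/3.8; http://blog-b.example")]
    + [_line("198.51.100.20", "GET", "/about", "Mozilla/5.0"), "not a log line"]
)

if __name__ == "__main__":
    noisy, fetches = summarize(SAMPLE_LOG)
    print("xmlrpc.php POST sources over threshold:", noisy)
    print("GETs from WordPress installs:", fetches)
```

Renaming or deleting `xmlrpc.php` also disables every other XML-RPC client of the site, and a WordPress core update restores the file, so re-run the check after updating.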
(Source)
Did you drop your April Fool's Day article a few months early? Not only is WP updated frequently, but they publish a roadmap here: http://wordpress.org/about/roadmap/
WP is updated three times a year. The next release will be 3.9 in April, then 4.0 in August and 4.1 in December. All my sites received 3.8 in December and just updated to 3.8.1 this week. The incremental updates are small and generally address security issues since the last major release.
You can never make a site "attack-proof". If someone wants to take down your site, they will. That's true with WP, Joomla, Drupal, or any custom CMS you design. It's also a bit disingenuous to suggest that the only two options for hardening your site are to pay a consultancy or to block pingbacks.
There are hundreds of good plugins, and thousands of decent ones, that will reduce your chances of losing a site to an attack.
WP publishes a great guide to hardening WP in the Codex: http://codex.wordpress.org/Hardening_WordPress
Jeez E-Junkie, a little more research could have made this a great article.
Thanks for sharing your thoughts with us.
We too are totally aware of the WP update cycle and there's no doubt that they are doing a great job with it. What we meant here was that it's the WP users who don't update their template version to the latest and therefore, their site might be vulnerable. We know that no site is 'attack proof' and any site can be taken down anytime. The two suggested options are just a few of the many things that people can do in order to secure their site.
FYI, here's the detailed database of some WP: Security Vulnerabilities - http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/