An interesting study about WordPress security...

KGIII

PDF warning: https://sucuri.net/wp-content/uploads/2022/04/22-sucuri-2021-hacked-report.pdf

Now, before you read this and think those numbers are large - there are over 455 *million* WordPress sites out there (out of 1.3 *billion* web sites). The numbers include other CMS applications - like Drupal and Joomla.

For reasons, one of my hosting clients recently had their WP end up compromised - using their monthly allotment of bandwidth pretty quickly from the little forensic examination I did. Worse, it wasn't even one that they were really using. (I'll avoid details.)

WordPress can be a wonderful thing - once you figure out how to use it *and* figure out how to secure it. One of the key security processes is to ensure everything is updated - use automatic updates *and* verify that it's doing so by checking in now and again, and that will eliminate a bunch of problems. And, really, only use plugins/themes you need and check ratings/comments before installing them. More plugins and themes means more chances for vulnerabilities.

Anyhow, in the report there are some large numbers - but those numbers aren't really that large and getting hacked can usually be prevented with due diligence. Anything will get hacked if someone puts enough effort into it. Most hacks are fairly automated these days. My Linux-Tips site gets thousands of attacks every month, and it's not even all that popular.

This is a weekly report from just one layer of security (I have multiple layers, each catching different things.)

[screenshot: 2022-04-29_10-21.png]

So, that's not complete. It is however the bulk of them.

Anyhow, I'd read the report even if you don't use WordPress. There's some pretty interesting information in it.

Again:

Website administrators using automatic plugin updates were among those with the lowest risk.

I decided to post this to off-topic, as it doesn't quite fit in any other topic. While it is security related, it's not necessarily Linux related - inasmuch as keeping PHP up to date is something you should do regardless of which OS you're using for your server.
 


The odd thing about WordPress is that MySQL or equivalent is used to store user names and passwords. Now if anybody wanted to get those passwords they would not need to get access to the database simply because via some software you can simply tell WordPress to get for instance user login names and reveal them. A native install of WordPress has no security in this regard. You would be quite shocked at some at Gov level, Africa that do not know this.
 
Passwords aren't stored in plain text. They're hashed and salted. Access to the database will only reveal what the entered password is checked against and not the password.

Usernames are in plain text.

You can block user-enumeration, if you want. I prefer a more robust solution - like 2FA and stripping out the ability to brute force the site. So far, so good - but I have a ton of WP experience. I did a client's setup in like 30 minutes - but that was just settings and plugins/plugin configurations. It was amazing how fast I can do it now. (I can also cheat and export settings from an existing install, saving quite a bit of manual configuration time.)

I should probably streamline it further and charge money. ;-)

(I really, really don't want to spend my time doing WP installs and I don't really need the extra income. So, that's not gonna happen. Or at least it's really unlikely to happen.)
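One way to do the two things mentioned above, blocking user enumeration and taking away the ability to brute force logins, as an added example (this is not code from the thread, nor WordPress core code). It assumes a stock WordPress install and uses only core hooks and the transients API; the names HL_MAX_FAILS, HL_LOCKOUT_SECONDS and hl_client_key are chosen here.

```php
<?php
/*
 * Plugin Name: Harden Login (added example, not from the thread or WP core)
 * Drop this file into wp-content/mu-plugins/ so it loads without activation.
 * Only core WordPress hooks and functions are used below.
 */

// 1. User enumeration: /?author=N normally redirects to /author/<login>/,
//    which leaks the login name. Refuse that redirect for anonymous visitors.
add_filter('redirect_canonical', function ($redirect_url, $requested_url) {
    if (!is_user_logged_in() && preg_match('/[?&]author=\d+/i', $requested_url)) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
    return $redirect_url;
}, 10, 2);

// 2. The REST API lists users at /wp-json/wp/v2/users for anyone.
//    Drop those routes unless the caller is logged in.
add_filter('rest_endpoints', function ($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 3. Brute force: after HL_MAX_FAILS failed logins from one address, reject
//    further attempts for HL_LOCKOUT_SECONDS. Counter lives in a transient.
const HL_MAX_FAILS = 5;
const HL_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

function hl_client_key(): string {
    // REMOTE_ADDR is only trustworthy when the web server sets it itself;
    // behind a reverse proxy, have the server rewrite it from the proxy header.
    return 'hl_fails_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

add_action('wp_login_failed', function () {
    $key   = hl_client_key();
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, HL_LOCKOUT_SECONDS);   // resets expiry each failure
});

add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(hl_client_key()) >= HL_MAX_FAILS) {
        return new WP_Error('too_many_attempts',
            'Too many failed logins from your address. Try again later.');
    }
    return $user;   // leave the result of the core username/password check alone
}, 30, 3);

// Clear the counter once a login succeeds.
add_action('wp_login', function () {
    delete_transient(hl_client_key());
});
```

The lockout is per source address only, so it slows a single-host dictionary run but not a distributed one; 2FA on the accounts is still the stronger control.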
 
