Why Update Your Blog: WordPress Vulnerabilities You Should Be Aware Of

Ads by Google

Wordpress Vulnerabilities Intro   Why Update Your Blog: WordPress Vulnerabilities You Should Be Aware OfI have a lot of great things to say about WordPress. It’s an internationally popular piece of open source software that allows anyone to start their own blog or website. It’s powerful enough to be extensible by seasoned coders, yet simple enough that tech-illiterate people can still benefit from it. We even have a mini-guide for starting your own WordPress site.

However, as with all Internet-related software, there will always be security holes that need patching. Even when past holes are fixed, new features will inevitably introduce new holes, and then those holes need to be fixed. It’s a process that never ends, which is why it’s so important for you to update your WordPress regularly.

Updating WordPress is the best way to patch the latest WordPress security vulnerabilities. What sorts of security vulnerabilities? Here’s an overview of the most common ones you’ll encounter.

1. Default Admin Account

wordpress admin default   Why Update Your Blog: WordPress Vulnerabilities You Should Be Aware Of

When you first install WordPress, your basic administrator account will be called “admin” with an equally simple password. Keeping security credentials at their default settings can be a big vulnerability because hackers and crackers will know what those default settings are and, thus, will exploit them with ease.

Ads by Google

Actually, this isn’t a problem unique to WordPress. Anything that comes with product-wide default access credentials (such as router logins or phone unlock codes) will inherently have this WordPress vulnerability. But while routers and phones usually require your physical presence for mischief, anyone can potentially hack your WordPress site as long as they have the URL.

So what can you do? The easiest solution is to create a new administrator account on your WordPress site and delete the default “admin” account. This leaves no predictability in terms of administrator access.

2. Default Database Prefixes

wordpress database prefixes   Why Update Your Blog: WordPress Vulnerabilities You Should Be Aware Of

When WordPress is first installed, the database tables are named with a default prefix of wp_. This is done so that all of the tables remain organized in your database in case you’re working with other software packages in the same database. The wp_ signifies that those specific tables are related to WordPress.

But here’s the catch – if a hacker is attempting to mess with your WordPress site, then this bit of predictability automatically makes him one step closer to tampering with your database tables. By knowing the names of your database tables, a hacker can manually poke at it until he gains access.

Think of it this way. Suppose a thief wants to steal something from your home but your home is equipped with special doors that have hidden keyholes until you call out the right “name” for that door. If the thief knows that your door’s name is “Sandy”,  then all he needs to do is pick the lock, but if the thief doesn’t know your door’s name, he needs to first figure that out somehow before he can even start to pick it.

So what can you do? Simple. WordPress allows you to install using a table prefix that is different from the default prefix.

3. Accessible Files & Directories

wordpress file permissions   Why Update Your Blog: WordPress Vulnerabilities You Should Be Aware Of

With any website, the number of files that you actually want users to access is far smaller than the number of files that are necessary to power that website. You may have a lot of function files, class files, template files, configuration files, and more – none of which should be publicly available. The same is true for directories.

Using CHMOD, you can set permissions on various files and directories to prevent unwanted users from accessing sensitive materials. If a user had access to your configuration file, for example, he could tamper with your WordPress settings and break your website. WordPress is vulnerable when your website’s files and directories aren’t secured behind proper permission settings.

So what can you do? I actually had to deal with this problem recently, and the fix isn’t too difficult. Make sure that your WordPress installation is in accordance to the WordPress permission scheme.

4. SQL Injections & Hijacking

wordpress sql injection   Why Update Your Blog: WordPress Vulnerabilities You Should Be Aware Of

SQL injections are not unique to WordPress; in fact, they are one of the most common (and destructive) forms of web server attacks in the world. Not familiar with the term? Give my introduction to SQL injections article a quick peek to give yourself a basic understanding of the problem.

In essence, WordPress has had a few SQL injection security holes in their code over the years. Some have been patched while others remain uncovered or undetected. If a hacker gains access to one of these holes, he can inject malicious SQL code into your database, which can be used to steal data or just delete it altogether.

So what can you do? Well, here’s the catch – if you aren’t well-equipped enough to know how to defeat SQL injections, then you probably don’t have the technical know-how for building up a protection in the first place. You can probably look around for WordPress plugins that might address potential injection holes, but most users will simply need to wait for the next WordPress security patch.

Recommended Plugins

  • WP Security Scan – this plugin will scan your website setup and look for potential security vulnerabilities. It covers all sorts of areas from file permissions to database holes to password management and more.
  • WordPress File Monitor Plus – in case someone has gained access to your site’s file structure, this plugin will let you know. It regularly monitors your system’s files and directories and makes note of any discrepancies.
  • WordPress Firewall 2 – this plugin sets up a metaphorical wall around your site, scanning all inputted data and traffic for malicious intent. It’s pretty good at preventing attacks like SQL injections and other database attacks.
  • Wordfence – Wordfence is something of an all-in-one security suite plugin that includes malicious attack protection, anti-virus scanning, a firewall, and more. Definitely worth a try.

Conclusion

While WordPress may be both open source and widely popular, that doesn’t mean it isn’t without its flaws. WordPress vulnerabilities pop up from time to time and when one is fixed, another one is usually right around the corner. With careful monitoring and preventative steps, you can minimize the risk that your WordPress site faces.

Ads by Google
Check out more about:

10 Comments - Write a Comment

Reply

Choon Khai

I have been using WordPress for awhile, and this is really an eyeopener to me! Never thought that such trivial matters could really change everything.

Reply

Nevzat Akkaya

It’s scary to have a serious security bug on your precious blog. One should always check the logs, bandwidth usage and always get backups to protect against data loss.

Joel Lee

I cannot emphasize enough the importance of backups! Eventually something bad will happen to your blog and you’re going to wish you had a recent backup or else you’re going to lose a lot of data PERMANENTLY. Good point!

Reply

Alexander Carstensen

I am currently using WordPress, and i am definately going to fix these vulnerabilities !

Reply

Mac Witty

Thanks, updates can never never be emphasized enough! Then if you are a person who do not visit your wp-installation every day it might be a good idea to set up google analytics alerts for a couple of the most used “spam words”. Then you will be noticed very soon if your site has been hacked. Maybe a MUO guide how to do it could be something?

Joel Lee

Interesting idea with the Analytics alerts. Will have to think about that for a bit. Thanks!

Reply

Rama

One thing, the first point about “admin” where the author states “When you first install WordPress, your basic administrator account will be called “admin” with an equally simple password.” Is absolutely and totally false, obviously the author has never installed WordPress. What happens by default, it the installer is prompted to enter any name for the administrative account, an email address and a password.

Reply

Shmuel Mendelsohn

Thanks so much MUO – you got me started with Word Press, and now you continue to help me!

Reply

Ron Lister

Has anyone at MUO ever tried out Drupal. I’m just starting out with it.

Joel Lee

I gave it a shot once (maybe 1-2 years ago) and it seemed much more convoluted than WordPress with very little benefit. I think in terms of free PHP CMS, WordPress would be my #1 choice followed by Joomla.

Your comment