An interesting study about WordPress security...

KGIII (Super Moderator, Staff member, Gold Supporter) wrote:

PDF warning: https://sucuri.net/wp-content/uploads/2022/04/22-sucuri-2021-hacked-report.pdf

Now, before you read this and think those numbers are large - there are over 455 *million* WordPress sites out there (out of 1.3 *billion* web sites). The numbers include other CMS applications - like Drupal and Joomla.

For reasons, one of my hosting clients recently had their WP end up compromised - using their monthly allotment of bandwidth pretty quickly from the little forensic examination I did. Worse, it wasn't even one that they were really using. (I'll avoid details.)

WordPress can be a wonderful thing - once you figure out how to use it *and* figure out how to secure it. One of the key security processes is to ensure everything is updated - use automatic updates *and* verify that it's doing so by checking in now and again, and that will eliminate a bunch of problems. And, really, only use plugins/themes you need and check ratings/comments before installing them. More plugins and themes means more chances for vulnerabilities.

Anyhow, in the report there are some large numbers - but those numbers aren't really that large and getting hacked can usually be prevented with due diligence. Anything will get hacked if someone puts enough effort into it. Most hacks are fairly automated these days. My Linux-Tips site gets thousands of attacks every month, and it's not even all that popular.

This is a weekly report from just one layer of security (I have multiple layers, each catching different things.)

[Image: screenshot of a weekly security report, file 2022-04-29_10-21.png]

So, that's not complete. It is however the bulk of them.

Anyhow, I'd read the report even if you don't use WordPress. There's some pretty interesting information in it.

Again:

Website administrators using automatic plugin updates were among those with the lowest risk.

I decided to post this to off-topic, as it doesn't quite fit in any other topic. While it is security related, it's not necessarily Linux related - inasmuch as keeping PHP up to date is something you should do regardless of which OS you're using for your server.
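The post above recommends turning on automatic updates and then verifying now and again that they are actually enabled. As an added example (not code from the thread or from WordPress itself), here is a small must-use plugin that audits that state from inside WordPress: it reads the `auto_update_plugins` and `auto_update_themes` options that WordPress 5.5+ uses to record per-item auto-update opt-ins, checks whether auto-updates are globally disabled, and shows the result as an admin notice. The plugin name and the `auau_` prefix are assumptions chosen for this example.

```php
<?php
/*
Plugin Name: Auto-update audit (example)
Description: Lists plugins/themes whose automatic updates are off and reports the core auto-update mode.
*/
// Added example, not from the thread: drop into wp-content/mu-plugins/ to activate.

function auau_collect_report() {
    // get_plugins() lives in an admin include that is not loaded on every request.
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    // WordPress records per-item opt-ins as arrays of plugin files / theme stylesheets.
    $auto_plugins = (array) get_site_option('auto_update_plugins', array());
    $auto_themes  = (array) get_site_option('auto_update_themes', array());

    // If auto-updates are disabled globally (constant, filter or host policy), the
    // per-item opt-ins are irrelevant: nothing will update on its own.
    $plugins_globally_on = wp_is_auto_update_enabled_for_type('plugin');
    $themes_globally_on  = wp_is_auto_update_enabled_for_type('theme');

    $plugins_off = array();
    foreach (array_keys(get_plugins()) as $plugin_file) {
        if (!$plugins_globally_on || !in_array($plugin_file, $auto_plugins, true)) {
            $plugins_off[] = $plugin_file;
        }
    }

    $themes_off = array();
    foreach (wp_get_themes() as $stylesheet => $theme) {
        if (!$themes_globally_on || !in_array($stylesheet, $auto_themes, true)) {
            $themes_off[] = $stylesheet;
        }
    }

    // Core: when WP_AUTO_UPDATE_CORE is not defined, WordPress applies minor
    // (security/maintenance) releases automatically but not major ones.
    $core_mode = defined('WP_AUTO_UPDATE_CORE')
        ? var_export(WP_AUTO_UPDATE_CORE, true)
        : 'not defined (minor releases only)';

    return array(
        'core_mode'   => $core_mode,
        'plugins_off' => $plugins_off,
        'themes_off'  => $themes_off,
    );
}

add_action('admin_notices', function () {
    if (!current_user_can('update_plugins')) {
        return;
    }
    $r = auau_collect_report();
    if (empty($r['plugins_off']) && empty($r['themes_off'])) {
        return; // nothing to nag about
    }
    echo '<div class="notice notice-warning"><p><strong>Auto-update audit</strong> '
        . '(core mode: ' . esc_html($r['core_mode']) . ')</p>';
    if ($r['plugins_off']) {
        echo '<p>Plugins without automatic updates: '
            . esc_html(implode(', ', $r['plugins_off'])) . '</p>';
    }
    if ($r['themes_off']) {
        echo '<p>Themes without automatic updates: '
            . esc_html(implode(', ', $r['themes_off'])) . '</p>';
    }
    echo '</div>';
});
```

Because it is a must-use plugin it cannot be deactivated from the dashboard, which is the point: the audit keeps running even if someone later switches auto-updates off for a single plugin and forgets about it.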
captain-sensible (Well-Known Member) wrote:

The odd thing about WordPress is that MySQL or an equivalent is used to store usernames and passwords. Now, if anybody wanted to get those passwords, they would not need to get access to the database, simply because via some software you can simply tell WordPress to get, for instance, user login names and reveal them. A native install of WordPress has no security in this regard. You would be quite shocked at some at government level in Africa that do not know this.

KGIII (Super Moderator, Staff member, Gold Supporter) wrote:

Passwords aren't stored in plain text. They're hashed and salted. Access to the database will only reveal what the entered password is checked against and not the password.

Usernames are in plain text.

You can block user-enumeration, if you want. I prefer a more robust solution - like 2FA and stripping out the ability to brute force the site. So far, so good - but I have a ton of WP experience. I did a client's setup in like 30 minutes - but that was just settings and plugins/plugin configurations. It was amazing how fast I can do it now. (I can also cheat and export settings from an existing install, saving quite a bit of manual configuration time.)

I should probably streamline it further and charge money. ;-)

(I really, really don't want to spend my time doing WP installs and I don't really need the extra income. So, that's not gonna happen. Or at least it's really unlikely to happen.)
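The reply above makes two defensive points: usernames are exposed in plain text and can be enumerated, and the real protection is removing the ability to brute-force logins rather than hiding names. As an added example (not code from the thread and not one of the plugins the poster used), here is a must-use plugin that does both in a minimal way: it answers anonymous author-archive and `?author=N` requests with a 404, removes the `/wp/v2/users` REST routes for visitors who are not logged in, and throttles failed logins per client IP using transients. The plugin name, the `example_` prefix and the thresholds (5 attempts, 15 minutes) are assumptions chosen for this example.

```php
<?php
/*
Plugin Name: Enumeration and brute-force limits (example)
Description: Hides username-revealing endpoints from anonymous visitors and throttles failed logins.
*/
// Added example, not from the thread: drop into wp-content/mu-plugins/ to activate.

// 1. Anonymous /?author=N and /author/<slug>/ requests normally redirect to a URL
//    containing the username. Answer them with a 404 instead.
add_action('template_redirect', function () {
    if (is_user_logged_in()) {
        return;
    }
    if (isset($_GET['author']) || is_author()) {
        wp_die('', '', array('response' => 404));
    }
});

// 2. The REST API lists users (including logins) at /wp-json/wp/v2/users.
//    Drop every route under that prefix unless the request is authenticated.
//    Logged-in dashboard requests carry a nonce, so the block editor keeps working.
add_filter('rest_endpoints', function ($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 3. Throttle failed logins per client address. Constructed thresholds (assumption).
define('EXAMPLE_MAX_ATTEMPTS', 5);
define('EXAMPLE_LOCKOUT_SECONDS', 900);

function example_login_key() {
    // Behind a reverse proxy, REMOTE_ADDR is the proxy; substitute the client
    // address header that your proxy sets and that you trust.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_login_fail_' . md5($ip);
}

// Count failures; the transient expires after the lockout window.
add_action('wp_login_failed', function () {
    $key   = example_login_key();
    $fails = (int) get_transient($key);
    set_transient($key, $fails + 1, EXAMPLE_LOCKOUT_SECONDS);
});

// Priority 30 runs after the core username/password handlers (priority 20), so a
// correct password cannot override the lockout result.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(example_login_key()) >= EXAMPLE_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(example_login_key());
});
```

Two caveats worth knowing before relying on this: a failed attempt during the lockout also fires `wp_login_failed`, so continued hammering keeps extending the window (intended here), and a per-IP counter does nothing against an attacker rotating addresses, which is why the reply above pairs brute-force limiting with 2FA rather than treating either as sufficient on its own.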