Qualys Blog

www.qualys.com
2 posts

Hacking into WordPress Using a Vulnerable Plug-in

WordPress is currently the most popular blogging system in use on the Web, powering over 60 million websites worldwide. There are over 15,000 WordPress plug-ins that extend the functionality of WordPress, but these plug-ins also add numerous security risks that can leave a site open to attack. Although core WordPress vulnerabilities exist and may be more challenging to find, most WordPress attacks these days are the result of plug-in vulnerabilities, followed by default passwords and obsolete software.

Recently, I started exploring various WordPress plug-ins to test if installing a plug-in made the site more vulnerable, and to determine how big of a concern the security of the plug-in was. I started with a few of the popular and top-rated plug-ins. During that exercise, I discovered an HTML Code and Script Injection Vulnerability in the WP Photo Album Plus plug-in.


WordPress Sites Targeted by Brute Force Attack

Last week, HostGator and CloudFlare reported an ongoing attack against WordPress sites. WordPress, a popular tool for producing and running websites, has been downloaded over 60 million times and can be found at the core of many of the Alexa top websites.

The attack is simple, but it will no doubt capture a number of naively configured WordPress systems. It aims to gain control over WordPress installations by guessing the password of the WordPress administrator account, which is named "admin" by default. Reportedly, the attacker controls a botnet of roughly 90,000 computers that have been instructed to seek out WordPress instances and to run a dictionary of over 2,500 common passwords against them in a brute force password attack.
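A botnet of tens of thousands of hosts changes what "brute force" looks like in the logs: each source may try only a few passwords, so a per-IP lockout never fires, and the signal is instead the number of distinct clients hitting the login form at once. The following Python script is an added example (not code from the Qualys post, HostGator or CloudFlare): it parses Apache/Nginx "combined" access-log lines, keeps POSTs to wp-login.php, and reports both a single noisy source and a distributed burst. The log lines, IP addresses, time window and thresholds are all constructed for the demo, and treating a 200 response to the login POST as a failed attempt (WordPress re-renders the form on a bad password and redirects with 302 on success) is an assumption to verify against your own install.

```python
"""Spot WordPress login brute-forcing in web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format; the query string is dropped from the path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }

def failed_logins(lines):
    """POSTs to wp-login.php answered with 200, sorted by time.

    Assumption (not from the post): WordPress answers a wrong password with
    HTTP 200 (form re-rendered) and a correct one with a 302 redirect.
    """
    events = []
    for line in lines:
        e = parse_line(line)
        if (e and e["method"] == "POST"
                and e["path"].endswith("/wp-login.php") and e["status"] == 200):
            events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events

def per_ip_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Map ip -> peak attempts for IPs with >= threshold failures in one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        start = 0
        for end, ts in enumerate(stamps):        # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def distributed_burst(events, window=timedelta(minutes=5)):
    """(max distinct source IPs failing logins inside one window, window start).

    This is the check that catches the botnet: many sources, few tries each.
    """
    worst, worst_start, start = 0, None, 0
    active = defaultdict(int)                  # ip -> attempts inside the window
    for end, e in enumerate(events):
        active[e["ip"]] += 1
        while e["ts"] - events[start]["ts"] > window:   # slide the left edge
            old = events[start]["ip"]
            active[old] -= 1
            if active[old] == 0:
                del active[old]
            start += 1
        if len(active) > worst:
            worst, worst_start = len(active), events[start]["ts"]
    return worst, worst_start

def make_sample_log():
    """Constructed traffic: a legitimate admin login, one noisy guesser
    (12 tries in two minutes) and a 25-node botnet sending 3 guesses each."""
    base = datetime(2013, 4, 10, 12, 0, 0, tzinfo=timezone.utc)
    def line(ip, ts, method, path, status):
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = [line("203.0.113.5", base, "GET", "/2013/04/hello-world/", 200),
             line("203.0.113.5", base + timedelta(seconds=30), "POST", "/wp-login.php", 302)]
    for i in range(12):                        # single-source brute force
        lines.append(line("198.51.100.7", base + timedelta(seconds=10 * i),
                          "POST", "/wp-login.php", 200))
    for n in range(25):                        # distributed: 192.0.2.1 .. 192.0.2.25
        for k in range(3):
            lines.append(line(f"192.0.2.{n + 1}", base + timedelta(seconds=9 * n + 60 * k),
                              "POST", "/wp-login.php", 200))
    return lines

if __name__ == "__main__":
    ev = failed_logins(make_sample_log())
    print("failed login POSTs:", len(ev))
    print("single-source bursts:", per_ip_bursts(ev))
    print("distinct sources in worst 5-minute window:", distributed_burst(ev))
```

The per-IP check flags only 198.51.100.7; every botnet node stays under the threshold with three attempts, and only the distinct-source count exposes it. In practice you would feed real log lines via `sys.stdin`, tune the window and thresholds to your site's normal login rate, and pair the alert with a non-default administrator username and a strong password, which is what defeats this particular dictionary in the first place.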
