Threat Intelligence Blog

Posted April 14, 2011


The content management system WordPress is a fantastic tool. Its ease of use has has helped it become the most popular blogging tool out there. Its most recent version has been downloaded more than 5.7 million times as of this writing.

The popularity of WordPress has made it a very attractive target for cyber attackers. Like most software, eventually security holes are found that allow hackers inside. Once a site is breached, it can be used for many illegal purposes like distributing malware, hosting phishing attacks, and marketing counterfeit pharmaceuticals. Blog owners need to be ever vigilant to ensure there software is current with all updates including blog software to plug security holes.

WordPress developers have been great about patching those holes quickly. Despite being on top of vulnerabilities, there are still some steps that should not be tough to implement but should make the web a safer place.

  • Please stop advertising the version number in the source code. In 2008 Google’s Matt Cutts made the recommendation to WordPress webmasters to delete the part of the software’s code that advertises which version of the software is being run. This information is used by hackers to determine which attacks might work against a given website. Removing this announcement will make hackers’ work much harder.
  • Please email the blog’s owner until they upgrade to the newest version.wordpress-please-update-nowIn recent years, WordPress began notifying site admins in the tool’s dashboard view with a message saying that a new version of WordPress was available, and offered a link to upgrade immediately. This is very helpful.But often blogs are abandoned out there and site admins never see this message. Why wait until a webmaster returns? Like a beeping car when your seat belt is unbuckled, WordPress could email the admin on a regular basis to remind them that they have to upgrade, reducing the number of vulnerable websites out there online. WordPress already emails site owners when blog comments are awaiting approval, so this should be pretty easy to implement.

Note that out of date WordPress installs are not the only pieces of software contributing to web server infections. Shopping cart software, forum software, and photo gallery software all tend to be targeted. WordPress installs are likely more common than all of those, so it would make sense to make its security a priority.

Make no mistake, we love WordPress. We use it on this very site. But there are a couple of steps that would appear to be low-hanging-fruit that Matt Mullenweg and the WordPress development crew could take to make an impact on hacked sites on the web.

If you run WordPress and suspect your site’s been hacked, please see this official FAQ from the WordPress team!

Additional Posts

Let Google and Bing Notify You If Your Site is Hacked

In recent years, cyber criminals have made a point of hijacking popular websites. Their goal is ...

Epsilon Breach Opens the Flood Gates for Spear Phishing and Socially Engineered Attacks

The recent Epsilon breach, which could quite possibly be the largest of its kind, has exposed ...