Yesterday, I was randomly going through some Google searches when a website caught my attention. The website was built in WordPress and had some misconfiguration issues, due to which it was displaying information that could give an attacker an idea of what his next move will be. There are a number of websites that suffer from the same cause, so if you use a CMS (Content Management System), keep reading: this blog is for you.
Before moving further, if you aren’t familiar with what a Content Management System is, let me explain it to you. A content management system is a software application or set of related programs used to create and manage digital content. CMSs are typically used for enterprise content management and web content management. A CMS can have multiple meanings depending on the scenario and on the person’s or project’s objectives.
You can define a CMS as an application with which you can provide web services and different permission levels to manage the content, data or information (the whole of it or a single section) of a website project or internet/intranet application.
A CMS or content management system like WordPress serves as a web-publishing tool, helping you create not only blogs (for which WordPress was originally known) but also websites and even mobile apps. It is popular with users because it is free and also because it offers a wide range of plugins and customization features. In fact, this platform is so versatile and trusted that even top corporations like Sony, Disney, and CNN use it!
Perhaps even you are using WordPress and have loved it for all its features and plugins. But you may also be troubled by reports that WordPress has repeatedly been targeted by hackers. In fact, a BBC article from February 2017 reported that as many as 1.5 billion web pages had been defaced by hackers in a recent spate of attacks, taking advantage of a zero-day vulnerability.
How do you make sure your WordPress website remains secure and immune to hacker attacks? There is no one-time magic trick to make this happen. Hackers are constantly coming up with newer ways to probe websites for chinks. Often, they just use brute force. This might explain why, on average, as many as 30,000 sites are hacked every single day!
WordPress is highly popular with businesses. This means that customer banking details, email addresses, and other precious information are liable to be compromised as a result of poor website security. As a business owner, it is your duty towards your clients to ensure maximum security on your site. You may also hire an experienced web design firm to engineer your website in such a way as to minimize vulnerabilities. However, the best safeguard is to ensure that you yourself are constantly vigilant and follow these smart measures on a regular basis:
- Update to the latest version of WordPress.
- Report bugs immediately.
- Upgrade plugins.
- Upgrade your OS and browsers.
- Do use security plugins like WordFence or Sucuri.
- Use a plugin to hide your admin page.
- Do not display your WordPress version number on the site.
- Use paid themes.
- Use strong user credentials, particularly complex alphanumeric passwords. The longer, the better. Special characters will strengthen your passwords even further.
- Use a password manager.
- Better yet, use two-factor authentication.
- Set a fixed number of login attempts.
- Set your email address as your username.
- Backup everything.
- Use SSL for data encryption.
- Get rid of data you don’t need like old log files and duplicated backups.
- Disable file editing.
- Use WPScan to identify vulnerabilities and report them.
- Use trusted hosting services.
- Moderate comments and remove irrelevant ones.
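Several items in the list above ("Disable file editing", "Do not display your WordPress version number", "Set a fixed number of login attempts", "Use SSL") are a handful of lines of configuration rather than a plugin purchase. The following is an added example written for this post, not code from the original article or from WordPress itself. It uses only documented WordPress constants and hooks (`DISALLOW_FILE_EDIT`, `FORCE_SSL_ADMIN`, `wp_generator`, `wp_login_failed`, `authenticate`, transients). The lockout policy (5 failures, 15-minute lockout), the `harden_` function names and the assumption that the site is not behind a reverse proxy (so `REMOTE_ADDR` is the real client address) are my own choices, not anything the post specifies.

```php
<?php
// ---- File 1: wp-config.php (place above the "That's all, stop editing!" line) ----
define( 'DISALLOW_FILE_EDIT', true );  // removes the theme/plugin code editors from the dashboard
define( 'FORCE_SSL_ADMIN', true );     // login and wp-admin only over HTTPS
define( 'WP_DEBUG', false );           // never show PHP errors (and server paths) to visitors
// define( 'DISALLOW_FILE_MODS', true ); // optional: also blocks dashboard installs/updates;
//                                        // only enable if you update plugins another way (e.g. WP-CLI)

// ---- File 2: wp-content/mu-plugins/harden.php (must-use plugins load automatically) ----
/*
Plugin Name: Hardening example (added example, not part of the original post)
*/

// 1. Stop advertising the WordPress version.
remove_action( 'wp_head', 'wp_generator' );                  // <meta name="generator" ...> in HTML
add_filter( 'the_generator', '__return_empty_string' );      // generator tag in RSS/Atom feeds

// The ?ver=5.x query string on core scripts and styles also leaks the version.
function harden_strip_ver( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'style_loader_src', 'harden_strip_ver', 9999 );
add_filter( 'script_loader_src', 'harden_strip_ver', 9999 );

// 2. Fixed number of login attempts per client address (constructed policy).
const HARDEN_MAX_ATTEMPTS    = 5;
const HARDEN_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

function harden_client_key() {
    // Assumption: no reverse proxy in front of PHP. Behind one, derive the address
    // from the proxy's header only if that proxy is trusted and strips client-supplied copies.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'harden_login_' . md5( $ip );
}

// Count a failure and keep a log line the SOC can alert on.
function harden_record_failure( $username ) {
    $key   = harden_client_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, HARDEN_LOCKOUT_SECONDS ); // counter expires with the lockout window
    error_log( sprintf( 'wp-login failure #%d for "%s" from %s',
        $fails, $username, $_SERVER['REMOTE_ADDR'] ?? '?' ) );
}
add_action( 'wp_login_failed', 'harden_record_failure' );

// Refuse authentication once the threshold is reached. Priority 30 runs after
// WordPress's own username/password checks (priority 20).
function harden_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( harden_client_key() ) >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'harden_check_lockout', 30, 3 );

// A successful login resets the counter for that address.
function harden_clear_on_success( $user_login, $user ) {
    delete_transient( harden_client_key() );
}
add_action( 'wp_login', 'harden_clear_on_success', 10, 2 );
```

Transients live in the options table (or the object cache if one is configured), so the counter survives across PHP processes but is per site; a distributed brute-force attack spread over many source addresses will still not trip a per-address counter, which is why the list also recommends two-factor authentication rather than rate limiting alone.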
The hard reality is that none of these measures can guarantee complete protection. However, your website will certainly be immune to all but the most dedicated of hackers. And unless your site holds information that is valuable enough to merit such persistent efforts on the part of hackers, there is a good chance that you are safe. But that is only as long as you continue to closely monitor your site and faithfully follow the steps listed above.
Recent Vulnerability Report (WordPress)
There is an unpatched vulnerability in the WordPress core which could allow a low-privileged user to hijack the whole site and execute arbitrary code on the server. Discovered by researchers at RIPS Technologies GmbH, the “authenticated arbitrary file deletion” vulnerability was reported to the WordPress security team 7 months ago but remains unpatched and affects all versions of WordPress, including the current 4.9.6.
The researchers say that, using this flaw, an attacker can delete critical files such as “.htaccess” from the server, which usually contains security-related configuration, in an attempt to disable protection. Beyond this, deleting the “wp-config.php” file—one of the most important configuration files in a WordPress installation, containing the database connection information—could force the entire website back to the installation screen, allegedly allowing the attacker to reconfigure the website from the browser and take over its control completely.
It should be noted that, since the attacker can’t directly read the contents of wp-config.php to learn the existing database name, MySQL username and password, he can instead set the targeted site up again using a remote database server under his control.
Once complete, the attacker can create a new admin account and take complete control over the website, including the ability to execute arbitrary code on the server.
“Besides the possibility of erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the web server,” researchers say.
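Until a patched core release is installed, the deletion can be blocked at the point where the attacker-controlled file name enters attachment metadata. The must-use plugin below is an added example written for this post; it is not from the article, and it is modelled from memory on the temporary hotfix RIPS published with their disclosure, which reduces the `thumb` entry of attachment metadata to a bare file name so that deleting an attachment can only unlink a file inside the upload directory. Treat the function name and the logging as my own additions; the real fix is to upgrade core as soon as a patched version is available.

```php
<?php
/*
Plugin Name: Attachment metadata hotfix (added example, not from the original post)
Description: Drop into wp-content/mu-plugins/. Strips any directory component from the
             'thumb' entry of attachment metadata before it is saved, so a later
             attachment deletion cannot reach outside the upload directory.
*/

function hotfix_sanitize_attachment_meta( $data, $post_id ) {
    if ( is_array( $data ) && isset( $data['thumb'] ) && is_string( $data['thumb'] ) ) {
        // basename() discards every path segment, including "../", leaving only the file name.
        $clean = basename( $data['thumb'] );

        if ( $clean !== $data['thumb'] ) {
            // Record the attempt together with the acting user so it can be investigated;
            // a low-privileged account trying to write a path here is a strong signal.
            error_log( sprintf(
                'attachment %d: rejected thumb path "%s" submitted by user %d',
                (int) $post_id,
                $data['thumb'],
                get_current_user_id()
            ) );
        }

        $data['thumb'] = $clean;
    }
    return $data;
}
// 'wp_update_attachment_metadata' is applied to the metadata array just before it is stored.
add_filter( 'wp_update_attachment_metadata', 'hotfix_sanitize_attachment_meta', 10, 2 );
```

Because this runs as a must-use plugin it is active even if the attacker disables ordinary plugins, and it needs no change to core files that the next upgrade would overwrite. It does not repair an installation whose wp-config.php is already gone; for that you need the backups recommended above.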
Want to know how to protect your website or want to get it tested for security issues