3 questions: WordPress security

Adam J. Kujawa is Malware Intelligence Lead at Malwarebytes. He authored the report "Cyberthreats in 2012," highlighting (among other things) security issues with the popular blogging/website platform WordPress.

CSO: What's the big deal with WordPress security--why is this a significant issue now?

Adam Kujawa: You've got fish in a barrel and an upgraded harpoon, in that a lot of people are creating their own blogs and the mass existence of exploit kits like Blackhole.

WordPress is a great exploit platform, because users have lots of control over how their WordPress site is viewed, and using plugins and things like that. But the problem is that users aren't properly securing them. They aren't keeping their passwords difficult enough or resetting them from the default, they're using outdated plugins and a lot of other bad security practices. It makes it very easy to set up drive-by exploits.

What was the worst WordPress exploit you saw?

We saw immense amounts of ransomware. The nightmare scenario would be malware-tisements--malicious ads where you're surfing a legit website, minding your own business, and a legitimate ad has been modified by cyber criminals and allowed to execute code or redirects. Next thing you know this ad shows up and you're redirected to a WordPress site with a drive-by on it and you get infected with ransomware and you're locked out of your computer and you have to pay $300 to get it back. My father got ransomware by this method.

Is it hard to set up WordPress securely?

Adam Kujawa: It's not super hard. If you're not inherently technical, I wouldn't try to set up WordPress. I'd get somebody else to do it. But the biggest targets are the ones that are quickly set up, and don't have a massive amount of traffic. The best advice I have is to find a professional or a hosting company. They might cost a little more but will be worth it if they can securely establish a web presence.

Tags securityMalwarebytesintel


Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

ZENworks® Endpoint Security Management

Protect against bugs in USB Storage devices

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.