If you run a WordPress Blog on your own web hosting account, read this.
September 27, 2013
In my previous article I wrote about an ongoing botnet campaign targeting WordPress blog installations on web servers around the world. Here is an excerpt:
There has been an ongoing attack targeting /wp-login.php, /admin.php and /administrator/ for at least a month, if not longer. Most are brute-force password-cracking attempts, but others are exploiting vulnerable code in WordPress itself.
In addition to attacks against the WordPress software itself (web applications and CMS programs are, after all, software), which was very recently updated, I see regular attempts to exploit popular WordPress plug-ins. Some of these plug-in exploits are over a year old, yet the attempts continue to this day. Why is that?
Hackers continue to probe with old exploits targeting WordPress and its plug-ins because these attacks still work: the software is not patched in a timely manner, and the people administering the blogs do not secure them with strong passwords.
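The brute-force traffic described above leaves an obvious trail in the web server's access log: one client address firing many POST requests at the login endpoints in a short time. The following script is an added example written for this page, not code from the original article. It parses lines in the common Apache/nginx "combined" log format, counts POSTs to the three paths named above per source address, and flags any address that exceeds a threshold within a sliding time window. The sample log lines, the documentation IP addresses, and the threshold of five POSTs in five minutes are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Apache/nginx "combined" format). The IPs are
# documentation ranges and the traffic is invented, not captured data.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Sep/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Sep/2013:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2011 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Sep/2013:10:01:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
192.0.2.55 - - [27/Sep/2013:10:02:10 +0000] "GET /administrator/ HTTP/1.1" 404 512 "-" "curl/7.30"
203.0.113.9 - - [27/Sep/2013:10:02:15 +0000] "POST /administrator/index.php HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [27/Sep/2013:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Sep/2013:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3542 "-" "Mozilla/5.0"
"""

# The three endpoints named in the article. A trailing slash means "this
# directory and anything under it".
LOGIN_PATHS = ("/wp-login.php", "/admin.php", "/administrator/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def is_login_target(path):
    """True if the request path (query string ignored) hits a login endpoint."""
    path = path.split("?", 1)[0]
    return any(path == p or (p.endswith("/") and path.startswith(p)) for p in LOGIN_PATHS)


def login_attempts(lines):
    """Map ip -> sorted timestamps of POSTs to login endpoints (any status)."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and is_login_target(path):
            attempts[ip].append(ts)
    for ip in attempts:
        attempts[ip].sort()
    return attempts


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak POSTs per window} for every ip reaching the threshold."""
    flagged = {}
    for ip, times in login_attempts(lines).items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} login POSTs within 5 minutes")
```

Run against the sample, only 203.0.113.7 is flagged (six POSTs inside one five-minute window); the single POST from the legitimate administrator at 198.51.100.23 and the one-off probe of /administrator/ stay below the threshold. On a real server you would feed it the live access log and hand the flagged addresses to a firewall rule or a tool such as fail2ban; the threshold and window are the knobs to tune against your own normal login traffic.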
According to recently published research by WP White Security, conducted between September 12 and 15, 2013, as many as 73% of the WordPress installations tested were running out-dated, vulnerable versions of the program itself. This research says nothing about out-dated, exploitable plug-ins or about weak or default passwords. The WordPress software itself was out-dated on 73% of the web servers tested, just after the release of version 3.6.1. Hopefully, in the 12 days that have passed, more people have upgraded to the current version!
The 73% figure was broken down by the version of WordPress being run. Thirty percent were running the previous release, 3.6.0, which has 5 known vulnerabilities (patched in 3.6.1). Even if all of those webmasters upgrade to version 3.6.1, that still leaves almost two thirds of the out-dated sites running older versions, as far back as version 2.0! I counted 98 known vulnerabilities present in WordPress versions 3.2.1 through 3.6.0, and over 100 CVE vulnerabilities in the earlier versions 2.0 through 3.1.
If you operate your own WordPress blog, whether on a shared, VPS or dedicated server, you alone are responsible for keeping the program and its plug-ins updated and secured.
The latest version is always available for download from WordPress.org. I suggest that you sign up for email alerts when new versions are released and that you install them as soon as humanly possible. Hackers routinely test for exploitable vulnerabilities and share them within the hacking community.
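On a shared hosting account it is easy to lose track of which installs are current, especially when several blogs live under one home directory. The script below is an added example for this page, not code from the original article or from WordPress. It walks a directory tree, reads the version string that WordPress keeps in wp-includes/version.php (the file and the `$wp_version` variable are WordPress's own; the demo directory layout, the fake blog names and the "current version" constant of 3.6.1 are assumptions made for the example), and reports every install that is older than the current release.

```python
import os
import re
import tempfile

# Assumed "latest release" for the comparison; at the time of the article this
# was 3.6.1. Update it (or read it from WordPress.org) before relying on it.
CURRENT_VERSION = "3.6.1"

# WordPress stores its version as a PHP assignment in wp-includes/version.php,
# e.g.:  $wp_version = '3.6.1';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(php_source):
    """Extract the version string from the contents of wp-includes/version.php."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_key(version):
    """Turn '3.6.1' into (3, 6, 1) so that versions compare numerically, not as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_installs(root):
    """Yield (install_dir, version) for every WordPress tree found below root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as f:
                version = parse_wp_version(f.read())
            yield os.path.dirname(dirpath), version


def outdated_installs(root, current=CURRENT_VERSION):
    """Return {install_dir: version} for installs older than `current`.

    An install whose version could not be parsed is reported with version None,
    because an unreadable version file is itself worth a look.
    """
    result = {}
    for install, version in find_installs(root):
        if version is None or version_key(version) < version_key(current):
            result[install] = version
    return result


def build_demo_tree():
    """Create a constructed stand-in for a hosting account with three blogs.

    The directory names and versions are invented for the demonstration.
    """
    root = tempfile.mkdtemp(prefix="wp-demo-")
    fake_sites = {"blog": "3.6.1", "oldblog": "3.5.2", "archive/site2": "2.9.2"}
    for rel, ver in fake_sites.items():
        inc = os.path.join(root, rel, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as f:
            f.write(f"<?php\n$wp_version = '{ver}';\n$wp_db_version = 0;\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for install, version in sorted(outdated_installs(demo_root).items()):
        print(f"{install}: {version or 'unknown'} (current is {CURRENT_VERSION})")
```

On the demo tree this reports the 3.5.2 and 2.9.2 installs and stays quiet about the one already on 3.6.1. To use it for real, call `outdated_installs` on your account's document root instead of the demo tree; the numeric comparison in `version_key` matters because a plain string comparison would wrongly rank "3.10" below "3.6".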
There is a very interesting article on Naked Security about these latest WordPress statistics, including the ten most important steps you can take to secure a WordPress installation. If you host your own WordPress blog, please read it!
Maybe you installed WordPress with a couple of mouse-clicks into your shared hosting account, or inherited a website that somebody else built, and know nothing about updating web scripts and applications. If keeping up with updates is too much for you, consider having your blog hosted at WordPress.com, for free. They take care of all updates and patching for you. All you have to do is create great content, instead of fending off botnet attacks from WordPress hackers.