There were a number of rumours floating around the internet in 2008 claiming that WordPress was insecure and vulnerable to hacks and attacks. Matt Mullenweg has spoken out about a number of false reports.
The Automattic team often has to sort through a large number of posts on Trac claiming to be security vulnerabilities. That time could often be better spent working on new features and optimising the existing code within WordPress. In one of Matt's posts, SecurityFocus SQL Injection Bogus, Matt says:
Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire”, and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team does is sift through things to see what’s valid or not.
He goes on to say that there was a wave of attacks on WordPress blogs, targeting those on the 2.1 and 2.2 branches of the WordPress code. The people who claimed their blogs had been hacked and were being removed from Google search rankings were running older versions of WordPress, particularly from the 2.1 and 2.2 branches. Had these people upgraded their blogs, they would have been immune to the problems.
…All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy, you’ll remember this is one of the main reasons I came out against sponsored themes.)
This led Matt and the Automattic team to take a stance against sponsored WordPress themes in the WordPress Theme Viewer. It is also the reason for the warnings about using such themes without thorough inspection, and about clicking links to sites that may try to infect your computer with a virus or worm.
I often check a theme out myself, especially footer.php. I have sometimes found that they are encoded, and when they are, it is usually to protect the links within them. I have found a tool[1] to help 'crack' them open to remove the links, particularly if they contain unrelated nasty links. Some people will say that is reverse engineering, but I do not see a problem, as the credits for the theme designers are still present in the CSS and the other files where the links are present. I'm sure some theme creators will oppose my moves and links, but I have a right to link to sites I wish to use, and not to others that I don't approve of.
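As an added illustration of the footer inspection described above (this is example code written for this page, not the tool the author mentions and not anything from WordPress), the following Python script finds the usual eval(base64_decode('...')) wrapper in a theme's PHP files, also handling the gzinflate, gzuncompress and str_rot13 variants, decodes the hidden block and lists every href inside it so the links can be reviewed before the theme is activated. The two footer.php fragments at the bottom are constructed samples, not taken from any real theme.

```python
import base64
import codecs
import os
import re
import zlib
from typing import Dict, List, Optional

# Matches eval(base64_decode('...')) and the wrapped variants
# eval(gzinflate(base64_decode('...'))), eval(gzuncompress(...)) and
# eval(str_rot13(...)). Group 1 is the optional wrapper, group 2 the payload.
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*(?:(gzinflate|gzuncompress|str_rot13)\s*\(\s*)?"""
    r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]"""
)
LINK_RE = re.compile(r"""href\s*=\s*['"]([^'"]+)['"]""", re.I)


def decode_payload(wrapper: Optional[str], b64: str) -> str:
    """Undo base64 and then the optional wrapper, in the order PHP would apply them."""
    raw = base64.b64decode(b64, validate=True)
    if wrapper == "gzinflate":            # PHP gzinflate() = raw DEFLATE, no header
        raw = zlib.decompress(raw, -zlib.MAX_WBITS)
    elif wrapper == "gzuncompress":       # PHP gzuncompress() = zlib-wrapped DEFLATE
        raw = zlib.decompress(raw)
    elif wrapper == "str_rot13":
        raw = codecs.encode(raw.decode("latin-1"), "rot_13").encode("latin-1")
    return raw.decode("utf-8", errors="replace")


def find_hidden_links(source: str) -> List[Dict]:
    """One finding per obfuscated eval() block: the decoded PHP/HTML and every
    href it contains. Undecodable payloads are reported rather than skipped."""
    findings = []
    for m in EVAL_B64_RE.finditer(source):
        wrapper, payload = m.group(1), m.group(2)
        try:
            decoded = decode_payload(wrapper, payload)
        except (ValueError, zlib.error) as exc:   # binascii.Error is a ValueError
            findings.append({"wrapper": wrapper, "decoded": None,
                             "links": [], "error": str(exc)})
            continue
        findings.append({"wrapper": wrapper, "decoded": decoded,
                         "links": LINK_RE.findall(decoded), "error": None})
    return findings


def scan_theme_dir(theme_dir: str) -> Dict[str, List[Dict]]:
    """Walk an unpacked theme and report each .php file that has obfuscated eval() blocks."""
    report = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_links(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample footer.php fragments (not from any real theme): the same
# credit line hidden with plain base64 and with gzinflate(base64_decode(...)).
_INNER = (b'<p>Theme credits: <a href="http://example.com/">Designer</a> | '
          b'<a href="http://example.net/pills">Cheap pills</a></p>')
_compressor = zlib.compressobj(wbits=-zlib.MAX_WBITS)   # raw DEFLATE, as gzinflate expects
_DEFLATED = _compressor.compress(_INNER) + _compressor.flush()

SAMPLE_FOOTER_B64 = ("</div>\n<?php eval(base64_decode('"
                     + base64.b64encode(_INNER).decode() + "')); ?>\n</body></html>\n")
SAMPLE_FOOTER_GZ = ("</div>\n<?php eval(gzinflate(base64_decode('"
                    + base64.b64encode(_DEFLATED).decode() + "'))); ?>\n</body></html>\n")

if __name__ == "__main__":
    for label, src in (("base64", SAMPLE_FOOTER_B64), ("gzinflate", SAMPLE_FOOTER_GZ)):
        for hit in find_hidden_links(src):
            print(label, hit["wrapper"], hit["links"])
```

Point scan_theme_dir() at an unpacked theme before uploading it; any file it reports deserves a look at the decoded text, since a footer that needs eval() to print its credits has no honest reason to hide what it links to.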
How Safe is WordPress?
WordPress is not 100% invulnerable to hackers, but if you keep the WordPress core files, the plugins you use and the theme on your site up to date, you are fairly safe. Hackers can still attack your site through vulnerabilities in PHP and MySQL rather than in WordPress itself, and unfortunately those vulnerabilities are outside the Automattic team's control.
Themes and plugins can be poorly coded, creating loopholes that a hacker could potentially use. Many people are saying that 2009 should be the year of better coding standards for WordPress plugins and themes.
WordPress now includes a number of enhancements designed to secure your installation. WordPress 2.7 adds comment enhancements that include password protection checks, along with security improvements over previous versions such as disabling password reset per user, improved password and cookie security, SSL and cookie handling, triple cookie security checks, configuration keys to address authentication issues, and even HTTPS settings for security protection on WordPress.com blogs.
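The "configuration keys" and SSL settings mentioned above live in wp-config.php. As an added example for this page (not code from WordPress or from the author), the Python below parses the define() lines of a wp-config.php, flags the authentication keys that are missing, still set to the sample file's placeholder, or shorter than an assumed 32-character threshold, and notes whether FORCE_SSL_ADMIN is enabled. The four key names and the placeholder text are those of WordPress's wp-config-sample.php; the sample configuration is constructed for the example.

```python
import re
import secrets
from typing import Dict, List

# Authentication keys defined in wp-config.php (names as in wp-config-sample.php)
# and the placeholder value that sample file ships with.
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"
MIN_KEY_LEN = 32   # assumed threshold for this check; generated keys are longer

# define('NAME', 'value'), define("NAME", "value") or define('NAME', true/false).
# Escaped quotes inside values are not handled; keys are normally generated
# without them.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(true|false))\s*\)""",
    re.I,
)


def parse_defines(source: str) -> Dict[str, str]:
    """Collect define('NAME', value) pairs; values keep their literal text."""
    found = {}
    for m in DEFINE_RE.finditer(source):
        name = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        found[name] = value
    return found


def audit_wp_config(source: str) -> Dict[str, str]:
    """Status per key: 'ok', 'missing', 'placeholder' or 'too short',
    plus whether FORCE_SSL_ADMIN is set to true."""
    defines = parse_defines(source)
    report = {}
    for name in REQUIRED_KEYS:
        value = defines.get(name)
        if value is None:
            report[name] = "missing"
        elif value.strip().lower() == PLACEHOLDER:
            report[name] = "placeholder"
        elif len(value) < MIN_KEY_LEN:
            report[name] = "too short"
        else:
            report[name] = "ok"
    ssl = defines.get("FORCE_SSL_ADMIN", "").lower()
    report["FORCE_SSL_ADMIN"] = "ok" if ssl == "true" else "not enabled"
    return report


def new_key(length: int = 64) -> str:
    """A fresh random key using only characters safe inside a single-quoted PHP string."""
    return secrets.token_urlsafe(length)[:length]


def suggested_fixes(report: Dict[str, str]) -> List[str]:
    """Replacement define() lines for every key that failed the audit."""
    lines = []
    for name in REQUIRED_KEYS:
        if report[name] != "ok":
            lines.append(f"define('{name}', '{new_key()}');")
    if report["FORCE_SSL_ADMIN"] != "ok":
        lines.append("define('FORCE_SSL_ADMIN', true);")
    return lines


# Constructed sample wp-config.php: one placeholder key, one sound key,
# one far too short, one missing, and no SSL setting.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'v8Kq2LxT9pWz4RnB7sYc1HdJ6mFe0GaUoI3NtQ5XrZ');
define('LOGGED_IN_KEY',   'secret');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    result = audit_wp_config(SAMPLE_WP_CONFIG)
    for name, status in result.items():
        print(f"{name:16} {status}")
    print("\n".join(suggested_fixes(result)))
```

Changing a key invalidates every existing login cookie, which is exactly the point: anyone holding a cookie forged or stolen under the old value is logged out along with everyone else.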
WordPress can be hacked; no one is saying that it is 110% safe. However, there are ways we can protect ourselves, and there are ways WordPress is now starting to protect itself, so as long as we stay up to date we can be fairly confident that we are protected from hackers, provided our server software is up to date as well.
Inspired by Lorelle VanFossen at The Blog Herald.

January 23rd, 2009 at 9:55 am
Good post. I agree nothing is 100% hack proof, but maintaining up-to-date software and practising good security techniques can make it very difficult for attackers.