A new study by Wordfence found that WordPress sites in 2020 were most commonly attacked through pirated (aka nulled) themes and plugins, brute-force attacks against login forms, and exploit code targeting unpatched vulnerabilities.
<p>Shadow Code introduced via third-party themes and plugins substantially expands the attack surface for websites. Website owners must stay on top of security updates, which will protect them from the inherent risks that come with third-party plugins. Digital businesses also need to be able to recognize targeted, large-scale brute-force ATO (account takeover) attacks in real time, to stop credential stuffing as it happens and protect their customers’ personal information.</p>
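The comment above calls for recognizing login brute force and credential stuffing as they happen. The following is an added example, not code from the article, from Wordfence or from the quoted expert: a sliding-window detector over a constructed, line-per-event login log of the form <code>&lt;ISO-8601 UTC timestamp&gt; &lt;client IP&gt; &lt;username&gt; &lt;FAIL|OK&gt;</code>, the kind of record a site could emit from WordPress's <code>wp_login_failed</code> and <code>wp_login</code> actions. The log format, the sample lines and the thresholds are assumptions made for the example. It separates the two patterns the comment names (many failures from one IP against one account versus many different usernames from one IP) and adds the signal that matters most for account takeover: a success arriving right after a burst of failures.

```python
"""Sliding-window detector for WordPress login brute force and credential stuffing.

Added example (not code from the article, Wordfence or the quoted expert).
Input is a constructed, line-per-event log of the form

    <ISO-8601 UTC timestamp> <client IP> <username> <FAIL|OK>

as a site could emit from WordPress's `wp_login_failed` and `wp_login`
actions; the format and the thresholds below are assumptions, not a product's.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 60            # length of the sliding window per client IP (assumed)
FAIL_THRESHOLD = 10            # failures from one IP in the window -> brute force
DISTINCT_USER_THRESHOLD = 5    # distinct usernames from one IP -> credential stuffing
SUCCESS_AFTER_FAILURES = 3     # a success after this many failures -> possible takeover

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse_line(line):
    """Return (timestamp, ip, username, result) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3), m.group(4)


def detect(lines, window=WINDOW_SECONDS, fail_threshold=FAIL_THRESHOLD,
           user_threshold=DISTINCT_USER_THRESHOLD,
           success_after=SUCCESS_AFTER_FAILURES):
    """Scan time-ordered log lines; return a list of (timestamp, ip, kind) alerts.

    Each (ip, kind) pair is reported once per run so a sustained attack
    does not produce one alert per request.
    """
    failures = defaultdict(deque)   # ip -> deque of (ts, username) failures in window
    alerted = set()
    alerts = []

    def raise_alert(ts, ip, kind):
        if (ip, kind) not in alerted:
            alerted.add((ip, kind))
            alerts.append((ts, ip, kind))

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed lines rather than crash the detector
        ts, ip, user, result = parsed
        q = failures[ip]
        # Drop failures that have aged out of the window for this IP.
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        if result == "OK":
            # A success right after a burst of failures is the account-takeover signal.
            if len(q) >= success_after:
                raise_alert(ts, ip, "success_after_failures")
            continue
        q.append((ts, user))
        if len(q) >= fail_threshold:
            raise_alert(ts, ip, "brute_force")
        if len({u for _, u in q}) >= user_threshold:
            raise_alert(ts, ip, "credential_stuffing")
    return alerts


def constructed_sample():
    """Constructed log lines (not real traffic), using documentation IP ranges."""
    base = datetime(2020, 12, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset, ip, user, result):
        stamp = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{stamp} {ip} {user} {result}")

    for i in range(12):                        # 12 failures on 'admin' within 22 s
        add(i * 2, "203.0.113.5", "admin", "FAIL")
    add(30, "203.0.113.5", "admin", "OK")      # ...then a success: takeover indicator
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        add(i * 3, "198.51.100.7", u, "FAIL")  # 6 usernames but only 6 failures
    add(5, "192.0.2.9", "editor", "FAIL")      # one mistyped password, then success
    add(9, "192.0.2.9", "editor", "OK")
    lines.sort()                               # fixed-width ISO stamps sort chronologically
    return lines


if __name__ == "__main__":
    for ts, ip, kind in detect(constructed_sample()):
        print(f"{ts.isoformat()} {ip} {kind}")
```

On the sample, the detector reports credential stuffing from 198.51.100.7 (five distinct usernames, far below the per-IP failure threshold), brute force from 203.0.113.5 at its tenth failure, and a success-after-failures alert when that same IP then logs in; the single typo from 192.0.2.9 produces nothing. Two caveats for real use: the input must be in time order (a log tailer normally guarantees this), and keying only by client IP misses distributed stuffing where each of many IPs tries one credential pair, which needs a second set of counters keyed by username or by the site as a whole.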
<p>The recent news about WordPress malware and vulnerabilities is a good reminder that WordPress site owners need to do a better job of managing their site’s security. In addition to the more obvious security recommendations such as malware scanning and good password practices, site owners need to make sure their plugins and software are up to date and patched.</p>
<p>The report also identified critical vulnerabilities that are typically exploited, including directory traversal, SQL injection, remote code execution (RCE) and cross-site scripting. All of these vulnerabilities are harder to protect against, and typically overlooked by site owners. However, these flaws are well known and have long been listed in the OWASP Top 10 Web Application Security Risks. In addition, WordPress plugins are typically written in PHP, a language that’s particularly vulnerable to the OWASP Top 10 risks. Organizations need to take application security more seriously, starting with protection for well-known problems like the OWASP Top 10.</p>
<p>Finally, traditional application security tools like Web Application Firewalls (WAFs) have a tough time with RCE and other OWASP Top 10 attacks because they typically rely on understanding a past RCE attack to detect a new zero-day attack. RASP (Runtime Application Self-Protection) solutions are closer to the application and have a better understanding of the application to stop RCE and other attacks. NIST (the National Institute of Standards and Technology) recently added RASP as a security requirement to the framework outlined in SP 800-53 Revision 5, another pointer to the need for runtime security to more effectively protect against these types of attacks.</p>
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.