Security Expert Re: Study Cites Biggest Security Threats To WordPress Sites

A new study by Wordfence showed that WordPress sites were most threatened in 2020 by pirated (aka nulled) themes and plugins, brute-force attacks against login forms and the use of exploit code that takes advantage of unpatched vulnerabilities.

Ameet Naik, Security Evangelist
InfoSec Expert
January 29, 2021 9:35 am

Shadow Code introduced via third-party themes and plugins substantially expands the attack surface for websites. Website owners must stay on top of security updates, which will protect them from the inherent risks that come with third-party plugins. Digital businesses also need to be able to recognize targeted, large-scale brute force ATO attacks in real time, to stop credential stuffing as it happens and protect their customers’ personal information.

Pravin Madhani, Co-founder and CEO
InfoSec Expert
January 29, 2021 9:24 am

The recent news about WordPress malware and vulnerabilities is a good reminder that WordPress site owners need to do a better job of managing their site’s security. In addition to the more obvious security recommendations such as malware scanning and good password practices, site owners need to make sure their plug-ins and software are up to date and patched.

The report also identified critical vulnerabilities that are typically exploited, including directory traversal, SQL injection, remote code execution (RCE) and cross-site scripting. All of these vulnerabilities are harder to protect against, and typically overlooked by site owners. However, these flaws are well known and have long been listed on the OWASP Top 10 Web Application Risks. In addition, WordPress plugins are typically written in PHP, a language that’s particularly vulnerable to the OWASP Top 10 Risks. Organizations need to take application security more seriously, starting with protection for well-known problems like the OWASP Top 10.

Finally, traditional application security tools like Web Application Firewalls (WAFs) have a tough time with RCE and other OWASP Top 10 attacks because they typically rely on understanding a past RCE attack to detect a new zero-day attack. RASP (Runtime Application Self-Protection) solutions are closer to the application and have a better understanding of the application to stop RCE and other attacks. NIST (the National Institute of Standards and Technology) recently added RASP as a security requirement to their framework outlined in SP 800-53 Revision 5, another pointer to the need for runtime security to more effectively protect against these types of attacks.

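Both comments above turn on the same operational question: how does a site owner actually notice, from the traffic they already log, a brute-force or credential-stuffing run against wp-login.php, or a probe for the traversal, SQL injection and XSS flaws the report lists? The script below is an added example, not code from the page, from Wordfence, or from either commenter. It parses Apache combined-format access log lines (the log lines are constructed for the example; the IPs are documentation ranges), flags any client with ten or more failed login POSTs inside a sliding five-minute window, and tags requests whose decoded path matches a small set of probe signatures. The thresholds, the hypothetical `hypothetical-plugin` path, and the signature list are assumptions to tune per site; the signature check is deliberately pattern-based, so it only recognises shapes it has already been told about.

```python
"""Brute-force and exploit-probe detection over WordPress access logs.

Added example; not part of the original page, Wordfence's report, or either
commenter's tooling. Log lines, thresholds, plugin path and signatures are
constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Signatures for the vulnerability classes named in the report. Matching is
# done on the URL-decoded path so "..%2F" cannot slip past as "../" would not.
PROBE_PATTERNS = {
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1|sleep\(\d+\))"),
    "xss": re.compile(r"(?i)(<script|onerror\s*=|javascript:)"),
}


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    # WordPress re-renders the login form with HTTP 200 on a bad password and
    # answers a successful POST with a 302 redirect into wp-admin.
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php") and rec["status"] == 200


def brute_force_sources(records, window=timedelta(minutes=5), threshold=10):
    """Map IP -> peak number of failed logins seen inside any `window`."""
    by_ip = defaultdict(list)
    for r in records:
        if is_failed_login(r):
            by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def exploit_probes(records):
    """List of (ip, signature name, raw path) for requests matching a probe."""
    hits = []
    for r in records:
        decoded = unquote(r["path"])
        for name, pat in PROBE_PATTERNS.items():
            if pat.search(decoded):
                hits.append((r["ip"], name, r["path"]))
                break
    return hits


# ---- constructed sample log (not real traffic) ----------------------------
def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


BASE = datetime(2021, 1, 29, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    # 12 failed logins from one client in under two minutes: brute force
    _line("203.0.113.5", BASE + timedelta(seconds=10 * i), "POST", "/wp-login.php", 200)
    for i in range(12)
] + [
    # one typo then a successful login: normal user, must not be flagged
    _line("198.51.100.7", BASE + timedelta(minutes=1), "POST", "/wp-login.php", 200),
    _line("198.51.100.7", BASE + timedelta(minutes=1, seconds=30), "POST", "/wp-login.php", 302),
    # probes for traversal, SQL injection and XSS against a hypothetical plugin / search
    _line("192.0.2.9", BASE + timedelta(minutes=2), "GET",
          "/wp-content/plugins/hypothetical-plugin/download.php?file=..%2F..%2Fwp-config.php", 200),
    _line("192.0.2.9", BASE + timedelta(minutes=2, seconds=5), "GET", "/?s=%27%20or%201%3D1--", 200),
    _line("192.0.2.9", BASE + timedelta(minutes=2, seconds=9), "GET",
          "/?q=%3Cscript%3Ealert(1)%3C/script%3E", 200),
]


def analyze(lines):
    records = [r for r in map(parse_line, lines) if r]
    return {"brute_force": brute_force_sources(records), "probes": exploit_probes(records)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real log with `analyze(open("access.log").read().splitlines())`. The brute-force check keys on the status code because WordPress does not put the username in the access log; for per-account credential-stuffing detection you would feed it auth-log or plugin events instead. The probe list is intentionally short and signature-based, which is exactly the limitation the second comment attributes to WAFs: a payload encoded or shaped differently from the signatures will not be caught.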