Skip to main content

More on Wordpress Security

(0 comments)

Two recent blog posts by Ethicalhack3r discuss authentication attacks against Wordpress sites.  The first post discusses  two vulnerabilities in Wordpress including one vulnerability from 2009.  Both leak username information.  As a follow up, Ethicalhack3r released a video (no code) of a brute-force attack tool he wrote over a weekend. 

My thoughts:

As Ethicalhack3r points out, there is nothing surprising here for Information Security.  It seems to have surprised others, though.  That speaks negatively about the information security community's ability to affect product development.  The vulnerability has existed since 2009.

It also means that we are not able to promote products that are secure.  I'm sure that there are blogging platforms that are more secure or react faster to vulnerabilities than Wordpress. These vulnerabilities aren't even that complex. 

I'm also reminded of something Adam Shostack told me:  There have always been vulnerabilities and there always will be vulnerabilities.  So, we need to deal with them.  Luckily in this case, you can by protecting your Wordpress login with two-factor authentication.   (What I don't know is what affect this has on commenters.  I don't the login requirements to comment on a blog post or the options for that.) 

 

Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

Recent Posts

Archive

2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom