Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

Are you using WordPress for your Recruitment Website? Check your security

Posted By: Thomas Shaw, 12:01pm Monday 19 April 2010    Print Article

Do you use WordPress? Are you aware of the security implications around the software? Over the past week, thousands of WordPress websites have been compromised with malicious malware code inserted into the database

If you use WordPress, you better check your site. Prevention is better than cure.
  • Wordpress stores the database credentials in plain-text at the wp-config.php file.
  • This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).
  • A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.
  • This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials.
  • Yes, he again (the bad guy) launches an attack and modify the database for all these blogs. Now the siteurl for all of them just became [malicious website]. Easy hack.
The problem for just about any web application that requires access to a database is that there just isn't a good way to secure the database login credentials in a plain text file.

At some point, the web application has to be able to send those credentials to the database server. And if the web server can read/generate those credentials, then there is always the possibility that an unauthorized party on the same server might be able to gain access to them "if the server and app are not secured properly".

Details on the Network Solutions / Wordpress mass hack

Google Cloaking Hack Targeting WordPress & How to Fix It

wordpress blogs hacked, a new wordpress worm? or just a world readable wp-config.php file

10 Tips To Make WordPress Hack-Proof

Tips and Info for Network Solutions WordPress Customers

Latest WordPress Hack – Symptoms, Solutions & Resources

Don’t Get Hacked: WordPress Security Tips




Article URL: http://www.recruitmentdirectory.com.au/Blog/are-you-using-wordpress-for-your-recruitment-website-check-your-security-a353.html

Article Tags: wordpress wordpress recruitment website hack insecure software directory listings network solutions database password web application security wordpress job board software security

Comments Hide Comments (0)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Refresh
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.
 


Back to Menu Back to Menu



Random Blog Articles

Ooops tips - May 2009
Published: 7:33pm Tuesday 12 May 2009

Tips for Avoiding Website Roadblocks
Published: 3:22pm Wednesday 23 June 2010

How secure is your Recruitment website? Part 4 - SQL Injection
Published: 11:17am Wednesday 19 August 2009

What Thomas is reading - 7th Dec 2008
Published: 2:52pm Sunday 07 December 2008

Job ad of the month - No weed smoking hippies
Published: 2:06pm Monday 14 June 2010