Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

Are you using WordPress for your Recruitment Website? Check your security

Posted By: Thomas Shaw, 12:01pm Monday 19 April 2010    Print Article

Do you use WordPress? Are you aware of the security implications around the software? Over the past week, thousands of WordPress websites have been compromised with malicious malware code inserted into the database

If you use WordPress, you better check your site. Prevention is better than cure.
  • Wordpress stores the database credentials in plain-text at the wp-config.php file.
  • This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).
  • A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.
  • This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials.
  • Yes, he again (the bad guy) launches an attack and modify the database for all these blogs. Now the siteurl for all of them just became [malicious website]. Easy hack.
The problem for just about any web application that requires access to a database is that there just isn't a good way to secure the database login credentials in a plain text file.

At some point, the web application has to be able to send those credentials to the database server. And if the web server can read/generate those credentials, then there is always the possibility that an unauthorized party on the same server might be able to gain access to them "if the server and app are not secured properly".

Details on the Network Solutions / Wordpress mass hack

Google Cloaking Hack Targeting WordPress & How to Fix It

wordpress blogs hacked, a new wordpress worm? or just a world readable wp-config.php file

10 Tips To Make WordPress Hack-Proof

Tips and Info for Network Solutions WordPress Customers

Latest WordPress Hack – Symptoms, Solutions & Resources

Don’t Get Hacked: WordPress Security Tips




Article URL: http://www.recruitmentdirectory.com.au/Blog/are-you-using-wordpress-for-your-recruitment-website-check-your-security-a353.html

Article Tags: wordpress wordpress recruitment website hack insecure software directory listings network solutions database password web application security wordpress job board software security

Comments Hide Comments (0)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Refresh
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.
 


Back to Menu Back to Menu



Random Blog Articles

Hirewall beta release
Published: 12:10am Thursday 18 December 2008

Upcoming Webinar - Using Facebook for Recruitment
Published: 12:14pm Thursday 21 May 2009

Creating an Effective Social Media Strategy, Part 7 - Find Quality Followers to Engage, Don’t Worry About Numbers
Published: 3:07pm Sunday 16 August 2009

Adlogic Webservice API
Published: 7:30am Monday 01 November 2010

How secure is your Recruitment website? Part 1 - Server Directory Listings
Published: 9:08pm Thursday 28 May 2009