Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Are you using WordPress for your Recruitment Website? Check your security

Posted By: Thomas Shaw, 12:01pm Monday 19 April 2010

Do you use WordPress? Are you aware of the security implications of the software? Over the past week thousands of WordPress sites have been compromised, with malicious code inserted into their databases.

If you use WordPress, you had better check your site. Prevention is better than cure. Here is how the attack worked:
  • WordPress stores the database credentials in plain text in the wp-config.php file.
  • That file should be readable only by the web server (Apache), but many users (lots of users, in fact) leave it world-readable: mode 755 instead of 750, in Linux terms.
  • A malicious user on Network Solutions' shared hosting wrote a script to find wp-config.php files with these incorrect permissions.
  • The script turned up hundreds of misconfigured files, and the attacker retrieved the database credentials from each one.
  • With those credentials he connected to the databases and modified every one of those blogs, so that the siteurl option (in the wp_options table) for all of them now points to [malicious website]. Easy hack.
The problem for just about any web application that needs a database is that there is no really good way to protect database credentials kept in a plain-text file.

At some point the application has to present those credentials to the database server, and if the web server can read (or generate) them, an unauthorised party on the same machine may be able to read them too unless the server and the application are locked down properly. Restricting wp-config.php to the web server's user and group (chmod 640, with the right owner) is the minimum. On shared hosting where every customer's PHP runs as the same system user, even that does not stop a neighbour's script from reading the file, so also check that the siteurl and home rows in wp_options still point at your own domain.
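The checks the steps above imply, as an added example (this is not code from the original article, from WordPress or from Network Solutions): a small POSIX shell script that flags a world-readable wp-config.php, shows how trivially the database credentials can be pulled out of it, restricts the file, and inspects siteurl/home rows from wp_options for a rewritten URL. The wp-config.php contents, the wp_options rows and the domain www.example.com are constructed sample data, and the function names are the editor's own.

```shell
#!/bin/sh
# Added example, not code from the original article or from WordPress.
# Audits a WordPress install for the two conditions described above:
#   1. a wp-config.php that every account on the host can read, and
#   2. siteurl/home options that no longer point at your own domain.
# Assumptions: GNU or BSD stat/find; wp-config.php uses the standard
# define('DB_NAME', '...') lines; wp_options rows are supplied as
# tab-separated "option_name<TAB>option_value" lines (what `mysql -B` prints).

# True (exit 0) when "other" has the read bit set: 644, 755, 777 ...
wpconfig_world_readable() {
    f="$1"
    [ -f "$f" ] || return 2
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ $(( (mode % 10) & 4 )) -ne 0 ]
}

# The attacker's scan, seen from the defender's side: every wp-config.php
# under a directory that "other" can read.
find_readable_wpconfigs() {
    find "$1" -name wp-config.php -perm -o=r 2>/dev/null
}

# Extract the value of define('KEY', 'value'): this is all the attacker's
# script needed once the file was readable.
wpconfig_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Restrict the file to owner (you) and group (the web server). On a shared
# host where every customer's PHP runs as the same user this is still not
# enough, which is why the wp_options check below exists.
wpconfig_harden() {
    chmod 640 "$1"
}

# Read "option_name<TAB>option_value" lines on stdin and print every
# siteurl/home value that does not start with the expected origin.
# Exit 0 if all is well, 1 if something has been rewritten.
wp_options_check() {
    expected="$1"
    bad=0
    while IFS="$(printf '\t')" read -r name value; do
        case "$name" in
            siteurl|home)
                case "$value" in
                    "$expected"*) ;;
                    *) echo "REWRITTEN: $name = $value"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# --- demo on a constructed wp-config.php (sample data, not a real site) ---
demo_dir=$(mktemp -d)
cfg="$demo_dir/wp-config.php"
cat > "$cfg" <<'EOF'
<?php
define('DB_NAME', 'wp_recruit');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'S3cret!pass');
define('DB_HOST', 'localhost');
EOF
chmod 644 "$cfg"   # the mistake the article describes

if wpconfig_world_readable "$cfg"; then
    echo "world-readable: any account on this host can read the credentials:"
    echo "  DB_USER=$(wpconfig_define "$cfg" DB_USER) DB_PASSWORD=$(wpconfig_define "$cfg" DB_PASSWORD)"
    echo "  readable configs under $demo_dir: $(find_readable_wpconfigs "$demo_dir")"
    wpconfig_harden "$cfg"
    wpconfig_world_readable "$cfg" || echo "fixed: wp-config.php is no longer world-readable"
fi

# Constructed wp_options rows, as printed by
#   mysql -B -e "SELECT option_name, option_value FROM wp_options
#                WHERE option_name IN ('siteurl','home')"
printf 'siteurl\thttp://malicious.example/\nhome\thttp://www.example.com\n' \
    | wp_options_check 'http://www.example.com' \
    || echo "restore with: UPDATE wp_options SET option_value='http://www.example.com' WHERE option_name IN ('siteurl','home');"

rm -rf "$demo_dir"
```

Run it as the account that owns the WordPress files; on a real install point `find_readable_wpconfigs` at your document root and feed `wp_options_check` the output of the mysql query quoted in the comments. A 640 mode only helps if the group is the web server's group and no other customer's code runs under that user, which is exactly the situation the article says many shared-hosting users are not in.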

Further reading on this hack and on hardening WordPress:
  • Details on the Network Solutions / Wordpress mass hack
  • Google Cloaking Hack Targeting WordPress & How to Fix It
  • wordpress blogs hacked, a new wordpress worm? or just a world readable wp-config.php file
  • 10 Tips To Make WordPress Hack-Proof
  • Tips and Info for Network Solutions WordPress Customers
  • Latest WordPress Hack – Symptoms, Solutions & Resources
  • Don't Get Hacked: WordPress Security Tips




Article URL: http://www.recruitmentdirectory.com.au/Blog/are-you-using-wordpress-for-your-recruitment-website-check-your-security-a353.html

Article Tags: wordpress job board software web application security database password network solutions directory listings insecure software hack wordpress recruitment website wordpress security
