Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

Are you using WordPress for your Recruitment Website? Check your security

Posted By: Thomas Shaw, 12:01pm Monday 19 April 2010    Print Article

Do you use WordPress? Are you aware of the security implications around the software? Over the past week, thousands of WordPress websites have been compromised with malicious malware code inserted into the database

If you use WordPress, you better check your site. Prevention is better than cure.
  • Wordpress stores the database credentials in plain-text at the wp-config.php file.
  • This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).
  • A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.
  • This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials.
  • Yes, he again (the bad guy) launches an attack and modify the database for all these blogs. Now the siteurl for all of them just became [malicious website]. Easy hack.
The problem for just about any web application that requires access to a database is that there just isn't a good way to secure the database login credentials in a plain text file.

At some point, the web application has to be able to send those credentials to the database server. And if the web server can read/generate those credentials, then there is always the possibility that an unauthorized party on the same server might be able to gain access to them "if the server and app are not secured properly".

Details on the Network Solutions / Wordpress mass hack

Google Cloaking Hack Targeting WordPress & How to Fix It

wordpress blogs hacked, a new wordpress worm? or just a world readable wp-config.php file

10 Tips To Make WordPress Hack-Proof

Tips and Info for Network Solutions WordPress Customers

Latest WordPress Hack Ė Symptoms, Solutions & Resources

Donít Get Hacked: WordPress Security Tips




Article URL: http://www.recruitmentdirectory.com.au/Blog/are-you-using-wordpress-for-your-recruitment-website-check-your-security-a353.html

Article Tags: wordpress wordpress recruitment website hack insecure software directory listings network solutions database password web application security wordpress job board software security

Comments Hide Comments (0)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Refresh
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.
 


Back to Menu Back to Menu



Random Blog Articles

Mobile Recruitment Websites - Keep it simple
Published: 1:53pm Tuesday 13 July 2010

Recruitment Blogs
Published: 8:53pm Monday 01 December 2008

Search Engine Friendly URLs
Published: 4:01pm Sunday 26 July 2009

Australian Job Board Statistics - September 2010
Published: 1:16pm Monday 04 October 2010

Thomas wins $50,000 from MyCareer!
Published: 8:42pm Thursday 12 March 2009