Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Are you using WordPress for your Recruitment Website? Check your security

Posted By: Thomas Shaw, 12:01pm Monday 19 April 2010

Do you use WordPress? Are you aware of the security implications around the software? Over the past week, thousands of WordPress websites have been compromised, with malicious code inserted into the database.

If you use WordPress, you had better check your site. Prevention is better than cure.
  • WordPress stores the database credentials in plain text in the wp-config.php file.
  • This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).
  • A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.
  • This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials.
  • Yes, he again (the bad guy) launches an attack and modifies the database for all these blogs. Now the siteurl for all of them just became [malicious website]. Easy hack.
The problem for just about any web application that requires access to a database is that there just isn't a good way to secure the database login credentials in a plain text file.

At some point, the web application has to be able to send those credentials to the database server. And if the web server can read/generate those credentials, then there is always the possibility that an unauthorized party on the same server might be able to gain access to them "if the server and app are not secured properly".
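The permission mistake in the list above can be checked for directly. The following is an added example, not part of the original post: it lists every wp-config.php under a web root that users outside the owner and group can access, then removes that access. The function names and the web root path you pass in are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Function names are hypothetical; pass your own web root as the argument.

# Print every wp-config.php under $1 on which "other" users hold any
# permission bit (read, write or execute): the "755 instead of 750" case.
find_exposed_wp_configs() {
    root=$1
    find "$root" -type f -name wp-config.php \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Strip all "other" permissions from each exposed file and report it.
# Owner and group bits are left alone so the web server keeps its access.
harden_wp_configs() {
    root=$1
    # A temp file keeps the loop in the current shell and copes with
    # spaces in directory names.
    list=$(mktemp) || return 2
    find_exposed_wp_configs "$root" > "$list"
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        chmod o-rwx "$f" && echo "fixed: $f"
    done < "$list"
    rm -f "$list"
    return 0
}

# Usage (the path is a placeholder):
#   find_exposed_wp_configs /path/to/webroot    # report only
#   harden_wp_configs /path/to/webroot          # report and fix
```

After hardening, confirm the site still loads: the web server must be able to read the file as its owner or through its group.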

Details on the Network Solutions / Wordpress mass hack

Google Cloaking Hack Targeting WordPress & How to Fix It

wordpress blogs hacked, a new wordpress worm? or just a world readable wp-config.php file

10 Tips To Make WordPress Hack-Proof

Tips and Info for Network Solutions WordPress Customers

Latest WordPress Hack – Symptoms, Solutions & Resources

Don’t Get Hacked: WordPress Security Tips




Article URL: http://www.recruitmentdirectory.com.au/Blog/are-you-using-wordpress-for-your-recruitment-website-check-your-security-a353.html

Article Tags: wordpress job board software web application security database password network solutions directory listings insecure software hack wordpress recruitment website wordpress security
