Are you using WordPress for your Recruitment Website? Check your security
Posted By: Thomas Shaw, 12:01pm Monday 19 April 2010
Do you use WordPress? Are you aware of the security implications of running it? Over the past week, thousands of WordPress websites have been compromised, with malicious code inserted into their databases.
If you use WordPress, you had better check your site. Prevention is better than cure.
WordPress stores the database credentials in plain text in the wp-config.php file.
This file should be readable only by the account that owns it and by the web server, but some users (well, lots of users) left it readable by everyone on the host (a mode like 755 or 644 instead of 750 or 640; in Linux terms, the read bit for "other" was set).
A malicious user on Network Solutions' shared hosting wrote a script to look for wp-config.php files with those permissions.
The script found hundreds of such files, and the attacker read the database credentials out of each one.
With those credentials in hand, the attacker connected to the databases and changed the siteurl option of every one of those blogs to [malicious website], so all of them now pointed at the attacker's site. An easy hack.
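As an added example (not code from this post, from WordPress or from the hosting provider), here is the same check the attacker's script performed, written from the defender's side in Python: it creates a wp-config.php containing a constructed sample of the DB_* defines, gives it the common but wrong 0644 mode, shows what any other account on the host could read from it, then hardens it to 0640 and confirms the "other" read bit is gone. The sample credentials, the temporary path and the `demo()` helper are assumptions made for illustration only.

```python
import os
import re
import stat
import tempfile

# Constructed sample of the DB_* defines in a wp-config.php (not a real site).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wp_blog');
define('DB_USER', 'wp_blog_user');
define('DB_PASSWORD', 'example-password-only');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
"""

# Matches define('DB_NAME', 'value') with either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def world_readable(path):
    """True if the 'other' read bit is set: any local account can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def extract_db_credentials(text):
    """Return the DB_* defines as a dict; this is all the attacker's script
    had to do once it could open the file."""
    return dict(DEFINE_RE.findall(text))


def harden(path):
    """Set 0640: owner read/write, group (the web server) read, nothing for others.
    Returns the resulting mode as an octal string."""
    os.chmod(path, 0o640)
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo():
    """Build a wp-config.php with the common 0644 mode, show what leaks,
    fix it, and return the findings (hypothetical file in a temp dir only)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wp-config.php")
        with open(path, "w") as fh:
            fh.write(SAMPLE_WP_CONFIG)
        os.chmod(path, 0o644)  # the misconfiguration the post describes
        readable_before = world_readable(path)
        leaked = {}
        if readable_before:  # what a script run by any other account sees
            with open(path) as fh:
                leaked = extract_db_credentials(fh.read())
        mode_after = harden(path)
        return {
            "readable_before": readable_before,
            "leaked": leaked,
            "mode_after": mode_after,
            "readable_after": world_readable(path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the host itself the equivalent one-liner is `find /home -name wp-config.php -perm -o=r` (GNU find), followed by `chmod 640` on each hit. One caveat for shared hosting: 0640 only helps if PHP runs under your own account (suPHP or a per-user FastCGI pool); where every customer's PHP runs as the same Apache user, that user can still read the file through any other customer's script, and the fix is a host that isolates accounts, not a permission bit.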
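As an added example (again not code from the post or from WordPress), the database side of the attack and its detection in Python: an in-memory SQLite stand-in for the wp_options table is built with constructed rows, the single UPDATE the attacker needed is run against it, and a check compares the siteurl and home options against the hostname the site should have. The check goes slightly beyond the post by covering home as well as siteurl, since either can be used to redirect a site. The hostname, the URLs and the sqlite stand-in are assumptions; against a real install you would run the same SELECT over MySQL, with your own $table_prefix in place of wp_.

```python
import sqlite3
from urllib.parse import urlparse

# Assumption for the example: the hostname the blog is really served from.
EXPECTED_HOST = "www.example-recruiter.com"
GOOD_URL = "http://www.example-recruiter.com"


def build_sample_db():
    """In-memory stand-in for the wp_options table (constructed; real WordPress
    keeps this in MySQL, but the columns used here have the same names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE wp_options (
                        option_id    INTEGER PRIMARY KEY,
                        option_name  TEXT NOT NULL UNIQUE,
                        option_value TEXT NOT NULL)""")
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)",
        [("siteurl", GOOD_URL), ("home", GOOD_URL),
         ("blogname", "Example Recruitment")])
    conn.commit()
    return conn


def attacker_rewrite(conn, malicious_url):
    """The one UPDATE the post describes: with the stolen credentials, this is
    all it takes to point a blog at the attacker's site."""
    conn.execute(
        "UPDATE wp_options SET option_value = ? WHERE option_name = 'siteurl'",
        (malicious_url,))
    conn.commit()


def find_tampered_urls(conn, expected_host):
    """Return the names of the URL options whose host is not the expected one."""
    rows = conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home') ORDER BY option_name").fetchall()
    return [name for name, value in rows
            if urlparse(value).hostname != expected_host]


def restore_urls(conn, good_url):
    """Remediation: put both URL options back, then re-run the check."""
    conn.executemany(
        "UPDATE wp_options SET option_value = ? WHERE option_name = ?",
        [(good_url, "siteurl"), (good_url, "home")])
    conn.commit()
    return find_tampered_urls(conn, urlparse(good_url).hostname)


if __name__ == "__main__":
    db = build_sample_db()
    print("before attack:", find_tampered_urls(db, EXPECTED_HOST))
    attacker_rewrite(db, "http://malicious.example.net/")
    print("after attack: ", find_tampered_urls(db, EXPECTED_HOST))
    print("after restore:", restore_urls(db, GOOD_URL))
```

Restoring the URLs is only the visible part of the cleanup: the attacker still holds the database password, so change it in both MySQL and wp-config.php and fix the file permissions before anything else.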
The problem for just about any web application that needs a database is that there is no good way to secure database credentials that sit in a plain-text file.
At some point the application has to send those credentials to the database server, and if the web server can read them, then any unauthorized party on the same server may be able to read them too, unless the server and the application are locked down properly.