I’ve been doing a lot of cyber security investigations on many clients’ websites lately, and it would seem that WordPress is most vulnerable because of all the so-called free, underdeveloped and/or otherwise vulnerable plug-ins. It seems like some free plugins have backdoors. Some were just created by inexperienced developers.
I’ve also found that many hackers are trying to log into WordPress sites using information from other data breaches. For example, hackers found someone’s Quora information, probably from the dark web, and then used that information to access their WordPress site.
Please share what you know surrounding this topic including plugins with known vulnerabilities and cyber defense strategies.
Thanks group.
>I’ve also found that many hackers are trying to log into WordPress sites using information from other data breaches. For example, hackers found someone’s Quora information, probably from the dark web, and then used that information to access their WordPress site.
Isn’t that generally the case with any known public facing login form?
I would say it’s much easier to find plugins that clearly state how they deal with security vulnerabilities than it is to find plugins that have security holes.
That said, two of the biggest plugins ever, Elementor and WooCommerce, both suffered issues with data security in the past year.
These days, it’s tough to stay ahead and stay nimble, is, I assume, what the devs of these products would say. And it’s easy to be a bad dev who posts a plugin to the repo and then never updates it again.
Anything online is hackable.
The common misinformation that WP is any more vulnerable than any other platform is usually spread by those who lack security knowledge.
For example, government, corporate and other organisations ‘that should know better’ regularly have break-ins, regardless of how they have been built.
Like anything else online, how it’s set up defines whether a backdoor is left open or not, and that includes WordPress.
There are several databases that outline known vulnerabilities. I am surprised that someone doing cyber investigations is asking for this information and a how-to on keeping sites secure.
I had a client whose users got phishy emails regarding their order. Yet there was no breach. I think they were the victim of credential stuffing, not to gain access but just to determine if they were a member of the client’s site. What put me on to this is that a few of the complaints were from people who never used the client’s site but had the phishy email.
I was able to get 3 look-alike domains shut down during this, I should add.
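The original post and the reply above both describe the same traffic pattern: credentials from someone else’s breach replayed against wp-login.php, either to get in or just to learn whether an address is registered. The script below is an added example (not code from any poster, and not a WordPress component) that flags that pattern in ordinary combined-format access logs. It relies on two observable facts about stock WordPress: a login attempt is a POST to wp-login.php, and a failed attempt re-renders the form with HTTP 200 while a successful one answers 302. The log lines, IP addresses, timestamps and the thresholds (five attempts per IP, ten distinct IPs, five-minute window) are constructed for the demo and should be tuned to the site.

```python
"""Flag credential-stuffing patterns against wp-login.php in combined-format access logs.
Added example; sample lines below are constructed, not captured traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def login_attempts(lines):
    """Keep only POSTs to wp-login.php (the request a login form submission makes), oldest first."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            out.append(rec)
    return sorted(out, key=lambda r: r["ts"])


def analyse(lines, per_ip_limit=5, distinct_ip_limit=10, window=timedelta(minutes=5)):
    """Return findings: single-IP bursts, a 302 (success) after repeated 200s (failures)
    from the same IP, and many distinct IPs hitting the form inside one window."""
    attempts = login_attempts(lines)
    findings, flagged_burst = [], set()
    by_ip = defaultdict(list)
    for rec in attempts:
        by_ip[rec["ip"]].append(rec)

    for ip, recs in by_ip.items():
        for i, rec in enumerate(recs):
            recent = [r for r in recs[: i + 1] if rec["ts"] - r["ts"] <= window]
            failures = [r for r in recent if r["status"] == 200]
            if len(recent) >= per_ip_limit and ip not in flagged_burst:
                flagged_burst.add(ip)
                findings.append({"kind": "burst", "ip": ip, "attempts": len(recent), "at": rec["ts"]})
            if rec["status"] == 302 and len(failures) >= 3:
                # Stuffing that found a working pair: treat that account as compromised.
                findings.append({"kind": "success_after_failures", "ip": ip,
                                 "failures": len(failures), "at": rec["ts"]})

    for i, rec in enumerate(attempts):
        recent = [r for r in attempts[: i + 1] if rec["ts"] - r["ts"] <= window]
        ips = {r["ip"] for r in recent}
        if len(ips) >= distinct_ip_limit:
            findings.append({"kind": "distributed", "ips": len(ips), "at": rec["ts"]})
            break  # one finding is enough; per-IP counters would never trip on this traffic
    return findings


def _sample_line(ip, hhmmss, method="POST", status=200, path="/wp-login.php"):
    """Build one constructed combined-log line for the demo."""
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 0 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed traffic: one normal login, one hammering IP that succeeds, and a slow spread."""
    lines = [_sample_line("192.0.2.5", "09:00:01", method="GET"),
             _sample_line("192.0.2.5", "09:00:09", status=302)]
    for s in range(6):                      # six failures in under a minute ...
        lines.append(_sample_line("203.0.113.7", f"09:10:{s * 10:02d}"))
    lines.append(_sample_line("203.0.113.7", "09:11:05", status=302))   # ... then a success
    for i in range(12):                     # twelve IPs, one attempt each, over three minutes
        total = i * 15
        lines.append(_sample_line(f"198.51.100.{i + 1}", f"09:{20 + total // 60:02d}:{total % 60:02d}"))
    return lines


if __name__ == "__main__":
    for f in analyse(sample_log()):
        print(f)
```

Access logs do not carry the POST body, so the usernames being tried are invisible here; the script keys on request shape only. The membership probe the reply describes works because the stock login form answers differently for an unknown username and for a wrong password, so a defender who also logs the failure reason (for example from a login-auditing plugin) can tell enumeration from guessing, which this log-only view cannot.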
The best thing about WordPress is anyone can write a plug-in. The bad thing about WordPress is anyone can write a plug-in.
Don’t build your business around someone else’s unproven code.
Try to minimize the number of plugins you use. Don’t use a plug-in when a few lines of code will do. Use plugins from reputable developers who will continue to update the code. Review the plug-in code: do you understand it? Is it using best practices, or is it spaghetti code?
Must work for Wix.
In my experience, 9 times out of 10, WordPress vulnerabilities are an “Evil Admin” attack, which means they rely on someone already having access to the dashboard to execute an attack.
I’m not saying that to minimize the issue or downplay the severity or anything; it’s just a fact. WordPress does a fairly good job of security, but, as with any web-facing application, programmed in any language and running on any platform, security is only as good as the person implementing it.
If you have a shit admin, you’ll have shit security.
WordPress’s biggest issue is that it’s too easy for an inexperienced person to set up and operate, especially with so many VPS providers these days offering one-click application installation. It requires less and less knowledge to get up and running with a self-hosted copy of WordPress.
That, coupled with the fact that it’s as popular as it is, means it has a very large target painted on it. A large install base of insecure installations = bad times.