Recommended site for WordPress security

2007-07-19

Lately this site, blogsecurity.net, caught my attention. Although a new site, it has already done a really good job of disclosing and discussing new vulnerabilities in WordPress, whether serious or not.

One of its most important features is its WordPress Scanner, which used to be a downloadable script but is now available only on the web. It scans your WordPress blog and tries to discover its version, the plugins in use, and whether it is vulnerable to XSS attacks. (Thanks to this scanner, I have fixed some of the problems in my own blog.)

And it is not holding back new WordPress holes from disclosure — for example, a new article yesterday showed how to enumerate valid usernames on a WordPress installation by brute force, as a stepping stone to obtaining a username / password pair. And everybody is using the default ‘admin’ username, right?

XSS vulnerabilities get their share too. Counting only those found after 2.2.1, there are at least 2:

Here is a good quote from one of them:

WordPress have apparently said they will resolve this vulnerability in v2.2.2.

And indeed, neither of them has been fixed in the WordPress source code repository as of now (that is, 2 weeks after the latter vulnerability was disclosed), and there is no apparent schedule for 2.2.2.

Overall, this site provides good reading for those who care about the safety of their WordPress installation.

2 Responses

  1. Hey try it once you install the AskApache Password Protect Plugin… adds some serious password protection to your wp-admin directory.

    @ http://www.askapache.com/wordpress/htaccess-password-protect.html

  2. Thanks for the pointer, though I have already done that manually. However, some of the lax file/dir permissions introduced by this plugin make me worry.
