It seems like everyone is blogging. In a recent TV commercial, they even use blogging as a way for a guy to get a girl to go to his apartment.

 

Yes blogging is mainstream.

 

Of the more popular blogging software, WordPress has to be near the top, if not sitting atop the ladder of blogging software available.

 

As of this writing, WordPress claims 4,442,799 blogs.

 

Blogging has been determined to be a great strategy for developing community among potential and current customers. It’s been the cornerstone of developing good content which we all know ranks very high with the search engines.

 

If you want to alert all of your customers to some security patch – you post it in your blog. WordPress blog software allows you to customize your service with a variety of plugins.

 

A search engine query for WordPress plugins currently returns about 2,360,000 results.

 

WordPress made its software open source so that many people could create plugins that offer a multitude of services. Some are admin oriented, others are strictly user benefits.

There are WordPress plugins for searching, for fighting spam and for showing the weather. There are WordPress navigation plugins, WordPress form plugins, WordPress post plugins, WordPress video plugins and WordPress tag plugins. Every day new WordPress plugins are released.

Some of the plugins, like the “All in One SEO” plugin or the “WP Security Scan” plugin, are considered by many to be mandatory. Others allow your subscribers to include YouTube videos in their posts, or smilies, or any number of little inconsequential items all designed to make your blog more friendly.

With over 4 million WordPress blogs, if you were a cybercriminal, wouldn’t you consider writing some cool WordPress plugin and hiding obfuscated code in it that would silently try to infect every visitor’s computer?

 

Sounds possible doesn’t it?

 

The thing is, how would you know?

 

How would you know if a plugin you’re installing on your blog is legitimate or not?

 

Before you go thinking I’m some kind of paranoid idiot, hear me out. Then at least you can make an educated decision on whether you still think I'm a paranoid idiot or someone who knows their stuff.

 

Maybe you weren’t one of the many blog owners that got “hacked” back in early June or late May of 2008, but I can tell you, there were a lot of blog owners complaining about having their sites hacked. If you’re one of the blog owners that relies on income or leads from your blog, then that time period hit you hard. You may have even received one of these labels from Google, “This site may harm your computer.”

 

So why would it be such a leap to think that hackers would go after plugins too?

You know that hackers and cybercriminals know how to create tools that can automatically post to thousands of forums. They’ve even found ways of beating CAPTCHAs. If they wanted to talk up some new WordPress navigation plugin, it would be extremely easy for them.

 

Maybe the person who wrote the plugin didn’t have malicious intent but maybe they just weren’t aware of safe programming techniques. Maybe they had a great idea for a plugin and learned just enough to create it according to the guidelines of WordPress.

 

Do you ever review the PHP code of a new plugin?

 

Or do you just decide to trust the author of the plugin?

 

You should have the code reviewed before installing it on your blog. See if someone you know knows PHP and have them review the code. The person you turn to for this should have knowledge of safe programming techniques. The reason so many sites have vulnerabilities is that there are so many programmers who can program but don’t know, or don’t follow, safe programming techniques.

Things to look for are any database calls, especially ones that operate on data input by the user. That input needs to be validated, and when it reaches a query it must be passed as a bound placeholder rather than concatenated into the SQL string; in WordPress that means $wpdb->prepare() with %s or %d placeholders. Be sure there is code that only allows valid data through. Otherwise you’ll be open to SQL injection, and that’s real bad.

Check all of the include and require statements. Make certain that every included file ships with the plugin and that none of them are pulled in from a remote site. PHP refuses URL includes when allow_url_include is off (the default in PHP 5.2 and later), but don’t rely on your host’s php.ini for that. An include whose path is built from request input is just as dangerous, since it lets an attacker choose which local file gets executed.

Examine the PHP code for anything that fetches data from a remote site: file_get_contents() or fopen() on an http:// URL, or cURL calls. Note what the plugin does with the response, too; fetched content that is eval()’d or written into a script on your site is a red flag. If you’re not familiar with that remote site, you may want to have the code professionally reviewed.
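The three checks above (database calls fed from user input, remote or request-controlled includes, and outbound fetches) can be triaged mechanically before a human reads the code. The script below is an added example, not code from the original post or from any WordPress project; it runs line-local regexes over a plugin’s PHP and also flags the eval(base64_decode(...)) idiom that hidden obfuscated payloads typically use. The patterns and the sample plugin it scans are constructed assumptions: they surface candidates for a reviewer and do not follow a tainted variable from one line into a query on a later line, so a clean result is not proof of a clean plugin.

```python
"""Heuristic triage of a WordPress plugin's PHP source.

Added example, not code from the original post. It flags the three
things the post tells a reviewer to look for (database calls built from
user input, include/require of remote or request-controlled paths, and
outbound fetches to remote hosts) plus the eval(base64_decode(...))
idiom that hidden, obfuscated payloads usually use. The patterns are
assumptions: line-local regexes that surface candidates for a human
reader, not a parser, and they do not track a variable tainted on one
line into a query on a later line.
"""
import re
import sys
from typing import List, Tuple

# PHP request superglobals: anything read from these is attacker input.
SUPERGLOBALS = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"

# (rule name, regex applied to each non-comment line)
RULES = [
    # $wpdb->query()/get_*() whose argument carries a superglobal and is not
    # routed through $wpdb->prepare() in the same statement.
    ("sql_user_input",
     re.compile(r"\$wpdb\s*->\s*(?:query|get_(?:var|row|col|results))\s*\("
                r"(?![^;]*->\s*prepare\s*\()[^;]*" + SUPERGLOBALS)),
    # include/require pulling code from a URL (remote file inclusion).
    ("remote_include",
     re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*https?://")),
    # include/require whose path is built from request data (local file inclusion).
    ("dynamic_include",
     re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*" + SUPERGLOBALS)),
    # Outbound HTTP fetch to a remote host.
    ("remote_fetch",
     re.compile(r"\b(?:file_get_contents|fopen|curl_init|curl_setopt)\s*\("
                r"[^;]*https?://")),
    # The classic "hide the payload" idiom.
    ("obfuscated_eval",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")),
]


def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, stripped line) for every line that
    trips a rule. Comment-only lines are skipped so prose such as
    'remote include' in a docblock does not count as a finding."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name, stripped))
    return hits


# Constructed sample, not a real plugin: one instance of each pattern plus
# benign lines that a good rule must leave alone.
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: Constructed Sample (not a real plugin)
*/
global $wpdb;

// Unsafe: request input concatenated straight into SQL
$rows = $wpdb->get_results("SELECT * FROM {$wpdb->posts} WHERE ID = " . $_GET['id']);

// Safe: the value is bound through a %d placeholder in $wpdb->prepare()
$row = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->posts} WHERE ID = %d", $_GET['id']));

// Remote file inclusion
include 'http://example.invalid/lib/helper.php';

// Local include whose path comes from the request
require_once dirname(__FILE__) . '/templates/' . $_GET['tpl'] . '.php';

// Outbound fetch to a third-party host
$weather = file_get_contents('http://example.invalid/weather.xml');

// Hidden payload (decodes to: echo 'hello';)
eval(base64_decode('ZWNobyAnaGVsbG8nOw=='));

// Benign: a local include and a query with no user input
require_once dirname(__FILE__) . '/admin.php';
$count = $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->comments}");
'''


if __name__ == "__main__":
    # With file arguments, scan those; otherwise scan the built-in sample.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, rule, text in scan_php(fh.read()):
                    print(f"{path}:{lineno}: {rule}: {text}")
    else:
        for lineno, rule, text in scan_php(SAMPLE_PLUGIN):
            print(f"sample.php:{lineno}: {rule}: {text}")
```

Run it as `python plugin_triage.py wp-content/plugins/some-plugin/*.php` and hand the flagged lines to whoever is doing the review; the sample shows the unsafe get_results() call being reported while the prepare()’d version two lines below is not.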

 

Another item you should check before installing a plugin is that it is still supported. We’ve found many plugins where the author hasn’t updated it in over a year. Now maybe, just maybe, the plugin didn’t need any updates. However, it could also mean that the plugin has been abandoned.

 

If you were a hacker, wouldn’t you look for an abandoned plugin, take it over and update it so that everyone who updates is automatically delivering your malicious code? Makes sense doesn’t it?

 

Hackers are always looking for covert, socially engineered methods to infect as many people as they possibly can. If you have a site, blog or forum that gets even a fair amount of traffic, you’d better believe the hackers and cybercriminals are looking at your site.

 

You need to be at least one step ahead of them.

 

We strongly recommend using the WP Security Scan plugin. We’ve found it to be clean and extremely useful. Our other recommendations all depend on what platform your blog is hosted on: Linux or Windows and whether you’re on a dedicated server or a shared server.

 

If you’d like our recommendations send us an email to: wpsecurity@wewatchyourwebsite.com. Please include your operating system, version of WordPress and whether you’re on a dedicated or shared server.

 

At WeWatchYourWebsite.com we use a multitude of PHP and JavaScript scanners. Some of them are better at detecting certain vulnerabilities than others, so we decided to use a variety, combine the results and let you know whether a plugin or your PHP code is safe or not. This service is offered to our clients in addition to our other services.

 

If you’re interested in becoming a client click here.

 

 

Thank you for your interest