
Security threat discovered in WordPress

A security threat has been discovered in WordPress 4.2

Late last night, a zero-day vulnerability (a flaw that is public before a patch exists for it) was found that allows attackers to inject malicious script into WordPress sites through the comment form.

One of the serious issues with WordPress (and other widely used open-source software) is its exposure as a platform. Since 2004, 996 software vulnerabilities have been recorded in WordPress. Users must update their version of WordPress manually (and many don't, leaving them open to further attacks), or configure their sites to update automatically. And that only helps once a vulnerability has been discovered and patched. (29/04/15 UPDATE: This only applies to self-hosted WordPress sites, not to sites on the hosted WordPress.com service, where the WordPress.com team handles security, backups and hosting, much as Core dna does.)

Last week, Core dna (our content management system and platform of choice) stopped 1 million threats. It updates all customer systems automatically and at the same time, so every user is on the patched version as soon as it ships, giving the highest possible level of protection. A dedicated team works on Core dna, and they are the only people with access to the source code. That controlled environment is a far cry from WordPress, where contributors all around the world work on the CMS without a single common direction or a uniformly peer-reviewed code base.

This latest threat affects users of WordPress 4.2 (and earlier versions) who have comments enabled. Worldwide, WordPress serves about 37 million people as their CMS (content management system). While a patch is being worked on, the advice is simply for administrators to disable comments to prevent the site being compromised. (UPDATE: A critical security patch, WordPress 4.2.1, has now been released; update immediately.)

The vulnerability lets an attacker inject JavaScript into a WordPress comment. Because the comment is stored and then rendered into the page, the script runs in the browser of anyone who views it: a stored cross-site scripting (XSS) attack. If it runs for a logged-in administrator, the script executes with the administrator's session and can do anything the administrator can, including using the built-in plugin and theme editors to add server-side code, which effectively hands the site to the attacker. For an ordinary visitor, it can deliver malware or SEO spam. The Finnish company that discovered the flaw, Klikki Oy, has stated that it informed WordPress of the vulnerability in November but was ignored. A patch for a similar WordPress flaw was released earlier this week, but that was for a bug reported in early 2014.
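The mechanism described above, as an added example (this is not code from the original post, from WordPress or from Klikki Oy): a toy comment pipeline showing why a stored XSS of this kind can survive input-time sanitisation, and why sanitising at output time is the robust fix. The published advisory's payload padded an allowed tag's quoted attribute past the 64 KB limit of the database column that holds comment text, so the closing quote was silently cut off in storage and the approved structure no longer held. The allow-list sanitizer, the column-limit simulation and the sample comments below are constructed for illustration and are not WordPress's own code; the example generalises beyond this bug to any transformation that happens between validation and rendering.

```python
import html
import re

# Constructed sample comments for the demonstration (not captured from any site).
BENIGN_COMMENT = 'Nice post, see <a href="https://example.com/" title="ref">this</a>.'
XSS_COMMENT = '<img src=x onerror="alert(document.cookie)">hello'

# Hypothetical stand-in for the database column that holds comment text:
# a MySQL TEXT column silently cuts values off at 65535 bytes.
DB_COLUMN_LIMIT = 65535

# Hypothetical allow-list sanitizer (a toy, not WordPress's own wp_kses):
# it keeps <a> tags whose only attributes are double-quoted href/title
# values, and escapes every other '<', '>' and '&'.
ALLOWED_TAG = re.compile(r'<a(?:\s+(?:href|title)="[^"<>]*")*\s*>|</a>')


def sanitize(comment: str) -> str:
    """Escape everything except tags matched by ALLOWED_TAG."""
    out, pos = [], 0
    for m in ALLOWED_TAG.finditer(comment):
        out.append(html.escape(comment[pos:m.start()], quote=False))
        out.append(m.group(0))
        pos = m.end()
    out.append(html.escape(comment[pos:], quote=False))
    return "".join(out)


def store(comment: str) -> str:
    """Simulate the database truncating an over-long value without error."""
    return comment.encode("utf-8")[:DB_COLUMN_LIMIT].decode("utf-8", "ignore")


def quotes_balanced(fragment: str) -> bool:
    """The structural property the sanitizer approved: every '"' is closed."""
    return fragment.count('"') % 2 == 0


def pipeline_input_sanitized(raw: str) -> str:
    """Vulnerable pattern: sanitize before storage, then trust the stored
    value, so whatever storage did to it reaches the browser unchecked."""
    stored = store(sanitize(raw))
    return f'<div class="comment">{stored}</div>'


def pipeline_output_sanitized(raw: str) -> str:
    """Hardened pattern: store the raw text, sanitize what is actually rendered."""
    stored = store(raw)
    return f'<div class="comment">{sanitize(stored)}</div>'


def live_tags(page_html: str) -> int:
    """Count '<' inside the comment div, i.e. tags the browser will parse."""
    return page_html.count("<") - 2  # minus the div's own open and close tags


def attacker_comment() -> str:
    """Shape of the advisory's payload: an allowed tag whose quoted title
    carries extra attributes and is padded so the closing quote and '>'
    fall past the column limit and are cut off in storage."""
    padding = "A" * DB_COLUMN_LIMIT
    return f'<a title="x onmouseover=alert(1) {padding}">link</a>'


def demo() -> dict:
    """Run each sample through both pipelines and summarise the outcome."""
    results = {}
    for name, raw in (("benign", BENIGN_COMMENT), ("xss", XSS_COMMENT),
                      ("truncated", attacker_comment())):
        results[name] = {
            "stored_value_well_formed": quotes_balanced(store(sanitize(raw))),
            "live_tags_if_input_sanitized": live_tags(pipeline_input_sanitized(raw)),
            "live_tags_if_output_sanitized": live_tags(pipeline_output_sanitized(raw)),
        }
    return results


if __name__ == "__main__":
    for name, summary in demo().items():
        print(name, summary)
```

Running it, the `benign` comment keeps its link in both pipelines and the plain `xss` comment is neutralised in both; only the `truncated` case separates them: the sanitizer approved a well-formed tag, storage cut off its closing quote, and the input-sanitised pipeline then emits a live `<a` tag carrying `onmouseover`, while the output-sanitised pipeline escapes the malformed fragment entirely. The general rule this illustrates is to validate the value you render, not the value you received, because truncation, charset conversion or a later filter can undo what was checked on the way in.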

While no platform is invulnerable, the facts are that WordPress has disclosed two zero-day threats this week alone, while Core dna has not had one this year. Isn't it time you got peace of mind? Call us on 1300 750 262.