Category Archives: Security

Backporting WordPress Security Fixes

Alex Schleber so dislikes WordPress 2.5 that he’s worked out how to patch version 2.3.3 with 2.5’s security patches instead of upgrading. It’s an approach I would recommend against. For one thing, there’s a good chance that one won’t recognize all of the patches via changelogs, if for no other reason than that [...]

WordPress Attacks Mapped

Franklin Veaux has diagrammed a network of compromised sites, including the Boston Public Library’s blog, that are geared towards installing viruses. He notes that there has been a surge of attacks recently against compromised WordPress sites, so the lesson is to be sure that you keep your WordPress version up-to-date.
Veaux does link to some of these [...]

CSRF Attack on WordPress

Someone named Ferruh has a proof-of-concept cross-site request forgery (CSRF) attack against WordPress (HT: DK at BlogSecurity). I’ve tried it out successfully on my own version of WordPress 2.3.3.
The scenario is like this: you go to leave a comment on someone’s site, and surreptitiously that (evil) site tricks you into changing your WordPress admin password [...]

Protecting WordPress from SQL Injection Attacks

David Kierznowski at BlogSecurity suggests that WordPress is “insecure by design.” What he means is that in general WordPress does not sanitize MySQL queries. He recommends that WordPress provide “a proper set of SQL safe functions (i.e. $wpdb->escape_int and $wpdb->escape_str)” and “use mysql_real_escape_string(), and have clearly defined coding standards and security policies” like [...]