110,000 Wordpress Databases Exposed

For years now I've been writing my various blog posts and I have used many different kinds of CMS platforms, right back to posting using VI back in the 90s. My favourite platform that I've used to create content has been Wordpress by far. I can almost hear the security folks cringe. Yes, it is a massive headache to lock down. But I fight on, as the user experience makes the pain worthwhile.

OK, maybe worthwhile isn't the correct word.

This is a platform that has had a long history of security issues. As an example, a quick search on Secunia reveals 939 vulnerabilities for Wordpress. As well, a search on OSVDB returned 2325 results. Now, to be fair this includes plugins and themes in addition to the core software.

That being said, ouch.

One of the problems with Wordpress is that it is very easy to set up. So easy, in fact, that most users are oblivious to the need to lock the installation down. The bugger of it is making it secure. Case in point: Steve Ragan's article this morning about the Wordpress DDoS issues caused by platform configuration issues with pingback. At times this can seem more of a black art to most users. A quick and simple Google search underlines the problem with people using a platform like Wordpress. I found 111,000 sites that were exposing their database backups to the Internet. This includes all manner of websites, from independent music sites to doctor offices and even some government websites.

Here's an example database dump as indexed in Google. Any offending information has been redacted.

This is one of over 110,000 databases. Are the passwords hashed? Yes, for the most part. Would this be considered hacking? By some, yes. That troubles me greatly.

These are sites that have exposed themselves completely and have their databases indexed in search engines. I can only imagine the horde of angry villagers that would show up at my doorstep with pitchforks and torches if I named the sites specifically. Which I won't do. 

Short story, check your Wordpress site for exposures. If you are in fact running local backups at least put a control in place to block access to them like the plugins from Wordfence or Sucuri.
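As an added example that is not from the original post, here is a small POSIX shell audit for a site you administer: it lists database dumps left under the Wordpress document root, prints an Apache 2.4 .htaccess block that denies them, and can confirm from outside that a given URL is no longer served. The docroot path, the dump filename patterns and the example URL are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Finds database dumps left inside a
# Wordpress document root and emits an Apache 2.4 .htaccess rule that denies them.
# Assumption: $1 is the docroot; the filename patterns below are what this
# example treats as a database export (not an exhaustive list).

# is_db_dump FILENAME -> returns 0 when the name looks like a database export
is_db_dump() {
    case "$1" in
        *.sql|*.sql.gz|*.sql.bz2|*.sql.zip|*.sql.tar.gz|*.sql~|*.sql.bak) return 0 ;;
        *) return 1 ;;
    esac
}

# find_db_dumps DOCROOT -> prints every matching file under the docroot
find_db_dumps() {
    find "$1" -type f | while IFS= read -r f; do
        if is_db_dump "$f"; then printf '%s\n' "$f"; fi
    done
}

# deny_rule -> prints an .htaccess block (Apache 2.4 syntax) for the same patterns
deny_rule() {
    cat <<'EOF'
<FilesMatch "\.sql(\.(gz|bz2|zip|tar\.gz)|~|\.bak)?$">
    Require all denied
</FilesMatch>
EOF
}

# check_denied URL -> returns 0 when the web server answers 403 or 404 for URL
check_denied() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    case "$code" in 403|404) return 0 ;; *) return 1 ;; esac
}

# audit DOCROOT -> reports dumps; returns 1 if any were found so cron/CI notices
audit() {
    dumps=$(find_db_dumps "$1")
    if [ -n "$dumps" ]; then
        printf 'Backup files reachable under %s:\n%s\n' "$1" "$dumps"
        return 1
    fi
    printf 'No database dumps found under %s\n' "$1"
    return 0
}

# Usage: sh wp-backup-audit.sh /var/www/html  (path is an example)
if [ "$#" -eq 1 ]; then audit "$1" && deny_rule; fi
```

A dump that the server still serves should be moved out of the docroot, not merely denied; the rule is a backstop for the next forgotten export.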

Also, test your site to look for exposures. A handy tool, available as a standalone application or in the Kali distribution, is called WPScan. This is a purpose-built Wordpress security scanning tool that can help you find issues before someone pops your site.

Practice safe blogging.

(Image used under CC from Nikolay Bachiyski)
