3 questions: WordPress security
Malwarebytes' Adam Kujawa says Blackhole exploits, ransomware threaten popular platform
By Michael Fitzgerald
January 31, 2013 — CSO —
Adam J. Kujawa is Malware Intelligence Lead at Malwarebytes. He authored the report "Cyberthreats in 2012," highlighting (among other things) security issues with the popular blogging/website platform WordPress.
CSO: What's the big deal with WordPress security—why is this a significant issue now?
Adam Kujawa: You've got fish in a barrel and an upgraded harpoon, in that a lot of people are creating their own blogs and the mass existence of exploit kits like Blackhole.
WordPress is a great exploit platform, because users have lots of control over how their WordPress site is viewed, and using plugins and things like that. But the problem is that users aren't properly securing them. They aren't keeping their passwords difficult enough or resetting them from the default, they're using outdated plugins and a lot of other bad security practices. It makes it very easy to set up drive-by exploits.
What was the worst WordPress exploit you saw?
We saw immense amounts of ransomware. The nightmare scenario would be malware-tisements—malicious ads where you're surfing a legit website, minding your own business, and a legitimate ad has been modified by cyber criminals and allowed to execute code or redirects. Next thing you know this ad shows up and you're redirected to a WordPress site with a drive-by on it and you get infected with ransomware and you're locked out of your computer and you have to pay $300 to get it back. My father got ransomware by this method.
Is it hard to set up WordPress securely?
Adam Kujawa: It's not super hard. If you're not inherently technical, I wouldn't try to set up WordPress. I'd get somebody else to do it. But the biggest targets are the ones that are quickly set up, and don't have a massive amount of traffic. The best advice I have is to find a professional or a hosting company. They might cost a little more but will be worth it if they can securely establish a web presence.
Read more about application security in CSOonline's Application Security section.
Other stories by Michael Fitzgerald