Mengxue Ni

There are a lot of factors to consider when thinking about the physical location of data storage. This chart seems to combine three factors; infrastructure, politics, and natural disasters. The problem with an overall score like this is that it is only a good starting place to understand good locations. The real challenge is understanding how infrastructure, politics, and natural disaster risk weighs on the minds of your company’s board. If your company absolutely can’t take any political risks, such as a government peeking into your servers, there are certain countries that may receive very low overall scores for your needs.

Better late than never. This is encouraging to see big companies like PwC finally realizes that cyber security should be an embedded element of their business. With 59% of organizations that participated in PwC’s information survey said they have increased cyber security spending as a result of digitization of their business ecosystem, slowly but surely this will increasingly become a problem against hacking attacks and render attackers’ jobs more difficult.

I wanna share some snippet from Wikipedia regarding how famous is the security breached and vulnerability in WordPress
Many security issues have been uncovered in the software, particularly in 2007, 2008, and 2015. According to Secunia, WordPress in April 2009 had 7 unpatched security advisories (out of 32 total), with a maximum rating of “Less Critical”. Secunia maintains an up-to-date list of WordPress vulnerabilities.

In January 2007, many high-profile search engine optimization (SEO) blogs, as well as many low-profile commercial blogs featuring AdSense, were targeted and attacked with a WordPress exploit. A separate vulnerability on one of the project site’s web servers allowed an attacker to introduce exploitable code in the form of a back door to some downloads of WordPress 2.1.1. The 2.1.2 release addressed this issue; an advisory released at the time advised all users to upgrade immediately.

In May 2007, a study revealed that 98% of WordPress blogs being run were exploitable because they were running outdated and unsupported versions of the software. In part to mitigate this problem, WordPress made updating the software a much easier, “one click” automated process in version 2.7 (released in December 2008). However, the filesystem security settings required to enable the update process can be an additional risk.

In a June 2007 interview, Stefan Esser, the founder of the PHP Security Response Team, spoke critically of WordPress’ security track record, citing problems with the application’s architecture that made it unnecessarily difficult to write code that is secure from SQL injection vulnerabilities, as well as some other problems.

In June 2013, it was found that some of the 50 most downloaded WordPress plugins were vulnerable to common Web attacks such as SQL injection and XSS. A separate inspection of the top-10 e-commerce plugins showed that 7 of them were vulnerable.

In an effort to promote better security, and to streamline the update experience overall, automatic background updates were introduced in WordPress 3.7

Individual installations of WordPress can be protected with security plugins that prevent user enumeration, hide resources and thwart probes. Users can also protect their WordPress installations by taking steps such as keeping all WordPress installation, themes, and plugins updated, using only trusted themes and plugins,[82] editing the site’s .ht-access file to prevent many types of SQL injection attacks and block unauthorized access to sensitive files. It is especially important to keep WordPress plugins updated because would-be hackers can easily list all the plugins a site uses, and then run scans searching for any vulnerabilities against those plugins. If vulnerabilities are found, they may be exploited to allow hackers to upload their own files (such as a PHP Shell script) that collect sensitive information.

Developers can also use tools to analyze potential vulnerabilities, including WPScan, WordPress Auditor and WordPress Sploit Framework developed by 0pc0deFR. These types of tools research known vulnerabilities, such as a CSRF, LFI, RFI, XSS, SQL injection and user enumeration. However, not all vulnerabilities can be detected by tools, so it is advisable to check the code of plugins, themes and other add-ins from other developers.

In March 2015, it was reported by many security experts and SEOs including Search Engine Land that a SEO plugin for WordPress called WordPress SEO by Yoast which is used by more than 14 million users worldwide has a vulnerability which can lead to an exploit where hackers can do a Blind SQL injection.

To fix that issue they immediately introduced a newer version 1.7.4 of the same plugin to avoid any disturbance on web because of the security lapse that the plugin had.

WordPress’ minimum PHP version requirement is PHP 5.2,which was released on January 6, 2006, 10 years ago, and which has been unsupported by the PHP Group and not received any security patches since January 6, 2011, 5 years ago

https://en.wikipedia.org/wiki/WordPress

Mengxue and Vaibhav, thank you for your valuable and informative points about WordPress’ threats. Apparently, WordPress has a lot of work to do and I hope they are paying attention and take this seriously. Major academic and media organizations, including CNN and Temple, use the WordPress platform for their website. You are right Mengxue when you mention that it would be catastrophic if our school falls under WordPress’ victim list. As a recommendation, I would suggest the Content Management System to review in-house enterprise architecture, policies and technology to align itself with the best cyber security capabilities. This is something WordPress should not take lightly as the CMS leading the number of infected websites with 74%.

These password breaches are not just a risk to internal employee credentials, but also a risk to companies that have customer facing websites. With the hacks referenced in these articles, many companies are seeing a rise in brute force password attacks on their sites with hackers attempting to use the same or similar passwords associated with credentials that were hacked.

I think companies should have a responsibility to prevent these brute force attempts (e.g. locking accounts out after a number of invalid attempts and monitoring for abnormal login activity). Anyone else have any thoughts on this?

Link to video does no connect to a video