3 min read

The unnoticed side of WordPress websites

This article highlights the unnoticed security risks associated with WordPress websites, including data leaks, unprotected API endpoints, and more.

If you got here, propably you had seen a WordPress admin panel, or even made your own website using it. Some time ago there was a pretty popular song made by Ylvis, but for this article I will change it’s title a bit…

“What does the WordPress say”?

Have you ever thought and checked what your site is sending to internet even without your knowledge?

Based on my several years of experience with WordPress and cyber security, I have encountered such threads as:

  1. Data Leaks (Braking GDPR and others too, as often you can find CVs or other doc’s with personal data).
  2. Configuration files (mostly JSON) with credentials and other cool stuff.
  3. Unprotected API endpoints.
  4. TXT files with admin credentials 🤦‍.
  5. Unencrypted backups that includes whole DB, because why not.
  6. SQL dumps in wp-content/uploads (imagine that some people think that nobody can find this if they don’t gave them link to it…)
  7. Misconfigured webserver or PHP interpreter.

But, what does it mean to you?

Let’s summarize probable consequences.

  1. You can have big legal problems as well as the enormous cost, as there are many people who are concerned about the security of their personal information.
  2. Mostly website/server takeover which can end with legal problems.
  3. Bots publishing comments with links, propaganda etc.

Of course there can be another consequences, but I met those 3 most often.

You can ask if I handled any of such incidents.

Yes, I have, and quite a few. And I will share my experience with you with a single short story.

Try to image yourself a company website, middle-sized one in fact. About 200 subpages with many informations, articles and etc. are posted. And you receive an email from a foreign government with links to your website and information that you are sharing lies and propaganda which hits them directly, requesting removal. First tought? Ok, that can be just cheap scam, so let’s analyze that email. After checking, it turned out that the email was real so I checked those links, and yeah, there was some content in this foreign language that no one from the editorial team made. I removed those articles from site and we contacted back. Do you think that this incident is closed now? No way. I checked how it actually happened. This website had one not updated plugin which gave the ability to publish content without authorization.

So… What to do when someone hacked the site?

Let’s make a short list of actions which I will be extending in later articles individually.

  1. Check how they got into it, check logs, search for: vulnerabilities, not updated plugins, publicly accessible files.
  2. Fix & patch vulnerabilities and other problems.
  3. Write down the whole situation! It will help you in building safer stuff in the future and preparing Security Policy or safe standards.
  4. Try to connect with someone more experienced then you. It will help you a lot with securing your website, and you will learn something at the same time.

What tools should you use, how should you do it, and how should you counteract?

These are quite broad topics that I will certainly cover in future publications to give them enough attention, and also not to bore you with such a long article.