Fatal Flaw In WordPress Plug-ins

7 replies
Hi. Has anyone else experienced this big problem? And what was your solution?

I use WP as my platform, so when I purchase plugins for WP and WP does an upgrade, my plugins create a security risk (if they are not updated) that allows hackers to insert their PHP code and sabotage my hard work.

So to all you WP plug-in developers: please don't abandon your customers and stop providing upgrades or support.

Karthik Ramani is probably the only software developer I trust who has never let me down. I hope others here will not be out to make a fast buck and will provide the tech support we are paying for.
  • Synnuh
    Not all plugins create security risks when WP is updated. I've never had a site hacked and I'm the worst about updating.

    For what it's worth, if a hacker wanted into your WP dashboard, it's not all that difficult -- even if everything is updated.

    In that sense, updating religiously could set you up for more issues than not updating. Hackers thrive on 0 day exploits -- the new ones nobody else knows about.

    Script kiddies that couldn't hack their way out of their mom's house are responsible for exploiting non-updated WordPress plugins.
    • JohnMcCabe
      You can eliminate many security risks before you install the first plug-in. Don't use the Fantastico one-click install, for a start. Set up your database yourself using secure database names and passwords (use a secure password generator).

      If you use the one click install, you get a generic database name based on a formula even the kiddie hackers know (WP is open source). From there it's a simple matter of guessing your password.

      Add some code, or use a security plug-in that limits the number of password attempts.

      Just these steps will eliminate much of the risk. Not because they're impossible to get around; a skilled and determined hacker will find a way. But because there are easier pickings down the road.
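The two measures in the reply above (credentials you choose yourself, and a cap on the number of login attempts) in working form, as an added example that is not part of the thread. The database name, user and password live in wp-config.php as DB_NAME, DB_USER and DB_PASSWORD, so that part is just editing a file; the attempt limit is the part that needs code. Below is a small must-use plugin (a file dropped into wp-content/mu-plugins/, which WordPress loads on every request without activation) that relies only on core hooks and transients. The 5-attempts / 15-minute policy and the lla_ function names are assumptions made for this example, not WordPress defaults.

```php
<?php
/*
Plugin Name: Limit Login Attempts (forum example)
Description: Locks a client address out after repeated failed logins. Place this
file in wp-content/mu-plugins/ and WordPress loads it on every request.
*/

// Policy: 5 failures inside 15 minutes lock that address for 15 minutes.
// Both numbers are assumptions for this example, not WordPress defaults.
define( 'LLA_MAX_ATTEMPTS', 5 );
define( 'LLA_WINDOW_SECONDS', 15 * 60 );

/**
 * Address the lockout is keyed on.
 *
 * REMOTE_ADDR is filled in by the web server from the TCP connection, so the
 * client cannot forge it. Behind a proxy or CDN it is the proxy's address; fix
 * that in the server configuration (trusted-proxy handling) rather than by
 * reading X-Forwarded-For here, or an attacker resets the counter on every
 * request just by sending a different header value.
 */
function lla_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient per address. Transients expire by themselves, so no cron job
// or extra table is needed, and they use the object cache if one is set up.
function lla_transient_key( $ip ) {
	return 'lla_fail_' . md5( $ip );
}

function lla_failure_count( $ip ) {
	$count = get_transient( lla_transient_key( $ip ) );
	return ( false === $count ) ? 0 : (int) $count;
}

// Core fires wp_login_failed for every failed attempt that goes through
// wp_authenticate(), which covers wp-login.php as well as XML-RPC.
function lla_record_failure( $username ) {
	$ip    = lla_client_ip();
	$count = lla_failure_count( $ip );
	if ( $count >= LLA_MAX_ATTEMPTS ) {
		return; // already locked; keep the existing expiry rather than extending it
	}
	// Sliding window: each failure restarts the countdown.
	set_transient( lla_transient_key( $ip ), $count + 1, LLA_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'lla_record_failure' );

/**
 * Runs late on the authenticate filter, after core's password check (priority
 * 20), so the lockout wins even when the submitted password is correct.
 * Hooked earlier, a correct guess would still succeed during the lockout,
 * which is exactly the outcome a brute-force attacker is waiting for.
 */
function lla_enforce_lockout( $user, $username, $password ) {
	if ( lla_failure_count( lla_client_ip() ) >= LLA_MAX_ATTEMPTS ) {
		return new WP_Error(
			'too_many_attempts',
			sprintf(
				'<strong>Error:</strong> Too many failed login attempts from your address. Try again in %d minutes.',
				LLA_WINDOW_SECONDS / 60
			)
		);
	}
	return $user;
}
add_filter( 'authenticate', 'lla_enforce_lockout', 100, 3 );

// A successful login clears the counter so a user who mistyped a few times is
// not left locked out for the full window.
function lla_clear_on_success( $user_login, $user ) {
	delete_transient( lla_transient_key( lla_client_ip() ) );
}
add_action( 'wp_login', 'lla_clear_on_success', 10, 2 );
```

To check it, fail the login five times from one address and then submit the correct password: the lockout message should appear instead of the dashboard. Because the counter is keyed on the client address, guesses spread across many addresses are only slowed per address; a per-username counter added the same way closes that gap, at the cost of letting anyone who knows a username lock that user out for the window.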
  • JohnKnight000
    The world of hacking is pretty fascinating. I've always wanted to learn but spent much of my time learning how to play the bass guitar.

    How is it possible to guess a password? I mean I can create a password so complex that it would take billions of guesses.
    • JohnMcCabe
      Originally Posted by JohnKnight000:

        The world of hacking is pretty fascinating. I've always wanted to learn but spent much of my time learning how to play the bass guitar.

        How is it possible to guess a password? I mean I can create a password so complex that it would take billions of guesses.
      Exactly. Do the same thing with your database name, and your WP site becomes so difficult to hack that most will simply move on.

      As for guessing a password, try googling "most popular passwords" and "brute force password cracking". It will blow your mind.
    • stackman
      Originally Posted by JohnKnight000:

        The world of hacking is pretty fascinating. I've always wanted to learn but spent much of my time learning how to play the bass guitar.

        How is it possible to guess a password? I mean I can create a password so complex that it would take billions of guesses.
      It's amazing how many people use simple guessable passwords, such as "password", "123456789", or a pet's name, or their own name and a birth year.
      • JohnMcCabe
        Originally Posted by stackman:

          It's amazing how many people use simple guessable passwords, such as "password", "123456789", or a pet's name, or their own name and a birth year.
        One company I worked with had a tech that claimed he could crack any password. We set up a little challenge on an isolated machine. I set the password, and he had 24 hours to crack it. He failed.

        What password did I use? I hit the "Enter" key. Anything he tried would not work.

        I don't recommend using this in the wild, but it was good for a laugh and a free beer after work.
  • Synnuh
    Make them complex, that's the point. I used to piss off people who called themselves "hackers" in an effort to get them to show me my own system's flaws. To this day, I still have the AOL/AIM screen name 'ixl' and it's because of the password complexity. Short of getting a virus, people won't be able to get it.

    Your site should be the same way. Without actively provoking known hackers, of course.

    I use 3 main passwords. One condensed version with numbers, a capital letter, and a "!". The 2nd version is longer, with the same capital and exclamation mark. I can set up new accounts on just about any platform with one of the passwords, and I don't have to use something like RoboForm to remember them.

    The last is the strongest, 16 characters, multiple capitals, numbers, and symbols. I've never had it cracked, and have tempted people who I knew were more than capable of getting it to try. I've never seen any resemblance of it in a password dictionary, either.

    Hackers depend on people being lazy, or ignorant of the issue. If you're not lazy with your security, and stay diligent in making sure your sites are updated and only use the plugins that you actually need, they're going to move on to the next easiest target, as long as it's not personal to them. It's like a car thief or house burglar -- they like unlocked doors unless they specifically want your house.

    As far as cracking a password, there's a variety of ways. The easiest is a key logger on your system. Behind that would be phishing your account and getting you to actually give them the information.

    The last resort would be to brute force your account with a large botnet of virus-infected computers, all trying various different passwords from a dictionary of known common passwords. It's a 1% to 2% chance any accounts actually come from brute force attacks, but it's not a method you'd actually want to use on someone's account, or site, if you didn't have to.

    Most script kids will resort to DDoSing your server before they'll try to actually break into it.
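How the guessing discussed in the replies above actually works (the "most popular passwords" lists, a name plus a birth year, and the dictionary-driven brute force Synnuh describes), as an added example that is not part of the thread: a dictionary attack with a few mangling rules, run against four constructed password hashes. The accounts, passwords, wordlist and names are made up for the demonstration; the script hashes with unsalted SHA-256 so it finishes in well under a second, and the comments say what changes against WordPress's salted, stretched hashes.

```php
<?php
// Dictionary attack against a handful of password hashes. Added example for the
// forum thread; the accounts, passwords, wordlist and names are constructed.

// Stand-in for a real wordlist such as the published "most popular passwords" lists.
$wordlist = array( 'password', '123456', '123456789', 'qwerty', 'letmein', 'welcome', 'admin' );

// Words an attacker reads off the target site itself: author names, a pet
// mentioned in a blog post, the company name. Constructed for the example.
$names = array( 'john', 'rex', 'karthik' );
$years = range( 1950, 2015 );

// Constructed targets: four accounts whose passwords the attack has to recover.
// The hashes are computed here from the plaintexts only so the script is
// self-contained; a real attack starts from a dumped users table (WordPress
// keeps the hash in wp_users.user_pass) and never sees the plaintexts.
function make_targets() {
	$secrets = array(
		'alice' => 'password',
		'bob'   => 'Rex1987',            // pet's name plus a birth year
		'carol' => 'Qwerty!',            // dictionary word with a capital and a symbol
		'dave'  => 'v7K#pZ2q!mLw9@Rt',   // 16 random characters, in no wordlist
	);
	$targets = array();
	foreach ( $secrets as $user => $pw ) {
		$targets[ $user ] = hash( 'sha256', $pw );
	}
	return $targets;
}

// Candidate generator: wordlist entries and site-specific names with the
// mangling rules real crackers apply first (capitalise, append 1/!/123, append
// a two- or four-digit year). Yielded lazily so the list is never built in memory.
function candidates( array $words, array $names, array $years ) {
	$suffixes = array( '', '1', '!', '123' );
	foreach ( $words as $w ) {
		foreach ( $suffixes as $s ) {
			yield $w . $s;
			yield ucfirst( $w ) . $s;
		}
	}
	foreach ( $names as $n ) {
		yield $n;
		yield ucfirst( $n );
		foreach ( $years as $y ) {
			yield $n . $y;
			yield ucfirst( $n ) . $y;
			yield ucfirst( $n ) . substr( (string) $y, 2 );
		}
	}
}

// Try each candidate against every still-uncracked target. Returns which
// accounts fell, with the password and the number of guesses it took.
function crack( array $targets, iterable $candidates ) {
	$found   = array();
	$guesses = 0;
	foreach ( $candidates as $pw ) {
		$guesses++;
		// Unsalted fast hash: one hash per guess is compared with every account.
		// WordPress salts and stretches its hashes (phpass historically, bcrypt
		// in recent releases), so each guess must be hashed per account and costs
		// far more CPU; that slows the attack down, but a password that appears in
		// the candidate list is still found, it just takes longer.
		$h = hash( 'sha256', $pw );
		foreach ( $targets as $user => $target ) {
			if ( ! isset( $found[ $user ] ) && hash_equals( $target, $h ) ) {
				$found[ $user ] = array( 'password' => $pw, 'guesses' => $guesses );
			}
		}
		if ( count( $found ) === count( $targets ) ) {
			break;
		}
	}
	return array( 'found' => $found, 'guesses' => $guesses );
}

$targets = make_targets();
$result  = crack( $targets, candidates( $wordlist, $names, $years ) );
foreach ( array_keys( $targets ) as $user ) {
	if ( isset( $result['found'][ $user ] ) ) {
		$f = $result['found'][ $user ];
		printf( "%-6s cracked: %-18s after %d guesses\n", $user, $f['password'], $f['guesses'] );
	} else {
		printf( "%-6s not found after all %d candidates\n", $user, $result['guesses'] );
	}
}
```

Run it with `php crack.php`. The three guessable passwords fall within a few hundred candidates even though two of them contain a capital letter and a symbol or digits, because the attacker's rules add exactly those to a dictionary word; the random 16-character one survives because no rule ever produces it. That is the practical version of the advice in the thread: what keeps a password out of reach is that it is not derivable from a wordlist, not the presence of a "!" at the end.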
