Matthew Pavkov Web Development

Wordpress Attack Types

Wordpress Firewall 2 is a security firewall plugin for Wordpress. It was originally developed by SEO Egghead, and has been revamped by me. The content below relates to potential Wordpress attacks, what the attacks are, how they work, and what Wordpress Firewall 2 does to help prevent them.

Directory Traversal

Read the Wikipedia article on directory traversal.

A directory traversal (or path traversal) attack exploits insufficient validation or sanitization of user-supplied file names, so that characters meaning "traverse to the parent directory" (../ in many cases) are passed through to the file APIs. By default, all references to the above values (and some similar ones) are blocked unless otherwise whitelisted (unblocked).
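The two halves of that defence, as an added example that is not Wordpress Firewall 2's own code (the plugin is PHP; this is a Python re-implementation of the idea): a request-side check that decodes each parameter and looks for a ".." path component, with a whitelist of parameter names, and a file-side check that resolves the requested name under a base directory and refuses anything whose canonical path escapes it. The parameter names, the base directory and the number of decoding rounds are assumptions for the example.

```python
import os
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import unquote


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL-encoding so that %252e%252e%252f is seen as ../ as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_traversal(value: str) -> bool:
    """True if any path component of the decoded value is '..' (with / or \\ separators)."""
    decoded = decode_fully(value).replace("\\", "/")
    return any(part == ".." for part in decoded.split("/"))


def scan_params(params: Dict[str, str], whitelisted: FrozenSet[str] = frozenset()) -> List[str]:
    """Names of request parameters that carry a traversal sequence and are not whitelisted."""
    return [name for name, value in params.items()
            if name not in whitelisted and looks_like_traversal(value)]


def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """The file-API side of the defence: resolve the name under base_dir and refuse
    anything whose canonical path escapes it (covers '..' and absolute paths alike)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decode_fully(user_path)))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample request; 'file' is a hypothetical parameter name.
    request = {"file": "..%2F..%2Fwp-config.php", "s": "firewall"}
    print(scan_params(request))                                  # ['file']
    print(resolve_inside("/var/www/uploads", request["file"]))   # None
```

The request-side scan is what a firewall plugin can do without knowing the application; the resolve-and-compare check is what the code that actually opens the file should do, because it holds regardless of which encoding the attacker used.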

SQL Injection

Read the Wikipedia article on SQL injection.

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. By using certain words or commands (SELECT *, UNION SELECT, etc.), control of or access to the database may be obtained. By default, all references to the above values (and similar ones) are blocked unless otherwise whitelisted. Certain Wordpress-specific default whitelists are made so that a post about SQL injection would not trip a false alarm.

Wordpress-Specific SQL Injection

Read the Wikipedia article on SQL injection.

SQL injection attacks could also be carried out not just by using SQL keywords or phrases (as stated above), but also by using Wordpress-specific functions, phrases, etc., which access and/or modify the database. By default, all references to the above values (and some similar ones) are blocked unless otherwise whitelisted. Certain Wordpress-specific default whitelists are made so that a post about SQL injection would not trip a false alarm.
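The keyword filter described in the two SQL injection sections above, with the post-editor whitelist that keeps an article about SQL injection from tripping it, as an added example in Python (not the plugin's PHP and not its actual rule lists). The patterns are my own constructed selection: the generic ones follow the page's SELECT * and UNION SELECT, and the Wordpress-specific ones use `$wpdb` (WordPress's database object) and a few of its default table names. The whitelisted field names are an assumption.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Generic SQL patterns (constructed for this example; the plugin's real lists are not on the page).
SQL_PATTERNS = [
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    re.compile(r"\bselect\s+\*", re.I),
    re.compile(r"\bselect\b.+?\bfrom\b", re.I),
    re.compile(r"\b(?:drop|truncate)\s+table\b", re.I),
    re.compile(r"\binsert\s+into\b", re.I),
    re.compile(r"'\s*(?:or|and)\s+\S", re.I),
]

# Wordpress-specific phrases that reach the database: $wpdb is WordPress's database
# object and wp_* are its default table names (which ones to list is my choice).
WP_DB_PATTERNS = [
    re.compile(r"\$wpdb\s*->", re.I),
    re.compile(r"\bwp_(?:users|usermeta|posts|options)\b", re.I),
]

# Assumed default whitelist: the post editor fields, so an article about SQL injection
# can be saved without tripping the filter.
DEFAULT_WHITELIST: FrozenSet[str] = frozenset({"content", "post_content", "excerpt"})


def find_sql_hits(params: Dict[str, str],
                  whitelist: FrozenSet[str] = DEFAULT_WHITELIST) -> List[Tuple[str, str]]:
    """(parameter name, pattern) for every non-whitelisted parameter that matches a rule."""
    hits = []
    for name, value in params.items():
        if name in whitelist:
            continue
        for pattern in SQL_PATTERNS + WP_DB_PATTERNS:
            if pattern.search(value):
                hits.append((name, pattern.pattern))
                break
    return hits


def should_block(params: Dict[str, str],
                 whitelist: FrozenSet[str] = DEFAULT_WHITELIST) -> bool:
    return bool(find_sql_hits(params, whitelist))


if __name__ == "__main__":
    # Constructed sample requests.
    print(should_block({"s": "test' UNION SELECT 1,2 --"}))                   # True
    print(should_block({"content": "Avoid SELECT * FROM wp_users in code"}))  # False (whitelisted)
```

The whitelist is per parameter name, not per value: the editor's content field may legitimately contain any SQL text, while the search parameter `s` never should. A keyword filter of this kind reduces noise at the edge but is not a substitute for parameterized queries in the code that talks to the database.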

Executable File Upload

Normally, executable files (.exe, .php, .pl, etc.) should not be uploaded to the server (a common exception would be the installation of a Wordpress theme or plugin). An attacker could find a vulnerability in an application (Wordpress) and upload an executable file. From this point, the executable file could be accessed via HTTP, and executed. The file could contain code which would grant access to protected systems and so forth. Since it's not common to upload these file types, such files are entirely rejected unless otherwise whitelisted.
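The upload check that paragraph describes, as an added Python example (not the plugin's PHP code). The page names .exe, .php and .pl; the rest of the blocked list is my extension of it. Every extension segment of the file name is examined, not only the last one, because some web server configurations pick the handler from an inner extension; the whitelist parameter models the page's "unless otherwise whitelisted".

```python
import os
from typing import FrozenSet, List

# The page names .exe, .php and .pl; the remaining entries are my addition for the example.
BLOCKED_EXTENSIONS: FrozenSet[str] = frozenset({
    "exe", "php", "php3", "php4", "php5", "phtml", "pl", "py", "cgi", "sh",
    "asp", "aspx", "jsp",
})


def upload_extensions(filename: str) -> List[str]:
    """Every extension segment of the upload's basename, lower-cased:
    'Avatar.PHP.jpg' -> ['php', 'jpg']. Directory parts (either separator) are dropped."""
    basename = os.path.basename(filename.replace("\\", "/"))
    return basename.lower().split(".")[1:]


def is_executable_upload(filename: str,
                         blocked: FrozenSet[str] = BLOCKED_EXTENSIONS) -> bool:
    return any(ext in blocked for ext in upload_extensions(filename))


def check_upload(filename: str, whitelisted: FrozenSet[str] = frozenset()) -> bool:
    """True if the upload may proceed. 'whitelisted' holds extensions the site owner has
    deliberately unblocked."""
    return not is_executable_upload(filename, BLOCKED_EXTENSIONS - whitelisted)


if __name__ == "__main__":
    # Constructed sample file names.
    for name in ("holiday.jpg", "theme.zip", "backdoor.php", "avatar.php.jpg"):
        print(name, "allowed" if check_upload(name) else "rejected")
```

A theme or plugin installed through the admin uploader arrives as a .zip archive, which this check passes; whether that route should stay open is a decision for the site owner, which is why the exception is a whitelist rather than a hard-coded rule.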

Field Truncation

Read the SEC Geeks article on field truncation.

From SEO Egghead: “This attack generally sends a series of whitespace characters or a NULL character to alter or duplicate the value of a parameter. NULLs are generally used to delete the remainder of a string — so SOME + NULL + THING becomes "SOME," and "THING" is lost or ignored. Whitespace is generally used to duplicate a value in a database or validation check where whitespace is ignored and the duplicate is therefore inserted.”
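The two effects in that quotation, shown as an added Python example that is not part of the original page or the plugin: what a NUL-terminated string API sees of "SOME" + NULL + "THING", and how a uniqueness check that compares exact strings lets "admin " in beside "admin" when the later database lookup ignores trailing whitespace. The `UserStore` class, its padded comparison and the sample user names are constructed for the example; `db_equal` stands in for a database collation that pads trailing spaces.

```python
from typing import List, Tuple

NUL = "\x00"


def c_string_view(value: str) -> str:
    """What a NUL-terminated string API sees: everything after the first NUL is gone."""
    return value.split(NUL, 1)[0]


def has_truncation_payload(value: str) -> bool:
    """Firewall-style check: a NUL byte, or leading/trailing whitespace, in a field value."""
    return NUL in value or value != value.strip()


def normalize_field(value: str) -> str:
    """Application-side fix: refuse NULs and collapse whitespace before any check or store."""
    if NUL in value:
        raise ValueError("NUL byte in field value")
    return " ".join(value.split())


def db_equal(a: str, b: str) -> bool:
    """Mimics a database comparison that ignores trailing whitespace (padded CHAR/VARCHAR)."""
    return a.rstrip() == b.rstrip()


class UserStore:
    def __init__(self) -> None:
        self.rows: List[Tuple[str, str]] = []   # (user name, role)

    def register_naive(self, name: str, role: str) -> bool:
        """Uniqueness check is exact, so 'admin ' is accepted next to 'admin'."""
        if any(row[0] == name for row in self.rows):
            return False
        self.rows.append((name, role))
        return True

    def register_safe(self, name: str, role: str) -> bool:
        """Normalize first, then compare the way the database will."""
        name = normalize_field(name)
        if any(db_equal(row[0], name) for row in self.rows):
            return False
        self.rows.append((name, role))
        return True

    def count_matching(self, name: str) -> int:
        """How many rows a padded lookup for 'name' would return."""
        return sum(1 for row in self.rows if db_equal(row[0], name))


if __name__ == "__main__":
    print(repr(c_string_view("SOME" + NUL + "THING")))   # 'SOME'
    naive = UserStore()
    naive.register_naive("admin", "administrator")
    naive.register_naive("admin ", "subscriber")          # accepted: the duplicate
    print(naive.count_matching("admin"))                  # 2
```

The firewall check rejects the raw request early; `normalize_field` is the fix inside the application, and it must run before both the uniqueness check and the insert so that the two compare the same value.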

Remote File Execution

Read the Wikipedia article on remote file execution.

Remote File Inclusion (RFI), which immediately leads to the execution of the included file, is a type of vulnerability most often found on websites; it allows an attacker to include a remote file, usually through a script on the web server. XSS (Cross Site Scripting) attacks are one type of attack that can be carried out through remote file execution. Unfortunately, this security filter may set off false alarms without proper maintenance (many legitimate Wordpress plugins can trip it), so it is off by default.
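The off-by-default filter and its whitelist, plus the inclusion-side fix, as an added Python example (not the plugin's PHP code). The filter flags non-whitelisted parameters whose value starts with a remote scheme or a PHP stream wrapper; the `enabled` flag defaults to off as the page says, and `redirect_to` (WordPress's own login redirect parameter) is an assumed entry in the whitelist. The `PAGES` map and `resolve_include` are constructed to show the application-side rule: user input selects a key in a fixed map and never becomes part of the include path.

```python
import re
from typing import Dict, FrozenSet, List, Optional

# Values that name a remote resource or a PHP stream wrapper rather than a local file.
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftps?|php|data)://", re.I)

ENABLED_BY_DEFAULT = False   # the page says this filter is off by default

# Assumed whitelist of parameter names that legitimately carry URLs (redirect_to is
# WordPress's own login redirect parameter; the rest of the choice is mine).
DEFAULT_WHITELIST: FrozenSet[str] = frozenset({"redirect_to", "url"})


def rfi_hits(params: Dict[str, str], enabled: bool = ENABLED_BY_DEFAULT,
             whitelist: FrozenSet[str] = DEFAULT_WHITELIST) -> List[str]:
    """Names of non-whitelisted parameters whose value starts with a remote scheme."""
    if not enabled:
        return []
    return [name for name, value in params.items()
            if name not in whitelist and REMOTE_SCHEME.search(value)]


# Constructed map of page names to template files: the inclusion side of the defence.
PAGES = {"home": "templates/home.php", "about": "templates/about.php"}


def resolve_include(page_param: str) -> Optional[str]:
    """Look the request value up in the fixed map; anything else resolves to nothing."""
    return PAGES.get(page_param)


if __name__ == "__main__":
    # Constructed sample request.
    req = {"page": "http://example.com/remote.txt", "redirect_to": "https://example.com/wp-admin/"}
    print(rfi_hits(req))                 # []  (filter off by default)
    print(rfi_hits(req, enabled=True))   # ['page']
    print(resolve_include(req["page"]))  # None
```

When the filter is switched on, the whitelist is where the legitimate URL-carrying parameters of installed plugins go; the map-based include is the change that removes the vulnerability rather than just detecting attempts at it.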

Protect Yourself

It's always a good idea to know what you're up against and what you can do about it. Here are a few places to start learning about Wordpress security, vulnerabilities, and how to protect yourself.

Hardening Wordpress can help prevent attacks from ever happening.
Current Wordpress vulnerabilities to keep you updated on flaws, etc.
An article by someone who was hacked, what he did to fix it, and what he learned.
