WordPress Riskiest Web Software – Trend Micro

I was reading Trend Micro's 2010 in Review: Most Dangerous List and I could not help scratching my head.

The majority of the items listed are hugely popular, and one could argue that their large user base (i.e. their popularity) is what makes them easier or more convenient targets.

Here's the top list summary:

  • Hardware: German identification card reader
  • Website software: WordPress
  • Internet Protocol: IRC
  • OS: Apple Mac OS X
  • Website: Google!
  • Social Network: Facebook
  • Top-level domain: .co.cc
  • File format: PDF
  • Runtime environment: Internet Explorer with scripting enabled
  • Infection channel: browser

What caught my attention is the information written about WordPress:

Website software: The riskiest software used by websites in 2010 was the popular blogging platform WordPress. Tens of thousands of unpatched WordPress blogs were used by cybercriminals for various schemes, primarily as part of redirection chains that led to various malware attacks or other blackhat search engine optimization (SEO)-related schemes.

This is misleading on several levels.

First of all, this is like saying Toyota is the riskiest car manufacturer because it assembles the best-selling sedan on earth, its owners do not keep their cars in top condition and use third-party parts, and car-nappers use them for their crimes.

Anything outdated and left unmaintained will be susceptible to malware, and the risk of server intrusion is more alarming than an attack on one specific piece of software, which leads to the next point — a web host is a bigger target. The redirection chains Trend Micro pointed out were primarily due to improper web server configuration, not to WordPress itself.

Web software is not the only thing that can be hacked to breach security. My blog was once hacked, and I was thankful I noticed it immediately. There was JavaScript injected into several directories that I had mistakenly left world-writable (chmod 777), and it was totally my fault, not the software's. Browser exploits could also lead to leakage of sensitive information like usernames and passwords. Remember Firesheep?
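The world-writable directory mistake mentioned above is easy to audit for. The script below is an added example, not code from the original post: it walks a web root, lists every file or directory with the "other" write bit set (the o+w that chmod 777 grants), and clears that bit while leaving owner, group and execute permissions alone. The `make_demo_tree()` fixture is constructed for illustration (a fake WordPress layout where `wp-content/uploads` was left at 777); the script assumes a POSIX filesystem.

```python
"""Audit a web root for world-writable files and directories (the chmod 777
mistake described in the post) and tighten them.

Constructed example; not from the original post. Assumes a POSIX filesystem.
"""
import os
import stat
import tempfile


def is_world_writable(mode: int) -> bool:
    """True if the 'other' write bit is set (the o+w in chmod 777)."""
    return bool(mode & stat.S_IWOTH)


def find_world_writable(root: str) -> list:
    """Walk `root` and return paths (relative to root) of every world-writable
    file or directory, sorted so the report is stable."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue
            if is_world_writable(st.st_mode):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def remove_world_write(root: str) -> int:
    """Clear the o+w bit on every world-writable entry; returns how many were
    fixed. Only the 'other' write bit changes, so a 777 directory becomes 775
    and the web server can still read and traverse it."""
    fixed = 0
    for rel in find_world_writable(root):
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, mode & ~stat.S_IWOTH)
        fixed += 1
    return fixed


def make_demo_tree() -> str:
    """Constructed fixture (hypothetical layout): wp-content/uploads left at
    777 with a 666 file inside it, while wp-includes is a correct 755/644."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    includes = os.path.join(root, "wp-includes")
    os.makedirs(uploads)
    os.makedirs(includes)
    with open(os.path.join(uploads, "cache.js"), "w") as f:
        f.write("// constructed sample file\n")
    with open(os.path.join(includes, "version.php"), "w") as f:
        f.write("<?php // constructed sample file\n")
    os.chmod(uploads, 0o777)
    os.chmod(os.path.join(uploads, "cache.js"), 0o666)
    os.chmod(includes, 0o755)
    os.chmod(os.path.join(includes, "version.php"), 0o644)
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    print("world-writable before:", find_world_writable(demo))
    print("entries fixed:", remove_world_write(demo))
    print("world-writable after:", find_world_writable(demo))
```

Run it against a real install by replacing `make_demo_tree()` with the document root; the relative paths it prints are the entries any local user, including a compromised neighbouring account on a shared host, could have written into.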

The pain point here is that WordPress, along with its installed themes and plug-ins, just like any other software in the world, will be at risk if you neglect any one portion of your security perimeter.

Blogging vague information is not the proper way to inform readers of what is at stake, because a company that offers security products and services should know better: software security is not one-dimensional.

Despite the risks, Trend Micro is still using a WordPress blog. Ironic.

  • Raquel Birky

    Good blog! I truly love how it is easy on my eyes and the data are well written. I’m wondering how I might be notified whenever a new post has been made. I have subscribed to your RSS feed which must do the trick! Have a great day!

  • Elsa

    This program might be just one more poor copy of any other software. Considering all the uncritical reviews of the program, I wonder if any of the writers even used the software package.
