WordPress Plugin Security

One of the RSS subscriptions I read every morning is the Secunia Security Advisories. This list tells me about all of the new vulnerabilities discovered in software. Having my own small “hosting company”, I keep tabs on all of the software I or my clients install on the server and compare that list to any security advisories Secunia releases.

Today, a popular WordPress Plug-in, WP-Stats appeared on the security advisory list. The vulnerability would allow someone smart and clever to make modifications to your site. That wouldn’t be good.

But this post isn’t about WP-Stats, rather about your own website security. Due to the easy installation and easy operation of WordPress (and many website scripts these days) the average website owner doesn’t pay enough attention to security.

I don’t expect website owners to read every line of code before installing new software for their website. However, they should have a sense of where that code is coming from, the security history of the software, and the overall experience level of the programmer.

When you install new software (or even a plugin) on your website you are inviting that programmer into your home (website) and leaving them there to do whatever they would like (execute their code) whenever they want, even when you are not at home. People also innocently make changes to their file system, doing things like “chmod 777”, without fully understanding the impact.

In general, WordPress users should be very thankful that the programmers have an excellent track record when it comes to security; there are currently no security advisories for WordPress 1.x or WordPress 2.x.

Other popular CMS systems such as Mambo do not have as clean a track record. Mambo has had 12 security advisories issued, two of which remain un-patched. Of the two un-patched advisories, one is from February of 2004 and the other goes back to December of 2002.

So what should you do if you are a website operator asking yourself “Am I secure?” To start, make a list of the software (and version number) you have installed on your website: any CMS systems, plugins, statistics programs, etc. Also, if you use any other programs your hosting company provides, such as statistics packages or webmail, add those to the list.

Then head over to Secunia and find the listing for each of your software packages. Are there any un-patched vulnerabilities? If so, how critical are they? Do you need to run any updates to fix known vulnerabilities? Is there software with un-patched vulnerabilities that you should disable on your site?

This post does not cover the full scope of website security; rather, it should serve as an introduction for people new to researching these issues. Many other factors come into play as well. For example, people on shared servers (likely most people) also need to be wary of what software other customers of the hosting company have installed! A combination of another customer running insecure software and you having done “chmod 777” on a file could spell disaster for you!
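The two checks recommended above, an inventory of installed software with version numbers to look up on Secunia and a search for world-writable (“chmod 777”) files, as an added Python example that is not code from the original post. It assumes the standard WordPress layout (the core version in wp-includes/version.php and the `Plugin Name:` / `Version:` comment header in each plugin's main PHP file); the small site it builds is constructed sample data, not a real install.

```python
import re
import stat
import tempfile
from pathlib import Path

# Standard WordPress locations and header keys (assumed layout; see lead-in).
CORE_VERSION = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
PLUGIN_HEADER = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def inventory(wp_root):
    """Return {software: version} for WordPress core and every plugin found.
    This is the list to compare against the Secunia advisories."""
    root = Path(wp_root)
    found = {}
    core = root / "wp-includes" / "version.php"
    if core.is_file():
        m = CORE_VERSION.search(core.read_text())
        found["WordPress"] = m.group(1) if m else "unknown"
    for php in (root / "wp-content" / "plugins").rglob("*.php"):
        hdr = dict(PLUGIN_HEADER.findall(php.read_text()[:4096]))
        if "Plugin Name" in hdr:
            found[hdr["Plugin Name"]] = hdr.get("Version", "unknown")
    return found


def world_writable(wp_root):
    """Return paths under wp_root that any other account on a shared server
    can modify: the 'chmod 777' mistake the post warns about."""
    root = Path(wp_root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.stat().st_mode & stat.S_IWOTH)


def build_sample_site():
    """Construct a tiny fake WordPress tree (constructed sample data) so the
    two checks above can be run offline."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '2.0.4';\n")
    plugin = root / "wp-content" / "plugins" / "wp-stats"
    plugin.mkdir(parents=True)
    (plugin / "wp-stats.php").write_text("<?php\n/*\nPlugin Name: WP-Stats\nVersion: 2.0\n*/\n")
    cfg = root / "wp-config.php"
    cfg.write_text("<?php // constructed sample config\n")
    for p in root.rglob("*"):  # normalise modes so the result is umask-independent
        p.chmod(0o755 if p.is_dir() else 0o644)
    cfg.chmod(0o777)  # the one deliberate mistake the check should catch
    return root
```

Run `inventory()` and `world_writable()` against the document root of a real install; anything the second function returns should be reset to 644 (files) or 755 (directories) before worrying about what the neighbours on the server are running.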
