As a WordPress website owner you have definitely thought about the security of your blogs and websites. Most probably you have also read a few articles about WordPress security, or about how to secure your WordPress. If WordPress security is not your cup of tea, though, you may have failed to understand half of the terms used in such documents and hence could not make sense of them. Don’t fret.
Below is a glossary of WordPress security terminology that explains each term in simple words, to help you better understand those security documents.
Audit Trail
Also commonly known as an audit log, an audit trail is a security record that keeps evidence of a sequence of events. A WordPress audit trail is therefore a log of what the WordPress users did, such as when they logged in and from where, what content they changed, and which plugins they installed, activated or upgraded. By default WordPress does not keep an audit trail, though you can easily start recording all WordPress changes in one with a plugin. Keeping a WordPress audit trail has several benefits, and several regulatory compliance requirements that business WordPress websites have to adhere to, such as PCI DSS, require administrators to keep an audit log of all changes.
Backdoor
In both web and WordPress security, a backdoor is a type of software (malware) that attackers use to retain unauthorized access to hacked computers and servers. Typically opened secretly by a Trojan or virus, a backdoor allows attackers to bypass all forms of authentication and access control mechanisms. Users are typically tricked into downloading malware when visiting a malware infected website, which is how they end up with backdoors and other types of malware on their computers and servers.
Browser Cookie
Refer to HTTP Cookie.
Brute Force Attack
Brute force attacks are very invasive and employ a trial and error approach. WordPress websites are typically victims of login brute force attacks; in fact you can find many guides on how to protect your WordPress from them. During a WordPress brute force attack, attackers use automated tools to send hundreds or thousands of login requests using a list of usernames and passwords. The aim is to guess a valid username and password combination and gain access to the admin pages of the target WordPress website. Because the guesses are drawn from such a list, brute force attacks against a login page are also commonly known as dictionary attacks.
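The two entries above fit together: an audit trail records every login attempt, and a brute force attack shows up in it as a burst of failures from one source. The following is an added example, not code from the original article, that runs a sliding-window detector over a constructed set of audit-trail style login records (all timestamps, addresses and usernames are made up):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of audit-trail style login records (not real data):
# timestamp, source IP, username tried, outcome.
LOGIN_EVENTS = """\
2023-05-01T10:00:01 203.0.113.7 admin failed
2023-05-01T10:00:02 203.0.113.7 admin failed
2023-05-01T10:00:02 203.0.113.7 administrator failed
2023-05-01T10:00:03 203.0.113.7 wpadmin failed
2023-05-01T10:00:04 203.0.113.7 editor failed
2023-05-01T10:00:05 203.0.113.7 editor failed
2023-05-01T10:02:00 198.51.100.23 jane failed
2023-05-01T10:02:20 198.51.100.23 jane success
2023-05-01T10:40:00 203.0.113.7 admin failed
"""

def parse_events(text):
    """Turn one record per line into (timestamp, ip, username, outcome)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag every source IP that produced at least `threshold` failed logins
    inside some sliding `window`. Returns {ip: (largest burst, usernames
    tried in it)}. A sliding window means a slow trickle of failures spread
    over an hour does not trip the detector, while a burst does."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "failed":
            failures_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, failures in failures_by_ip.items():
        failures.sort()
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, (0, []))[0]:
                users = sorted({u for _, u in failures[start:end + 1]})
                flagged[ip] = (count, users)
    return flagged
```

The single failure from 198.51.100.23 followed by a success is normal user behaviour and is not flagged; the six failures from 203.0.113.7 within five seconds, cycling through several usernames, are.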
Capabilities
Refer to Permissions.
Cross-site Scripting (XSS)
Cross-site scripting, also known as XSS, is a web application vulnerability that allows attackers to inject malicious client-side script into web pages, where it is executed in the browsers of the victims who visit the vulnerable website. Attackers can use a cross-site scripting vulnerability to target logged in WordPress users and steal their browser (HTTP) cookie. Once they have stolen the victim’s HTTP cookie and imported it into their own browser, the attackers can hijack the victim’s session.
Once the user session is hijacked, the attackers can reset the victim’s password, allowing them to terminate the victim’s session and take control of the vulnerable WordPress blog or website.
Exploit
An exploit is when an attacker takes advantage of a security vulnerability in order to cause unintended behaviour in the software. For example, in the case of WordPress, when an attacker takes advantage of an SQL Injection vulnerability to read or modify data in the WordPress database, such as changing the users’ passwords, the attacker is exploiting the SQL Injection vulnerability.
Firewall
A firewall is a type of software installed between two points, typically the internet and either a network service or a whole network, to protect the latter from attacks. A firewall is typically associated with protecting networks. In the case of websites such as WordPress, a web application firewall is used.
htaccess File
An htaccess file (.htaccess) is an Apache web server directory-level configuration file. htaccess files are used to override the general configuration of the web server for a specific directory. In WordPress, htaccess files are commonly used for the permalinks configuration and for several other security and non-security related tasks.
HTTP Cookie
Also known as an internet cookie, web cookie or browser cookie, an HTTP cookie is a small amount of data that a website sends to your web browser (such as Chrome, Firefox or Internet Explorer) while you browse it. In WordPress, cookies are used to store user session related data, such as the state of the session (logged in or out), as well as other personalized information.
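The session cookie described here is exactly what the cross-site scripting entry above says an attacker steals, so the check a site owner wants is whether those cookies are set with the attributes that limit the damage. The following is an added example, not code from the original article: it audits a constructed set of Set-Cookie headers shaped like a WordPress login response. The wordpress_logged_in_ and wordpress_sec_ prefixes are WordPress's real cookie names; HASH and the cookie values are placeholders.

```python
# Constructed sample Set-Cookie headers, shaped like those a WordPress login
# response sends. HASH stands in for the per-site cookie hash; values are made up.
SAMPLE_HEADERS = [
    "wordpress_logged_in_HASH=admin%7Cexample; Path=/; HttpOnly; Secure; SameSite=Lax",
    "wordpress_sec_HASH=admin%7Cexample; Path=/wp-admin; HttpOnly",
    "wp-settings-time-1=1680000000; Path=/; Expires=Thu, 02 May 2024 10:00:00 GMT",
    "PHPSESSID=abc123; Path=/",
]

# Cookies that carry a session: whoever holds one of these is treated as the
# logged in user, which is the hijack the XSS entry describes.
SESSION_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_", "PHPSESSID")

def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    name_value, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = name_value.partition("=")
    flags = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        flags[key.lower()] = val if val else True
    return name, value, flags

def audit_session_cookies(headers):
    """Return {cookie_name: [missing attributes]} for session cookies lacking
    HttpOnly (readable by injected script), Secure (sent over plain HTTP) or
    SameSite (attached to cross-site requests). Session cookies carrying all
    three attributes, and non-session cookies, are left out of the result."""
    findings = {}
    for header in headers:
        name, _, flags = parse_set_cookie(header)
        if not name.startswith(SESSION_PREFIXES):
            continue
        missing = [attr for attr in ("HttpOnly", "Secure", "SameSite")
                   if attr.lower() not in flags]
        if missing:
            findings[name] = missing
    return findings
```

HttpOnly is the attribute that stops the cookie theft described in the XSS entry, because a script injected into the page cannot read a cookie that carries it.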
Malware
Malware is an umbrella term used in IT security for all forms of malicious and intrusive software, such as Trojans, viruses, backdoors, worms, adware etc. Hence “a malware infected WordPress website” means that the WordPress website in question has been hacked and injected with some sort of malicious software. Such a website can typically be used to infect the computers of its visitors, spreading the infection further, which is why Google blocks it. You can learn more about malware from this Wikipedia article.
Permissions
In IT security, permissions are the consent given to a user or group of users to perform a specific action. In WordPress user roles, the word Capabilities is used instead of permissions, though the meaning is the same. For example a user with the Author role has the capabilities (or permissions) to create and publish their own content.
Permissions are also used in other areas related to WordPress and in IT in general. For example, file and directory permissions specify what type of access users have to a particular file or directory on the web server or any other computer. For more information on file system permissions refer to this Wikipedia article.
Principle of Least Privilege
The principle of least privilege means assigning a user or component the fewest privileges possible to complete a particular task. For example, if you have a number of guest authors who write and publish articles on your WordPress website, assign them only the Author role. If you give their users the Editor or Administrator role, they have more permissions than they need, which can result in a security issue.
Privileges
In the WordPress world, privileges are mostly used in relation to the database where data such as posts and user information is stored. Privileges dictate the type of access a database server user has to the WordPress database. For example, the user WordPress uses to connect to the database can be limited to reading and writing data, or can also be allowed to change the structure of the database, such as creating new tables.
Privilege Escalation
Privilege escalation is a type of vulnerability that, when exploited, lets the attacker gain access to resources that are normally restricted from his user or role. For example, if a WordPress user with the Subscriber role manages to exploit a privilege escalation vulnerability in WordPress, he might be able to do tasks that are not normally possible for a Subscriber. In WordPress 4.2.3, the WordPress core development team addressed a privilege escalation vulnerability that, when exploited, allowed a user with the Subscriber role to create and edit draft posts, pages and custom post types.
Proof of Concept
In computer security, a Proof of Concept (PoC) is a demonstration of the exploitation of a vulnerability and of its impact. PoCs are typically created by security professionals and included in Security Advisories when they identify a zero-day vulnerability in WordPress, a plugin or a theme. Proofs of concept are used to demonstrate where the security problem lies and also to highlight the impact such a flaw can have.
Security Advisory
A security advisory is a document published to disclose all the technical details of a zero-day vulnerability. Typically an advisory is published straight after the software vendor releases a security update for the affected software, and sometimes it also includes a Proof of Concept. Considering that the details in an advisory would allow malicious hackers to easily learn about the vulnerability, ideally the advisory should be published at a later date, giving users enough time to update their software. In fact many security professionals have been quite vocal about responsible disclosure of vulnerability details and how it can be improved.
Scan (Security Scan)
A security scan is the process of using automated tools to identify security flaws and possibly exploitable vulnerabilities on a target. There are several different types of scanning technologies, the most popular being black box and white box scanning. The difference between the two is the approach: in black box scanning the scanner attacks the target WordPress from the outside, while in white box scanning the scanner, such as a source code analyzer, has access to the code and internal components of the target.
Security Hardening
In WordPress, security hardening is the process of implementing WordPress hacks, or tweaks, in order to make WordPress more secure. For example renaming the default WordPress admin user, implementing two-factor authentication and applying secure WordPress database privileges are just a few simple yet effective WordPress hardening changes you can make to improve the security of your WordPress blogs and websites.
Source Code Audit
A source code audit is the process of analyzing the source code of a particular piece of software or web application with the intent of finding functionality bugs, vulnerabilities and other mistakes in the code. A source code audit can be done manually by an experienced developer or automatically with a source code analyzer. For more information on code audits refer to the Code Audit article on Wikipedia.
SQL Injection
This type of vulnerability allows the attacker to inject malicious SQL statements through the vulnerable website. It is typically used to attack database driven web applications such as WordPress in order to gain unauthorized access to the database and its data.
To exploit an SQL Injection vulnerability the attacker submits malicious SQL statements through an input field on the website, for the database server to execute. Such input fields could be the username and password fields (such as those on the WordPress login page), the comment form fields, search boxes etc. A web application such as WordPress, a WordPress plugin or a theme could be vulnerable to SQL Injection if user input is not properly sanitized.
By exploiting an SQL Injection vulnerability, the attacker can read and possibly write data to the database. In the case of WordPress, this means the attacker can retrieve the list of WordPress usernames and change their passwords. For a more detailed explanation of the SQL Injection vulnerability read 14 Years of SQL Injection and still the most dangerous vulnerability.
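To make the entry concrete, here is an added example, not code from the original article, that puts a vulnerable lookup next to its hardened form against an in-memory stand-in for the wp_users table (constructed rows, SQLite instead of MySQL). It shows why "not properly sanitized" matters: the vulnerable version lets a login field value change the meaning of the query, while the parameterized version treats it purely as data.

```python
import sqlite3

def build_db():
    """In-memory stand-in for the wp_users table, filled with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (user_login TEXT, user_pass TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?)",
                   [("admin", "hash-of-admin-pw"), ("jane", "hash-of-jane-pw")])
    return db

def lookup_user_vulnerable(db, login):
    """Vulnerable: the submitted login field is pasted straight into the SQL
    text, so quotes in the input are parsed as SQL rather than as data."""
    sql = "SELECT user_login FROM wp_users WHERE user_login = '%s' ORDER BY user_login" % login
    return [row[0] for row in db.execute(sql)]

def lookup_user_safe(db, login):
    """Hardened: the value is bound as a parameter, so the database receives
    it separately from the statement and never interprets it as SQL.
    WordPress code achieves the same with $wpdb->prepare()."""
    sql = "SELECT user_login FROM wp_users WHERE user_login = ? ORDER BY user_login"
    return [row[0] for row in db.execute(sql, (login,))]

# A login value that closes the quoted string and appends an always-true
# condition: the textbook shape of the injection the entry above describes.
INJECTED_LOGIN = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    # The vulnerable lookup returns every username, the very data leak the
    # entry warns about; the safe lookup finds no user with that literal name.
    print("vulnerable:", lookup_user_vulnerable(db, INJECTED_LOGIN))
    print("safe:      ", lookup_user_safe(db, INJECTED_LOGIN))
```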
Trojan
A Trojan is a type of malware that is disguised as legitimate software and acts maliciously once installed. For example, Trojans are typically used to open a backdoor on the infected computer or server, which allows the attacker to gain unauthorized access to it. Trojans can be distributed from malware infected websites. A common ruse used to trick victims into installing a Trojan is a fake antivirus alert shown while browsing a website, such as the one in the screenshot below…
Vulnerability
In both computing and WordPress, a vulnerability is a bug in a system’s security that, when exploited, allows attackers to gain unauthorized access to the system and its data or to hijack a user session. There are two types of vulnerabilities: technical and logical ones. Typically, technical vulnerabilities can be found automatically and are easy to exploit, while logical vulnerabilities are difficult to find and exploit. It is important to note that a vulnerability in a WordPress plugin or theme can lead to a full compromise of WordPress or of the web server itself, which is why it is important to keep all the components that make up your web server up to date.
WordPress User Roles
Every user on your WordPress website or blog has a role. WordPress has the following built-in roles: Super Admin (used only in a multisite installation), Administrator, Editor, Author, Contributor and Subscriber. A WordPress user with the Administrator role can do anything possible in WordPress, such as creating new articles or pages, installing and configuring plugins to add new functionality to the website, installing or changing a WordPress theme etc. A user with the Subscriber role can only manage his or her own profile.
Some plugins and themes create additional custom WordPress user roles, used to give users the permissions to complete specific tasks related to the plugin itself. For example, if you install a shopping cart plugin, new roles such as Shop Keeper and Data Entry are typically created.
Virus
A virus is a type of malware that is able to replicate itself when executed in order to infect other hosts. Typically viruses are used to distribute and install Trojans and backdoors, which attackers later use to gain access to the infected computer or server.
WordPress Firewall / Web Application Firewall (WAF)
Also known as a web application firewall, a WordPress firewall is software that analyses all the incoming traffic to your WordPress. Its role is to identify malicious requests being sent to your WordPress and block them. A WordPress firewall can be either a plugin or an online service.
Zero-Day Vulnerability (0-day)
A zero-day vulnerability is a previously undisclosed vulnerability whose details are not known to the public. It is called a 0-day because once someone knows about the security flaw, the software vendor has zero days available to advise countermeasures, including releasing a security patch. When the details of a zero-day vulnerability are published before the vendor is advised about the security issue, the chances of malicious hackers mass exploiting the vulnerability are very high, because owners of the vulnerable software have no way to protect their setup from such attacks…