CSO - Adam J. Kujawa is Malware Intelligence Lead at Malwarebytes. He authored the report "Cyberthreats in 2012," highlighting (among other things) security issues with the popular blogging/website platform WordPress.
CSO: What's the big deal with WordPress security--why is this a significant issue now?
Adam Kujawa: You've got fish in a barrel and an upgraded harpoon, in that a lot of people are creating their own blogs and the mass existence of exploit kits like Blackhole.
WordPress is a great exploit platform, because users have lots of control over how their WordPress site is viewed, and using plugins and things like that. But the problem is that users aren't properly securing them. They aren't keeping their passwords difficult enough or resetting them from the default, they're using outdated plugins and a lot of other bad security practices. It makes it very easy to set up drive-by exploits.
CSO: What was the worst WordPress exploit you saw?
Adam Kujawa: We saw immense amounts of ransomware. The nightmare scenario would be malware-tisements--malicious ads where you're surfing a legit website, minding your own business, and a legitimate ad has been modified by cyber criminals and allowed to execute code or redirects. Next thing you know this ad shows up and you're redirected to a WordPress site with a drive-by on it and you get infected with ransomware and you're locked out of your computer and you have to pay $300 to get it back. My father got ransomware by this method.
CSO: Is it hard to set up WordPress securely?
Adam Kujawa: It's not super hard. If you're not inherently technical, I wouldn't try to set up WordPress. I'd get somebody else to do it. But the biggest targets are the ones that are quickly set up, and don't have a massive amount of traffic. The best advice I have is to find a professional or a hosting company. They might cost a little more but will be worth it if they can securely establish a web presence.