Do these programs have the "shifting shit" problem? You know when you have to upgrade to fix bugs and vulnerabilities, but the muppets in charge of design have broken so many plugins and APIs with little regard to reverse-compatibility that many folk simply give up and leave it and try to ignore the risk.
Many of the UK's biggest firms are running outdated versions of their Drupal and Wordpress Content Management Systems (CMSes). Threat management company RiskIQ conducted research across the top 30 organisations in the UK (FTSE-30), looking specifically at Wordpress and Drupal instances visible on the open web. At least three …
Wednesday 1st June 2016 17:05 GMT Hans Neeson-Bumpsadese
Wednesday 1st June 2016 17:46 GMT Dadmin
Not really. Consider the number of employees at the Footsie 30 companies, and the number of front-facing departments with a need to interact with the outside world for this or that; an average of only 35 per seems reasonable. Their intranets will have even more sites, and without a caretaker for the CMS versions, or a design methodology that centralizes the content, they can slip behind versions pretty quickly. And that leaves known holes open. Plus these may have lots of static content, so there's probably a very real "setup and forget" mentality and accompanying small budget. "Why would anyone break into our <online thing>? No one would, it's not a target, so we need take no action." And they do, so here we are again. Doing nothing about security is what most enterprises do best, and that's good sport for the malwarevians.
Wednesday 1st June 2016 18:14 GMT wolfetone
Why is anyone surprised? The only time websites are a concern to most companies (excluding e-commerce sites, obviously) is when they go down. And if they get hacked, their PR company has the generic "We were the victims of a sophisticated attack" and "We take customer data security very seriously".
I'm sure now that most companies with websites view the liabilities with them like Ford did with the Pinto.
Wednesday 1st June 2016 18:41 GMT fidodogbreath
Challenge to keep up to date
I have a small personal WordPress site that (like most sites) is constantly under attack. Like many IT types, I had no experience with WP; and since I don't log into the site very often, things kept getting out of date. Here's my trial-and-error-tested recipe for keeping WP up to date and secure:
* Install WordFence. I put this first because it's key to protecting a site that IT doesn't manage. In addition to its many security features, WF (even the free version) scans the site daily for out-of-date plug-ins, and sends an email when something needs an update. Beyond awesome.
* Enable automatic WP updates. Maybe I'm just lucky, but I've never had a problem with them.
* Use a stock WP theme, with a child theme for customizations (404 page, footers, etc.). The stock themes are well-maintained by the WP devs, and using a child theme means that you can install updates without breaking your tweaks.
* Stick with highly popular, well-maintained plugins: WordFence, Updraft Plus (backup), Yoast (SEO), etc. They're always updated as soon as a new WordPress version is released.
* Disable comments and account creation. Unless the core purpose of the site is to converse and interact, comments are way more trouble than they're worth. As are most people, for that matter, but maybe that's just me.
And, of course, the "eat your veggies" stuff:
* Turn off / disable / uninstall every feature or plugin that you don't need for operation.
* Delete the default admin account, and create a new one with a long username -- which does not contain any variant of "admin" or the site name -- and a long, random password.
* Use a good hosting company that keeps their boxen up to date.
Even Marketing can run a secure WordPress site if they follow those tips.
Wednesday 1st June 2016 23:02 GMT Seriouscyrus
Re: Challenge to keep up to date
I've found the wp updates to be pretty reliable too.
I really wanted facilities to comment on mine, but I sure as hell don't want to look after random signups and user accounts, so I plugged in Disqus, which seems to work well and takes away much of the responsibility.
Thursday 2nd June 2016 07:27 GMT Richard Lloyd
Wordfence and readme.html
Wordfence is a useful plugin, though I really don't like the fact that it renames readme.html to readme<long_hex_string>.html at the top level of your WP site by default, in the name of "security through obscurity" (the file has the WP version number in it). The snag is that readme.html is a *core* WP file (involved in the core checksumming routines used by WP-CLI amongst others) and no plugin should ever modify/rename/delete a core file. I've posted up to the Wordfence forums about it, but can't convince the devs to make the default not to "Hide WordPress version"...
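The core checksum routine Richard Lloyd refers to, and the drift fidodogbreath's recipe is meant to catch, can be reproduced in a few lines. This is an added example, not code from WordPress, WP-CLI or Wordfence: it builds a constructed mini-install with made-up file contents and a manifest in the shape of the per-version checksum list WP-CLI consults (relative path to MD5), renames readme.html the way the comment describes, tampers with one file, and shows how the verifier reports each case.

```python
import hashlib
import os
import tempfile


def build_sample_install():
    """Constructed WP-like tree plus its manifest; hashes are of these stand-in files, not a real release."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-blog-header.php": b"<?php // constructed stand-in for a core file\n",
        "readme.html": b"<html>WordPress Version 4.5.2 (constructed)</html>\n",
    }
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in files.items()}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    # What the comment describes: a plugin renaming readme.html to readme<hex>.html
    os.rename(os.path.join(root, "readme.html"),
              os.path.join(root, "readme1234abcd.html"))
    # A core file edited after install (hand edit or unwanted modification)
    with open(os.path.join(root, "index.php"), "ab") as fh:
        fh.write(b"// constructed extra line\n")
    return root, manifest


def verify_checksums(root, manifest):
    """Compare each manifest entry to disk and list top-level files the manifest does not know.

    Returns {"missing": [...], "modified": [...], "unexpected": [...]}.
    wp-content is user data and is deliberately not checked."""
    report = {"missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)        # renamed/deleted core file
            continue
        with open(path, "rb") as fh:
            if hashlib.md5(fh.read()).hexdigest() != expected:
                report["modified"].append(rel)   # content drifted from the release
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if name not in manifest and name != "wp-content" and os.path.isfile(full):
            report["unexpected"].append(name)    # e.g. the renamed readme
    return report


if __name__ == "__main__":
    sample_root, sample_manifest = build_sample_install()
    print(verify_checksums(sample_root, sample_manifest))
```

Against a real install the manifest would come from the release's published checksum list and the rename would show up as both a missing readme.html and an unexpected readme<hex>.html, which is exactly why a plugin touching core files causes noise for anyone relying on that check.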
Wednesday 1st June 2016 19:02 GMT Greg J Preece
It wouldn't surprise me if my Drupal site was vulnerable on any given day. There seems to be a patch every 5 minutes. Every time I log into the control panel it's yelling at me about something. Here, let's try right now....
Yup, new patch version of Drupal core. Admittedly, Drupal updates have gotten way easier over the years. Non-core modules can be updated with a couple of clicks, and core stuff can be done through drush with minimal pain.
Thursday 2nd June 2016 19:53 GMT Anonymous Coward
Sorry, but that is utter, utter tosh
Honestly, if someone has been running a public facing webserver anywhere NEAR the network segment where such critical and sensitive data was being stored they really deserve all the legal trouble they get.
The closest a public facing webserver should ever get to your data is via a pinhole from a DMZ, and even then you have to think twice about what you allow it to see.
Such data is vital enough to require its own controlled subnet. Breaching a public resource should have made no difference whatsoever.