Pundits have made it sound easy to set up and operate WordPress blogs. So much so that law firm technology professionals are now assuming known and unknown risks by running multiple blogs with tens or hundreds of lawyer authors being read by a sophisticated audience.
But operating WordPress sites does have risks. Jeffrey Roman (@gen_sec), writing for Bank Info Security, reports on the latest WordPress security issue which can enable anonymous users to compromise a WordPress site.
We’re not talking a few sites. Nearly 86 percent of all WordPress installations, or about 75 million, are vulnerable to this security flaw.
Nor are security issues effecting only sites dealing with unsophisticated matters. This latest flaw comes just weeks after attackers targeted WordPress sites to install malicious code to intercept up to 800,000 banking credentials.
Jouko Pynnonen of the Finnish IT company Klikki Oy, who discovered this latest flaw, explains how sites are attacked.
Program code injected in comments would be inadvertently executed in the blog administrator’s Web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.
Those operations include creating a new administrator account, changing the current administrator password and executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.
JD Sherry (@jdsherry), vice president of technology and solutions at Trend Micro, told Roman why remote code injection vulnerabilities are “extremely concerning.”
…[T]hey can immediately elevate permissions for the attacker to not only gain control of the WordPress application and content, but possibly the entire server.
Of course WordPress is an excellent content management system. WordPress is powering almost 25% of websites in the world. Law firms running WordPress just assume the risk of addressing security flaws.
For example, the latest flaw does not affect sites running WordPress 4.0. But most firms are not yet running 4.0 and cannot easily upgrade to 4.0 because of the numerous plug-ins the firm has incorporated for lawyers over the years.
Another way to avoid the risk from the current flaw includes deactivating, or never having used, the part of WordPress with the vulnerability. In this case, WordPress comments, and going to a comment such as Disqus. Not a trivial correction in the case of multiple blogs on separate installs.
My point is not to discuss technology, security vulnerabilities, and corrective action. I am not a technologist.
My point is that law firms assume known and unknown risks in developing and running their own WordPress operations. Risks in damage to their own blogs, and possibly worse yet, being a host spreading malware to third party sites.
Unfortunately, risks will only increase with more complex sites and the popularity of WordPress for attackers.