Security warning from eUKHost
Just received this security bulletin email from eUKHost (provider of my various sites’ storage). Is WordPress really this dangerous in 3.0.4?
~Andrew~
From: eUKhost LTD [mailto:support@eukhost.com]
Sent: 04 January 2011 22:22
To: Andrew Reeves-Hall
Subject: Security update : WordPress, PHP vulnerabilities.

Dear Andrew Reeves-Hall (Whitchurch Association),
While monitoring and auditing the shared server security, our system has detected that WordPress sites are getting compromised due to the vulnerabilities in the themes, plugins and old version applications which are also known for security holes. Most of the attacks are performed using Cross-Site Scripting, malicious files upload and remote code execution techniques.
We are trying our best to protect all the servers and concerned web sites, and are taking prompt action against those attacker hosts/IPs to disinfect other servers. We recommend that you review your WordPress applications, upgrade to the latest stable release and avoid installing vulnerable plugins/modules like:
* WordPress Automatic Upgrade: allows any non-authenticated user to generate and to unload the archives of WordPress (including wp-config.php with your database data), to activate and to deactivate all plugins, and to update the version of WordPress without your authorization.
* OneClick: It is vulnerable to CSRF (Cross-site request forgery); it allows you to unload plugins – or malicious code – from any URL.
* Who Sees Ads: It is vulnerable to CSRF and XSS (Cross-site scripting).
* MyDashboard: It is vulnerable to CSRF and XSS.

Also do not enable vulnerable PHP functions [i.e. disabled_functions] using custom php.ini files, do not disable mod_security protection in the .htaccess files and make sure that there is no file/folder which has maximum permissions set. You should choose strong passwords for your cPanel and FTP accounts, which contain a combination of upper and lower case letters, numbers and special characters such as $?£.#$&@()_+.

Please refer to the following URL links to know more about WordPress, PHP vulnerabilities and precaution measures:
http://www.eukhost.com/forums/f15/how-secure-wordpress-11164/
http://www.eukhost.com/forums/f42/how-secure-optimize-websites-linux-host-12020/
http://www.securiteam.com/products/W/Wordpress.html
http://wordpress.org/tags/vulnerability
http://www.seoegghead.com/software/wordpress-firewall.seo
http://blogsecurity.net/

If you have any doubt or query regarding this, then please contact the technical support department right away. The contact details are as below:
Helpdesk : Please raise a helpdesk ticket from http://support.eukhost.com/index.php?x=&mod_id=4&t=4
Live-Chat: Please initiate a live-chat request from http://www.eukhost.com/ (Extreme Right Of The Page)
Email: Please email support@eukhost.com
Phone : Please call our toll-free number 0808 262 0455
International : +44 191 303 8191

We thank you for your patience and co-operation. It is immensely appreciated.
Regards,
The Support Team.
http://eukhost.com
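The bulletin's checklist (current WordPress version, no world-writable files or folders, mod_security not switched off in .htaccess) can be spot-checked from a shell. The script below is an added example, not from eUKHost or the original post; it assumes a standard WordPress layout (wp-includes/version.php) and builds its own throwaway sample site so it runs anywhere.

```shell
#!/bin/sh
# Added audit helper (not from eUKHost or the original post). It checks a
# WordPress document root for the conditions the bulletin names: installed
# version, world-writable files/folders (chmod 777) and .htaccess files
# that turn mod_security off. The sample site is constructed for the demo.

# Installed version, read from wp-includes/version.php.
wp_version() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Number of files or directories that any user on the server can write to.
count_world_writable() {
    find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# Number of .htaccess files that contain SecFilterEngine/SecRuleEngine Off.
count_modsec_disabled() {
    find "$1" -name .htaccess -exec grep -liE \
        '^[[:space:]]*Sec(Filter|Rule)Engine[[:space:]]+Off' {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# Build a WordPress-like tree with one weak permission and one .htaccess
# that disables mod_security (constructed sample); prints its path.
make_demo_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-includes" "$site/wp-content/uploads"
    printf "<?php\n\$wp_version = '3.0.4';\n" > "$site/wp-includes/version.php"
    printf 'SecFilterEngine Off\n' > "$site/wp-content/.htaccess"
    : > "$site/wp-content/uploads/photo.jpg"
    chmod -R go-w "$site"                  # sane baseline for everything
    chmod 777 "$site/wp-content/uploads"   # the "maximum permissions" case
    echo "$site"
}

# Print the three findings for a document root.
audit_site() {
    printf 'WordPress version    : %s\n' "$(wp_version "$1")"
    printf 'world-writable paths : %s\n' "$(count_world_writable "$1")"
    printf 'mod_security off in  : %s .htaccess file(s)\n' "$(count_modsec_disabled "$1")"
}

demo=$(make_demo_site)
audit_site "$demo"
rm -rf "$demo"
```

Point `audit_site` at a real document root instead of the demo tree to review a live install; any non-zero count in the last two lines is something the bulletin asks you to fix.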