" wordpress Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘wordpress’

Does WordPress’s Security Patch Make It Suitable for Healthcare?

Thursday, January 24th, 2019

WordPress had a busy December, releasing one of its largest updates in recent times, WordPress 5.0. To everyone’s dismay, the update also included seven vulnerabilities that affected the platform in a range of different ways.

The development team kicked into overdrive and released a patch to address the issues the following week, just ahead of the Christmas period. The known flaws may have been addressed, but one question remains: Is WordPress a suitable content management system when it comes to HIPAA-compliance?

Which Vulnerabilities Were Discovered & Patched?

The new WordPress vulnerabilities were found in a number of different areas. Some of them were pretty serious, with the potential to reveal the login details of certain users. Others were less significant but still needed to be patched. The vulnerabilities fell into the following classes:

Credential Exposure

A vulnerability was found by Yoast which could lead to email addresses and even passwords being exposed. It allowed search engines to index the user activation screen. This could result in email addresses being leaked. In certain cases, the vulnerability could also expose passwords if they had not been changed from the default.

This flaw was addressed by WordPress in the update. Developers took the activation key that was used in the URL and stored it in a cookie to prevent the attack from continuing to work.

Wordpress Security


A security researcher found that specially-tailored inputs could be used to create unauthorized post types. This bug required an attacker to have author-level privileges, so it was unlikely to be abused on a wide scale.

Another researcher discovered a separate flaw that allowed author-level users to change metadata. This could be used to delete files, even if the user wasn’t authorized to. This problem arose from two arbitrary file delete flaws that were first addressed in WordPress 4.9.6.

This initial fix restricted the file paths to the uploads directory, changing how files could be deleted. Despite this, it failed to address the fact that authors could delete the attachments of other users by changing the attachment paths to arbitrary files. Update 5.0.1 has now rectified the issue.


PHP Object Injection

Another vulnerability used carefully-crafted metadata for PHP object injection. It allowed those with author-level privileges to change attachment paths to arbitrary files. Attackers could use PHAR files for object injection into attachments that had already been uploaded.


Several different XSS flaws were discovered by Tim Coen, one of which was detected alongside a security researcher who goes by the name of slavco. Together, they found that those with author-level privileges could upload tailored files to get around MIME verification, but only on Apache-hosted websites.

Another XSS vulnerability discovered by Coen involved crafting URL inputs. It doesn’t affect WordPress core, but can impact certain plugins that use the wpmu_admin_do_redirect function. Coen’s final XSS vulnerability allowed contributors to edit comments from privileged users. All of these flaws were addressed in the latest patch.

WordPress Security & HIPAA Compliance

The security update was a positive step for the safety of WordPress websites, but it’s far from a complete solution to the CMS’s security issues. One of the main problems is that WordPress isn’t really a complete package, especially from a security perspective.

It relies on third-party plugins that come from a wide variety of developers, many of which have very questionable security. There are tens of thousands of different plugins available, with a very limited vetting process in place. Some of these plugins are well-regarded and frequently updated, while others are riddled with flaws.

WordPress-related vulnerabilities were up 300% in 2018, but only 2% were in the platform itself, the rest were found in plugins. This is why it’s critical to only use plugins that come from well-regarded developers that are committed to providing patches whenever security issues are discovered.

WordPress websites generally use a variety of plugins for custom features, but plugins should also be used to complement WordPress’s security. Monitoring and auditing plugins are some of the most important ones for keeping websites safe. They are useful for malware scanning, tracking failed-login attempts, taking logs and much more.

Plugins are an almost essential part of using WordPress to manage your website. Since you don’t sign a business associate agreement with the vendors of any plugins you may use, this exposes your organization to greater HIPAA-compliance risks. If a vulnerability in one your plugins results in your business’s ePHI being compromised, your company could be liable for the consequences.

Most plugins aren’t designed with the stringency of HIPAA in mind, so you may find that using them substantially increases your risks. WordPress and its varying plugins may still be the best option for your site’s needs, but you need to at least be aware of the risks that come with their use.

To find out more about WordPress and plugin security, download LuxSci’s free ebook. It has everything you need to know about keeping your WordPress website secure.


WordPress & HIPAA – can these coexist?

Monday, October 23rd, 2017
For a deep dive, see our white paper: Securing WordPress

As we discussed in an earlier post, WordPress, despite its vulnerabilities, is the world’s most popular content management system for both blogging and creating web sites.  It is popular because it is quick to set up, easy to administer, with a very large choice of plugins for add-on functionality, and themes for making the sites look good.  As a result, many LuxSci customers use WordPress in one fashion or another for their web sites hosted at LuxSci.

As LuxSci caters to a large segment of customers who have specific compliance needs, specifically HIPAA compliance, we are frequently asked about using WordPress in a medical provider setting. Given the information about WordPress vulnerabilities, the question usually asked is whether a site created using WordPress can secure access to electronic protected health information (ePHI) in a way that meets the requirements of the HIPAA-HITECH regulations.

WordPress for HIPAA-compliant sites?

Such questions are reasonable because although WordPress has many great features that make it quick and easy to get a web site running, it is still a third-party tool which is not specifically designed to conform to HIPAA standards. When using any third-party software, you should be aware of the associated risks that are out of your control. Vulnerabilities in WordPress can disrupt your site’s availability, perhaps even lead to a breach of protected and private information. Even if it is the WordPress software that’s at fault, the responsibility for any security lapses still falls on the site owner.

However, it is not all doom and gloom. The short answer to the question posed in the title of this post is “yes”. It is possible with care to build a site with WordPress (including plugins and themes) that is secured in a way that meets the requirements of the HIPAA security rules. The remainder of this post will discuss how this might be achieved.

Read the rest of this post »

Securing WordPress sites

Tuesday, October 17th, 2017
For a deep dive, see our white paper: Securing WordPress

We have written posts describing WordPress vulnerabilities and the methods hackers use to exploit these. In this post, we describe steps by which a web site owner can mitigate the risks of using WordPress as a content management system. After all, it cannot be denied that WordPress remains the most user-friendly tool for creating and managing both large and small websites, as shown by its enormous adoption rate.

Making WordPress Secure

There is a very rich literature describing WordPress vulnerabilities and ways to harden a system against exploits. Here we distill some of these learnings into a practical guide for WordPress-based web site owners. We specifically have in mind small to medium-sized medical practices that wish to use WordPress to create (or maintain) their online portal for patients. In a future post, we’ll describe how such steps can meet HIPAA-HITECH guidelines for safeguarding electronic protected health information (ePHI).

We describe these steps in a layered way – starting at the bottom with the hosting server infrastructure, before moving to the WordPress platform itself and other applications.

Read the rest of this post »

WordPress as a launching pad for malicious attacks

Wednesday, October 4th, 2017
For a deep dive, see our white paper: Securing WordPress

In our previous post, we described various techniques used to attack WordPress-based sites. In this post, we’ll give some examples of what happens after the vulnerabilities have been exploited to hack into a website. The purpose is to continue to reiterate the lessons that blogs such as ours (see here, here and here) provide to alert the medical industry, specifically, and business, in general, to security issues that can lead to breaches and loss of business, reputation, and income.

It is worth recalling that WordPress is the world’s most popular content management system (CMS) powering ~60% of websites worldwide (that are known to use a CMS), and ~29% of all web sites. While it is hard to find the statistics on how many websites related to the medical industry use WordPress, it is likely that these could well be a substantial percentage of the total given the ease of setup and use associated with WordPress. The fact that many of these are smaller sites, often without much IT support (much less security support) makes them all the more vulnerable. This makes education about the security aspects of WordPress all the more necessary.

WordPress is a launching page for malicious attacks

Despite the valiant efforts of the WordPress organization, vulnerabilities continue to exist and most exploits take advantage of the simplest techniques – infrequent updates of critical software, poor web site hygiene (easily broken passwords, retaining default options, turning off auto updates, etc.) and the use of vulnerable WordPress plugins and themes. (Hereafter, we also include plugins and themes when we talk of WordPress vulnerabilities, unless we need to specifically distinguish between these.) Sucuri.net, a website security company, noted that of the 11,485 infected websites that they analyzed in 1Q2016, 78% of these were built on WordPress of which ~56% were out-of-date (i.e., not running the latest version). The vulnerabilities were primarily in the plugins and themes.

Read the rest of this post »

WordPress: Massively Popular and a Big Target for Attackers

Wednesday, September 27th, 2017
For a deep dive, see our white paper: Securing WordPress

WordPress is the world’s most popular publishing platform, with a strong emphasis on usability and support of open web standards. It powers most of the largest content providers as well as millions of personal blogs. Its open source software, available at WordPress.org, can be downloaded to a suitable server and run as a standalone publishing platform, while ordinary users can quickly create personal sites as sub-domains of WordPress.com.

There’s no doubt that the statistics about WordPress are impressive: ~30% of the million most visited sites on the Internet run WordPress; at 52%, it far surpasses its nearest competitor (at a measly 6.3%) for the largest market share of content management systems; it powers 96% of blogging websites worldwide – we could go on and on, but we refer the reader to other sources for more numbers.

Wordpress is a massive target for hackers

But with such numbers come vulnerabilities. Its popularity makes it a conspicuous target for hackers. Not all hacking is in search of personal data or immediate financial gain. WordPress attacks serve as a fertile finishing school for hackers-to-be as well as provide access to resources that can be used for launching other types of attacks, such as search engine optimizations, ad injections, affiliate links, botnet attacks, etc. Consider some examples:

Read the rest of this post »