WordPress and vBulletin Security Threats As Researched By Sucuri

Potential Stolen Credit Card Risk: WordPress, vBulletin and Shopping Cart Plugins Cause Trouble

Tony Perez, over at Sucuri.com, posted a must-read for anyone using WordPress with vBulletin and any type of shopping cart plugin, such as WooCommerce.

http://blog.sucuri.net/2013/11/stealing-credit-cards-a-wordpress-and-vbulletin-hack.html

This article covers an actual recent hacking event that they had to troubleshoot for a client. The potential for loss was considerable and could have been considerably greater than it was.

Below is an excerpt of this article:

By  on November 28, 2013

What better way to celebrate Thanksgiving than to share an interesting case that involves two of the most popular CMS applications out there – vBulletin and WordPress.

Here is a real case that we just worked on this week, involving an attacker dead set on stealing credit card information. Enjoy!

The Environment

The client runs a fairly successful e-commerce website. They run two main applications within their architecture – vBulletin and WordPress.

vBulletin is used for their support and collaboration forums, while WordPress for their main website and e-commerce. This appears to be a pretty standard configuration across most larger web application environments these days.

Everything is sitting on a LAMP (Linux / Apache / MySQL / PHP) stack, so nothing too special there. For the most part, things are up to date, they might be a version or two behind, but none of it earth shattering or something worth writing home about.

In regards to security, they are running CloudFlare.

All in all, it probably sounds a lot like your environment[s].

Synopsis – Stealing Credit Cards

Anyone not using these plugins should still take note of the files being attacked, such as the WordPress core admin files. You should always take measures to protect these files and your access points to them.

Please note this key point within Tony’s post:

It appears that the attacker did not need to get fancy with their attack.

There was no secret zero-day vulnerability exploited or server-level weakness that granted the attacker access to the site.

Instead, the attacker was able to leverage existing credentials for a power user that allowed them to log into their forums as a privileged user.

Nothing hurts worse than having a site “hacked” simply because someone you allowed access to does not follow the same set of security measures that you yourself might. If you have users who are allowed to access higher levels of function, such as admins and editors, then make sure they know how security-conscious you are and what measures they must follow to keep your blog secure.

DO NOT ASSUME YOUR USERS HAVE YOUR SECURITY IN MIND.

Tony goes on to suggest several key factors for WordPress site security that anyone can implement.

Great job Tony and thanks for such a well done post.