The term "Power bloggers" as used in this article will be defined as blogs earning over 4 figures a month or blogs that represent a well-known organisation.
For some time I have wondered how secure these top blogs really are. They are on the frontline and provide some of these individuals with their income. If I were a bad guy, these blogs would certainly be on my top 10 hit list!
A little while ago, we released the WP Vulnerability Survey. There were some 'doubting Thomas' individuals, so we followed up that article with The 1000 Blog Vulnerability Assessment to further prove the "real" risks that exist out there!
These tests are not as formal as our previous research, but they are interesting nonetheless. We just wanted to see how these big players performed.
Our testing methodology does not include actual security testing, as we don't have the permission of the blogs in question. However, we can still get a good idea of the security level of these blogs via legitimate Google requests and by viewing the source of the pages we visit on their blogs. No network-level testing was done (i.e. FTP, SMTP, etc.).
We found the following:
3 out of 5 had obvious vulnerabilities that could potentially be exploited right now! Two of these blogs are running a WordPress version that would make Matt Mullenweg blush, and one of them was using an older version of the popular AdSense-Deluxe plugin, for which I reported a vulnerability 6 months ago.
Keep in mind, these results were taken from browsing only. As many of you already know, attackers will not think twice about throwing everything and the kitchen sink at your blog.
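The findings above came from nothing more than reading page source, so a blog owner can run the same check on their own site. The following is an added example, not code from the original article: a small Python parser that pulls the WordPress generator tag and plugin asset paths out of a page's HTML. The HTML sample, plugin names, version strings and the minimum-version threshold are all constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample of what a blog page's source may disclose.
# All hosts, plugin names and version numbers here are made up.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.0.4" />
<link rel="stylesheet" href="http://blog.example.invalid/wp-content/plugins/adsense-deluxe/adsense.css?ver=0.7" />
<script src="http://blog.example.invalid/wp-content/plugins/akismet/akismet.js?ver=2.0.2"></script>
<script src="http://blog.example.invalid/wp-includes/js/prototype.js?ver=1.5.0"></script>
</head><body>...</body></html>"""

# Matches /wp-content/plugins/<slug>/<asset>[?ver=<version>] inside an href or src value.
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?#]+)/[^?#]*(?:\?ver=([^&]+))?")


class DisclosureParser(HTMLParser):
    """Collects the WordPress generator version and plugin slugs/versions from page source."""

    def __init__(self):
        super().__init__()
        self.wp_version = None
        self.plugins = {}  # plugin slug -> version string from ?ver=, or None if absent

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            m = re.match(r"WordPress\s+([\d.]+)", a.get("content") or "")
            if m:
                self.wp_version = m.group(1)
        for url in (a.get("href"), a.get("src")):
            m = PLUGIN_RE.search(url) if url else None
            if m:
                slug, ver = m.group(1), m.group(2)
                # Prefer a versioned asset over an unversioned one for the same plugin.
                if self.plugins.get(slug) is None:
                    self.plugins[slug] = ver


def version_tuple(v):
    """'2.0.4' -> (2, 0, 4) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split(".") if x.isdigit())


def assess(html, min_wp_version):
    """Report what the page discloses and whether WordPress is below the version you expect to be running."""
    p = DisclosureParser()
    p.feed(html)
    outdated = p.wp_version is not None and version_tuple(p.wp_version) < version_tuple(min_wp_version)
    return {"wp_version": p.wp_version, "plugins": p.plugins, "wp_outdated": outdated}


if __name__ == "__main__":
    print(assess(SAMPLE_HTML, "2.1"))  # "2.1" is a placeholder for your current release
```

The `?ver=` query string on plugin assets is what exposes plugin versions even when the plugin itself prints nothing to the page, which is why an outdated plugin can be spotted from browsing alone.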
So what can we learn from this little exercise?
I think it's important when blogging to try to consider all angles. You put all that effort into your blog business and actually start making some $$$, only to find that your domain is owned by a shady hosting provider who is making it extremely difficult for you to expand your services; or that your ads keep getting hijacked; or that content keeps going missing from your blog.
We make mistakes, we learn, and we move forward. Being aware of the risks and a little pre-planning can go a long way toward securing our blogs and maximising their long-term potential.
That’s pretty frightening, especially considering that the 3/5 figure came from just BROWSING!
I can't believe bloggers purposely leave themselves exposed. I assume it comes down to either ignorance or fault?
We all know that a dedicated attacker has a strong chance to get in anywhere, but we definitely don’t want to make it easy and blatantly obvious.
It's really interesting to see that these power bloggers don't care about their blog. For sure many of them aren't technical enough to make all the updates themselves. But they earn enough to let someone do the job. So where's the problem in letting it be done? Maybe they're frightened that the person who updates their blog could damage it, and therefore destroy their hard work, and so they don't let it happen.
Phil, yes, I have spoken to people who are afraid to update for fear of breaking something.
As we've mentioned before, it's worth having a test blog for testing these things out.