Yikes:
Nearly 1% of websites built with a content management system (like WordPress or Joomla) are unknowingly exposing their database password to anyone who knows where to look.
Feross Aboukhadijeh reports that he built a quick application, affectionately called “CMSploit”, that scanned the top 200,000 websites as ranked by Quantcast and found that .011% are completely vulnerable.
Going one step further, when he excluded non-CMS sites he discovered that .77% exposed publicly visible config files for the website's database.
Remember, this is just the top 100k sites, which means that not only are you possibly susceptible to this vulnerability, but hundreds if not hundreds of thousands of WordPress sites might be leaving their clean (and dirty) laundry out to dry for hackers.
Stop the WordPressin’ right now and make sure you’re not vulnerable. Here is how to tell whether you are:
Using a text editor to modify content management system (CMS) configuration files (like wp-config.php) could expose your database password to the world.
Did you use a text editor the last time you updated your CMS wp-config file? Then double-check for the backup copy of the file that the editor may have generated!
Learn more here, and thank you kindly, Feross, for identifying the issue!
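The check the post is asking for, as an added example that is not part of the original post or of CMSploit: a small Python audit you run on your own web root to find leftover editor backups of config files. It assumes the common editor conventions (Emacs writes name~ and name.~N~, Vim writes .name.swp, many editors write .bak/.orig/.old), and the list of config file names other than wp-config.php is an assumption for other CMSes. The sample web root it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Editor backup/swap suffixes (general editor behaviour, not from the post):
# Emacs writes "name~", Vim writes ".name.swp", many editors write .bak/.orig/.old.
BACKUP_SUFFIXES = ("~", ".bak", ".orig", ".save", ".old", ".swp", ".swo", ".tmp")
# Config files whose backup copies would expose database credentials.
# wp-config.php is named in the post; the others are assumed for other CMSes.
SENSITIVE_BASENAMES = ("wp-config.php", "configuration.php", "settings.php", "config.php")
# Rough signal that a file actually carries a database credential.
CRED_PATTERN = re.compile(r"DB_PASSWORD|\$password\s*=", re.IGNORECASE)


def is_backup_of_sensitive(filename):
    """True when filename looks like an editor backup of a sensitive config file."""
    name = filename
    # Vim swap files are dot-prefixed: .wp-config.php.swp
    if name.startswith(".") and name.endswith((".swp", ".swo")):
        name = name[1:]
    for suffix in BACKUP_SUFFIXES:
        if name.endswith(suffix) and name[: -len(suffix)] in SENSITIVE_BASENAMES:
            return True
    # Numbered Emacs backups: wp-config.php.~1~
    m = re.match(r"^(.*)\.~\d+~$", name)
    return bool(m and m.group(1) in SENSITIVE_BASENAMES)


def audit_webroot(root):
    """Walk a web root and return sorted [(relative_path, contains_credentials)]
    for every file that looks like a leftover backup of a sensitive config file.
    A PHP backup with a non-.php suffix is served by the web server as plain text,
    which is exactly the exposure the post describes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not is_backup_of_sensitive(fn):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    has_creds = bool(CRED_PATTERN.search(fh.read()))
            except OSError:
                has_creds = False
            findings.append((os.path.relpath(full, root), has_creds))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample: a tiny WordPress-like tree with one leftover Emacs-style
    backup of wp-config.php and one harmless backup of a non-sensitive file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    config = "<?php\ndefine('DB_PASSWORD', 'placeholder-not-a-real-secret');\n"
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write(config)
    with open(os.path.join(root, "wp-config.php~"), "w") as fh:  # the leak
        fh.write(config)
    os.makedirs(os.path.join(root, "wp-content"))
    with open(os.path.join(root, "wp-content", "index.php~"), "w") as fh:
        fh.write("<?php // nothing sensitive here\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel_path, has_creds in audit_webroot(sample):
        print(f"{rel_path}: {'CONTAINS CREDENTIALS' if has_creds else 'backup file'}")
```

Point audit_webroot at the real document root instead of the constructed sample to check a live install. Any hit with credentials in it should be deleted from the web root (and the exposed password treated as compromised); as a belt-and-braces measure the web server can be configured to refuse requests for files ending in ~, .bak, .orig or .swp so a future editor backup is never served.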