WordPress security can be intimating, especially if it is not your cup of tea. There are quite a few plugins to choose from and when you read a security article you cannot understand half of the terms used. If this sounds familiar this glossary is for you. It is a collection of WordPress security terminology and words, that explains what they are in very simple words.
Table of Contents
Activity Log / Audit Trail
Brute Force Attack
Denial of Service
Fuzzer / Fuzzing
Principle of Least Privilege
Proof of Concept
Spam (email spam)
Source Code Audit
WordPress Firewall / Web Application Firewall (WAF)
Audit Trail / Activity Log
Also commonly known as audit log or WordPress activity log, an audit trail is a security record that is used to keep evidence of a sequence of events. Therefore a WordPress audit trial is a log that can contain information on what the WordPress users did, such as when they logged in and from where, what content they changed, which plugins they installed, activated or upgraded etc. By default WordPress does not keep an audit trail though you can easily start keeping a record of all WordPress changes in an audit trail with a plugin. There are several benefits to keeping a WordPress audit trial and several regulatory compliance requirements such as PCI DSS, which business WordPress websites have to adhere to, require administrators to keep an audit log of all the changes.
The process of confirming that something is true. In WordPress authentication is used to authenticate users when trying to access the admin pages. The process involves requesting the user a username and password. If the combination of both does not match, the user is not authenticated, thus cannot access the admin pages.
The function of giving someone the permission to something or do something. For example in WordPress you authorize a user with the role of author to view the WordPress audit trail, which by default is restricted to users with the administrator role only.
In both web and WordPress security, a backdoor is a type of software (malware) that is used by attackers to retain unauthorized access to hacked computers and servers. Typically opened secretly by Trojan or Virus software, a backdoor allows attackers to bypass all form of authentication and control mechanisms. Users are typically tricked into downloading malware when accessing a malware infected website, hence why they end up with backdoors and other type of malware on their computers and servers.
In IT and WordPress security a blacklist refers to a list of non trusted sources or objects. For example if you would like to block a number of IP address from accessing your website you can use the blacklist approach; allow everybody to access your website and only block the offending IP addresses. While in some cases you have no other option but to use the blacklist approach, where possible (especially when configuring a server or software) use the whitelist approach instead. Whitelisting is typically much easier to manage and keep up to date.
Refer to HTTP Cookie.
Brute Force Attack
Brute force attacks are very invasive and employ a trial and error approach. WordPress websites are typically victims of login brute force attacks. In fact you can find many guides on how to protect your WordPress from brute force attacks. During a WordPress brute force attack, attackers use automated tools to send 100s and 1000s of login requests using a list of random usernames and passwords. The aim is to guess a username and password combination and gain access to the admin pages of the target WordPress website. Brute force attacks against a login page are also commonly known as dictionary attacks.
Refer to Permissions.
Cross-site scripting, also known as XSS is a web application vulnerability that allows attackers to inject malicious client-side script into web pages that are executed by the victims when they visit the vulnerable website. Attackers can use a cross-site scripting vulnerability to target logged in WordPress users and steal their browser or HTTP cookie. Once they steal the victim’s HTTP cookie and import it in their browser, the attackers can hijack the victim’s session.
Once the user session is hijacked the attackers can reset the victim’s password, allowing them to terminate the victim’s session and take control of the vulnerable WordPress blog or website. For more information on XSS read What is the Cross-site Scripting vulnerability?
Denial of Service
A Denial of Service, also known as DoS attack is a type of attack during which the attacker floods the target server or website with superflous requests in an attempt to overload it and making it unavailable, therefore legitimate requests cannot be fulfilled. A popular variant of this attack is also DDoS, a Distributed Denial of Service during which multiple hosts are used to attack the target instead of one.
An exploit is when the attacker takes advantage of a security vulnerability in order to cause unintended behaviour of the software. Therefore as an example, in case of WordPress, when an attacker takes advantage of an SQL Injection vulnerability to read or modify data in the WordPress database, such as changing the users’ passwords, the attacker is exploiting the SQL injection vulnerability.
A firewall is a type of software that is installed between two points, typically the internet and either a network service or a whole network, to protect it from attacks. A firewall is typically associated with protecting networks. In case of websites such as WordPress, a web application firewall is used. Refer to the web application firewall term for more details on WAFs.
Fuzzer / Fuzzing
fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash.
A fuzzer is a software that can be programmed to send large number of requests. In terms of web application security, a fuzzer can be used to send large numbers of HTTP requests to a target website with the aim of identifying backup files etc. For example once configured it will start sending such requests to the target website;
Typically used for WordPress users. When a WordPress user is hijacked it means that the attacker was able to gain access (via guessing the password or stealing the HTTP cookie) and take over the session of a WordPress user, thus having full control of the user and can do anything that the user has permissions to do. In most cases the victim is not affected directly hence he or she won’t noticed that the account was hijacked.
An htaccess file (.htaccess) is an Apache web server directory level configuration file. htaccess files are used to override the general configuration of the web server for a specific directory. htaccess files are commonly used in WordPress for the permalinks configuration and also for several other security and non-security related tasks. Read the definitive guide to htaccess files in WordPress for more information on how you can use htaccess files to improve both the security and functionality of your WordPress blogs and websites.
Also known as HTTP cookie, internet cookie, web cookie, or browser cookie, the HTTP cookie is a small amount of data that is sent from the website to your web browser (such as Chrome, Firefox and Internet Explorer) when browsing a website. In WordPress, cookies are used to store user session related data, such as the state of the session (logged in or out) and also other personalized information. You can read and learn more about HTTP cookies on Wikipedia.
Malware is an umbrella term used in IT security to refer to all forms of malicious and intrusive software such as Trojans, viruses, backdoors, worms, adware etc. Hence “a malware infected WordPress website” means that the WordPress website in question has been hacked and was injected with some sort of malicious software. Typically a malicious website can be used to infect the computers of its visitors and users, allowing the spreading of the infection, hence why it is blocked by Google. You can learn more about Malware from this Wikipedia article and you can also read the article how to clean a malware infected WordPress website which allows you to get a better insight of what goes on in an infected website.
In IT security, permissions are the consent a user or group of users are given to perform a specific action. In WordPress and user roles, the word Capabilities is used instead of permissions, though they have the same meaning. For example a user with an Author role has the capabilities (or permissions) to create and publish own content. Read the article Use user roles to improve the security of your WordPress.
Permissions are also used in other areas related to WordPress and in IT in general. For example file and directory permissions are used in an operating system to specify what type of access users have on a particular file or directory on the web server or any other type of computer. For more information on file system permissions refer to this Wikipedia article.
In a phishing attack malicious hackers try to obtain the victim’s sensitive information (such as website credentials, online banking login details and credit card numbers) by masquerading a trusted entity such as a bank. A practical example of this is when an attacker sends a spam email that impersonates a bank to the victim with links to a website similar to that of the bank, asking for the login details. If the victim false for the phishing attack he will submit the login details which the attacker records and uses at a later stage.
Principle of Least Privilege
The principle of least privilege means the process of assigning the least possible privileges to a user or component to complete a particular task. For example if you have a number of guest authors who write and publish articles on your WordPress website, only assign them the Author role. If you assign their users with Editor or Administrator role, they would have more permissions than they need and as such can result in a security issue. You can read more about the different user roles and capabilities in All about WordPress user roles and capabilities.
In the WordPress world, privileges are mostly used in relation to the database where data such as posts and user information is stored. Privileges dictate the type of access a database server user has on the WordPress database. For example the user WordPress uses to connect to the database can have access to read and write data only, or can also have access to change the structure of the database, such as creating new tables. You can read more about database privileges in How to configure secure WordPress MySQL database privileges.
Privilege escalation is a type of vulnerability that when exploited the attacker manages to gain access to resources that are typically restricted to his user or role. For example if a WordPress user with Subscriber role manages to exploit a privilege escalation vulnerability in WordPress, he might be able to do tasks that are typically not possible when a user has a Subscriber role. In WordPress 4.2.3, the WordPress core development team addressed a privilege escalation vulnerability that when exploited allowed a user with Subscriber role to create and edit draft posts, pages and custom post types.
Proof of Concept
In computer security, a Proof of Concept (PoC) is the demonstration of the exploitation of a vulnerability and its impact. PoCs are typically created by security professionals and included in Security Advisories when they identify a zero-day vulnerability in either WordPress, a plugin or a theme. Proof of concepts are used to demonstrate where the security problem is and also highlight the impact such flaw can have.
A scam is a dishonest scheme or a fraud. Many think that in a scam people are asked to pay money and never get anything back in return, like the popular advance-fee scams from Nigeria. Though in some cases people pay and get something of much lower value in return, or pay someone portraying to be a professional but is not, as seen in this website SEO scam.
A document that is published to disclose all the technical details of a zero-day vulnerability. Typically an advisory is published straight after the software vendor releases a security update for the affected software and sometimes it can also include a Proof of Concept. Considering the details available in advisories, which would allow malicious hackers to easily learn about the vulnerability, ideally the advisory should be published at a later date, giving the users enough time to update their software. In fact many security professionals have been quite vocal about the subject of responsible disclosure of vulnerability details and how it can be improved.
Scan (Security Scan)
A security scan is the process of using automated tools to identify security flaws and possible exploitable vulnerabilities on a target. For example you can use the automated WordPress scanner WPScan to scan your WordPress to find security weaknesses on your WordPress. There are several different types of scanning technologies, and the most popular ones are black box and white box scanning. The difference between the two is the approach. In black box scanning the scanner is used to attack the target WordPress from the outside, while in white box scanning the scanner would have access to the code and the internal components of the target, such as a source code analyzer.
In WordPress, security hardening is the process of implementing security tweaks in order to make WordPress more secure. For example the processes of renaming the default WordPress admin user, implementing two-factor authentication and applying secure WordPress database privileges are just a few simple, yet effective WordPress hardening changes you can do to improve the security of your WordPress blogs and websites.
A malicious software scanning technique, typically used in anti virus and malware scanning software to identify infections. The way this detection works is it scans the code of the target site for signatures of known malware and infections. Since it uses signatures the engine cannot find malware that it does not know about, therefore is not the most reliable type of malware detection and is very high maintenance.
Spam (Email Spam)
A spam email is an unsolicited email message which is typically commercial in nature and contains disguised links that try to lure the victim into a phishing attack or into paying for something. Some of them also can redirect you to infected websites or contain malicious attachments that when opened can install a trojan and other type of malicious software.
Source Code Audit
A source code audit is the process of analyzing the source code of a particular software or web application with the intent of finding functionality bugs, vulnerabilities and other mistakes in the code. A source code audit can be done manually by an experienced developer and can also be done automatically with a source code analyzer. For more information on code audits refer to the Code Audit article on Wikipedia.
This type of vulnerability allows the attacker to inject malicious SQL statements through the vulnerable website. It is typically used to attack database driven web applications such as WordPress to gain unauthorized access to the database and its data.
To exploit an SQL Injection vulnerability the attacker injects malicious SQL statements for the database server to execute through an input field on the website. Such input fields could be the username or password input fields (such as those in the in WordPress login page), all the comments related input fields, search boxes etc. A web application such as WordPress, a WordPress plugin or a theme could be vulnerable to SQL Injection if there is no proper sanitization of the user input.
By exploiting an SQL Injection vulnerability, the attacker can read and possibly write data to the database. Therefore in case of WordPress, by exploiting an SQL Injection the attacker can retrieve the list of WordPress usernames and change their passwords. For a more detailed explanation of the SQL Injection vulnerability read 14 Years of SQL Injection and still the most dangerous vulnerability.
A Trojan is a type of malware that is disguised as legitimate software, and when installed it acts maliciously. For example Trojans are typically used to open a backdoor on the infected computer or server, which allows the attacker to gain unauthorized access to it. Trojans can be distributed from malware infected websites. A common trick that is used to trick victims into installing a Trojan is an antivirus alert when browsing a website, such as the one in the below screenshot.
In both computing and WordPress, a vulnerability is a bug in the system’s security that when exploited allows the attackers to either gain unauthorized access to a system and its data, or hijack a user session. There are two types of vulnerabilities; technical and logical ones. Typically, technical vulnerabilities can be found automatically and are easy to exploit while logical vulnerabilities are difficult to find and exploit. It is important to note that a vulnerability in a WordPress plugin or theme can lead to a full compromise of WordPress or the web server itself, hence why it is important to keep all the components that make up your web server up to date.
Every user on your WordPress website or blog has a role. WordPress has the following built-in roles: Super Admin (used only in a multisite installation), Administrator, Editor, Author, Contributor and Subscriber. A WordPress user with an administrator role can do anything possible on WordPress, such as creating new articles or pages, installing and configuring plugins to add new functionality to the WordPress website, installing or changing a WordPress theme etc. A user with subscriber role can only manage his or her profile.
Some plugins and themes create additional custom WordPress user roles that are used to give permissions to users to complete specific tasks related to the plugin itself. For example if you install a shopping cart plugin, new roles such as Shop Keeper and Data Entry are typically created. Read the article Use WordPress User Roles for Improved Security for more detailed information on the security best practises of using WordPress users roles.
A virus is a type of malware software that is able to replicate itself when executed to infect other hosts. Typically viruses are used to distribute and install Trojans and backdoors which later are used by the attackers to gain access to the infected computer or server.
VPN stands for Virtual Private Network. It uses tunneling protocols and encryption to extend a private network across a public network, typically the internet. When computers are connected via VPN they are virtually directly connected to the private network. Read VPN – A WordPress Digital Nomad’s Must Have for more detailed information on VPN and why it should be used.
In WordPress and IT security, a whitelist is a list of trusted objects or sources. Therefore if you want to allow only fours IP addresses to access your WordPress dashboard you should use the Whitelist Approach; block everyone and only allow in the four IP addresses that you trust. Whitelisting is also used when configuring for example a server or a software. For example when configuring a web server ideally you should disable all the modules and only enable those that you need. The opposite of a whitelist is a blacklist. Whitelisting is typically preferred in the security field because it is easier to manage and presents less risks.
WordPress Firewall / Web Application Firewall (WAF)
Also known as a web application firewall, a WordPress firewall is a software that analyses all your WordPress incoming traffic. Its role is to identify malicious requests being sent to your WordPress and block them. A WordPress firewall can either be a plugin or an online service. For more details on WordPress and web application firewalls read All you need to know about WordPress firewalls and web application firewalls.
Zero-Day Vulnerability (0-day)
A zero-day vulnerability is a previously undisclosed vulnerability, of which details are not known by the public. It is called 0-day because once someone knows about the security flaw, the software vendor has zero days available to advise countermeasure procedures, including releasing a security patch. When the details of a zero-day vulnerability are published before the vendor is advised about the security issue, the chances of malicious hackers mass exploiting such vulnerability are very high because owners of the vulnerable software have no way to protect their setup from such attacks.