The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
The OWASP Top 10 Web Application Security Risks
1. Injection
An Injection flaw could allow an attacker to inject malicious code into your WordPress database. The attacker’s code can trick WordPress or your server into running commands without proper authorization. The malicious code could do anything from exporting a list of the website’s users to deleting tables in your database.
Keeping data separate from commands and queries can help to prevent injection vulnerabilities.
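The difference between mixing input into a query and keeping it separate, shown as an added example (not code from the original article or from WordPress). It assumes PHP with the PDO SQLite driver; the in-memory database, the `users` table, its rows and both function names are constructed for illustration.

```php
<?php
// Constructed sample data: an in-memory SQLite database stands in for the
// WordPress MySQL database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)");
$pdo->exec("INSERT INTO users (user_login, user_email) VALUES
    ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Vulnerable pattern: input is pasted into the query text, so the database
// parses whatever the visitor typed as part of the SQL command.
function find_user_concatenated(PDO $pdo, string $login): array {
    $sql = "SELECT user_login, user_email FROM users WHERE user_login = '" . $login . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the query text is fixed and the input is sent separately
// as a bound parameter, so it can only ever be compared as a value.
// Inside WordPress, $wpdb->prepare() with a %s placeholder plays the same role.
function find_user_prepared(PDO $pdo, string $login): array {
    $stmt = $pdo->prepare("SELECT user_login, user_email FROM users WHERE user_login = ?");
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// One ordinary lookup and one input containing a quote character.
$inputs = ["alice", "nobody' OR '1'='1"];
foreach ($inputs as $input) {
    printf("input: %s\n", $input);
    printf("  concatenated query returned %d row(s)\n",
        count(find_user_concatenated($pdo, $input)));
    printf("  prepared query returned %d row(s)\n",
        count(find_user_prepared($pdo, $input)));
}
```

With the second input, the concatenated query's WHERE clause becomes always true and every user row comes back, while the prepared statement treats the same text as a login name that matches nobody.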
2. Broken Authentication
A Broken Authentication vulnerability can allow an attacker to compromise a user’s passwords, keys, or session tokens and take over the user’s accounts.
You can help protect your website from Broken Authentication vulnerabilities by using two-factor authentication.
3. Sensitive Data Exposure
Applications and APIs that don’t correctly protect against Sensitive Data Exposure could allow an attacker to gain access to credit card numbers, health records, or other private personal information.
Data can be exposed either when it is in transit or when it is at rest.
- An example of data in transit is when a credit card number gets sent from your customer’s browser to your website’s payment gateway.
- Data at rest is data that is stored and is not being used. An example of data at rest is your BackupBuddy backup stored in an offsite location. The backup will remain at rest until it is needed.
You can install an SSL certificate to help secure and encrypt data that is in transit and add encryption to data at rest to help prevent exposure.
4. XML External Entities (XXE)
Many older or poorly configured XML processors evaluate references to external entities (such as a hard drive) within XML documents. An attacker can trick an XML parser into passing sensitive information to an external entity under their control.
The best way to prevent XXE is to use less complex data formats such as JSON and to avoid serialization of sensitive data.
5. Broken Access Control
A Broken Access Control vulnerability would allow an attacker to bypass authorization and perform tasks that would typically be restricted to users with higher privileges, such as an administrator.
In the context of WordPress, a Broken
This article was written by Michael Moore and originally published on WordPress News and Updates from iThemes – iThemes.