Security in the Core CMS
In addition to third-party plugins and modules, another entry point for hackers is the core CMS itself. Security vulnerabilities have been discovered in the core platforms for both DNN and WordPress.
David Poindexter is CEO of nvisionative. David and team build sites primarily on DNN, but have executed many client projects using WordPress as well. Recently, David wrote about a security issue in the WordPress core.
David notes that via the REST API, “an out-of-box implementation of WordPress 4.7 will expose a list of all USERS via anonymous access, including each user’s name, username, Gravatar link and other associated metadata.”
David continues, “This information can be exposed to and enumerated by both humans and BOTs to harvest sensitive information. With this information in hand, brute-force attacks can be made against the website to gain unauthorized access.”
While some may call this issue a security vulnerability, the official response from the WordPress team is that it’s the expected behavior. In a thread on the WP-API GitHub page, a member of the WordPress API team writes:
"Usernames are already exposed through themes, RSS feeds, etc, and we do not consider them a security issue. You can install a third-party plugin if you would like to limit access to this data."
We don’t agree with this approach to web security; while we wouldn’t block a client’s choice to use WordPress on the basis of this API “opening,” we would advise clients to use whatever means necessary to limit access to their sites’ user data.
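One way to limit anonymous access to the user list described above is a small must-use plugin. This is an added example, not code from David's post or from the WordPress project; the plugin name, function name and constant are hypothetical, and it assumes the core user routes are served under `/wp/v2/users`.

```php
<?php
/**
 * Plugin Name: Restrict REST Users Endpoint (hypothetical name, added example)
 * Description: Denies anonymous requests to the core users routes of the REST API.
 */

defined( 'ABSPATH' ) || exit; // Refuse to run outside WordPress.

// Assumption: the core users collection and item routes live under /wp/v2/users.
const EXAMPLE_USERS_ROUTE_PATTERN = '#^/wp/v2/users(?:/|$)#';

/**
 * Runs before WordPress dispatches a REST request. Returning a WP_Error
 * here short-circuits the request, so the users controller never runs.
 */
function example_block_anonymous_user_listing( $result, $server, $request ) {
    // Respect a response or error already set by an earlier filter.
    if ( null !== $result ) {
        return $result;
    }

    // Leave every route other than the users routes untouched.
    if ( ! preg_match( EXAMPLE_USERS_ROUTE_PATTERN, $request->get_route() ) ) {
        return $result;
    }

    // Authenticated callers (editor screens, admin tools) keep normal access;
    // the core permission checks still apply to them.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous caller: answer with an authorization error instead of user data.
    return new WP_Error(
        'rest_user_cannot_view',
        'Authentication is required to list users.',
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_pre_dispatch', 'example_block_anonymous_user_listing', 10, 3 );
```

This closes only the REST route; as the WordPress API team's reply points out, usernames can still appear through themes and RSS feeds, so those need to be reviewed separately.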