“Et tu Wordpress!” – paraphrased from Julius Caesar Act III, Scene I
If Shakespeare blogged, I wonder if he would have used Wordpress? I don't have anything against Wordpress; I've deployed it several times. It suffers from a common issue that most applications do: security is either poorly implemented or not implemented at all. Application developers will either skip security altogether or have their own ideas about how things should be secured. This, combined with the fact that the platforms they run on are as poorly locked down as the application, often leads to scenarios where your favorite application platform can make you feel like there's a knife coming out of your back, wondering how your greatest friend could have put it there. It's not intentional; it's just inevitable.
Take Wordpress - an immensely popular platform for blogging, but also for web site and application development. Last week it was discovered that someone is running a massively distributed brute-force attack in an attempt to crack common “admin” passwords (http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br). This attack has been successful because Wordpress developers have focused on functionality, not security.
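What makes the attack above hard to catch is that it is distributed: each source address makes only a handful of login attempts, so a per-IP lockout or rate limit never fires. The aggregate rate of POSTs to wp-login.php across all sources is the signal that does show it. The following Python is an added example, not code from the original post or from Wordpress, CloudFlare or Oracle: it parses constructed Apache combined-format access log lines (the addresses, timestamps and thresholds are the example's own assumptions) and reports both any single noisy source and the distributed pattern of many distinct sources hitting the login form within one short window.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" log format: client, identd, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def _constructed_lines():
    """Constructed sample traffic (not real logs): one benign visitor, twelve
    distinct sources posting to wp-login.php once each, one source posting six
    times, and a benign GET of the login page."""
    lines = ['10.0.0.5 - - [12/Apr/2013:10:00:00 +0000] "GET /2013/04/hello-world/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"']
    for i in range(1, 13):  # low per-IP rate, high aggregate rate
        lines.append(f'198.51.100.{i} - - [12/Apr/2013:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"')
    for i in range(6):  # one source that a per-IP rule would catch
        lines.append(f'203.0.113.7 - - [12/Apr/2013:10:00:{20 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"')
    lines.append('10.0.0.9 - - [12/Apr/2013:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"')
    return lines


SAMPLE_LOG = "\n".join(_constructed_lines())


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
            "method": m.group("method"),
            # Drop any query string so /wp-login.php?redirect_to=... still matches.
            "path": m.group("path").split("?", 1)[0],
            "status": int(m.group("status")),
        })
    return entries


def login_attempts(entries):
    """Only POSTs to the login form count as attempts; GETs just render the page."""
    return [e for e in entries if e["method"] == "POST" and e["path"] == "/wp-login.php"]


def detect_bruteforce(entries, window_seconds=60, per_ip_threshold=5, distributed_threshold=10):
    """Return per-IP offenders and the peak number of distinct sources seen
    posting to wp-login.php inside any window of window_seconds."""
    attempts = sorted(login_attempts(entries), key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)

    # Classic check: a single address making many attempts.
    per_ip = Counter(e["ip"] for e in attempts)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)

    # Distributed check: many distinct addresses inside one window, even when
    # no single address crosses per_ip_threshold.
    peak_distinct, peak_start = 0, None
    for i, end in enumerate(attempts):
        in_window = [e for e in attempts[: i + 1] if end["ts"] - e["ts"] <= window]
        distinct = len({e["ip"] for e in in_window})
        if distinct > peak_distinct:
            peak_distinct, peak_start = distinct, in_window[0]["ts"]

    return {
        "noisy_ips": noisy_ips,
        "peak_distinct_sources": peak_distinct,
        "distributed": peak_distinct >= distributed_threshold,
        "window_start": peak_start,
    }


if __name__ == "__main__":
    report = detect_bruteforce(parse_log(SAMPLE_LOG))
    print("noisy sources:", report["noisy_ips"])
    print("distinct sources in peak window:", report["peak_distinct_sources"])
    print("distributed attack suspected:", report["distributed"])
```

On the constructed sample, the per-IP rule flags only 203.0.113.7, while the window check sees thirteen distinct sources in under a minute, which is what a distributed campaign looks like from the web server's side. A refinement worth adding on real logs: a failed Wordpress login re-renders the form with a 200, while a successful one redirects with a 302, so filtering attempts to status 200 separates guesses from legitimate logins.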
So, how does one protect oneself? A system like Oracle Access Manager will go a LONG way:
This has a benefit beyond security - it also gives your developers a break. Externalizing security lets your developers focus on the business problem being solved rather than re-inventing the wheel, which leads to lower costs, fewer breaches and CIOs in the Wall Street Journal talking about success instead of apologizing for breaches!