Wordpress sites getting hacked - Not that this is news...
-
Ransomware Criminals Infect Thousands With Weird WordPress Hack
Ransomware criminals infect thousands of end-users with weird WordPress hack and how security awareness training can help.
Excerpt:
An unexpectedly large number of WordPress websites have been mysteriously compromised and are delivering the TeslaCrypt ransomware to unwitting end-users. Antivirus is not catching this yet.
In the last few days, malware researchers from Malwarebytes and other security firms have reported that a massive number of legit WordPress sites somehow have been compromised and are silently redirecting visitors to sites with the Nuclear Exploit Kit. It's not yet clear how the WordPress sites are getting infected, but it is highly likely that there is a new vulnerability that is being exploited in either WP or a very popular WP plugin.
Yes it's from a blog that sells security services, but the news itself was worth forwarding. Be careful out there.
-
Wordpress sites getting hacked
In other equally shocking news, water is found to be wet, and fire is found to be hot
-
I'm confused.
"An unexpectedly large number of WordPress sites have been compromised"
I take that to mean "none of them", because that's the only way that I can understand the use of the word "unexpected" in this context.
Or is it unexpected that they would be "mysteriously" compromised instead of being compromised for obvious reasons like the "because it's WordPress" vulnerability?
-
I take that to mean "none of them", because that's the only way that I can understand the use of the word "unexpected" in this context.
It says "unexpectedly large" though, which implies "larger than you'd expect". Which is still puzzling because few people would be surprised if all wordpress sites were infected.
-
Which is still puzzling because few people would be surprised if all wordpress sites were infected.
wordpress sites are, by definition, infected with malware.
it's called wordpress
-
LOLOLLZLZ let's all make fun of wordpress for being insecure lOLOSLOSLLSOL this is a highly origiinal joke nobody's ever heard before LOLOSLOLLZZ
-
Is there some expectation for WordPress, or is it one of those, "It's not my technology" things?
-
this is a highly origiinal joke nobody's ever heard before
i'm glad you agree!
on the strength of your opinion i'm entering the joke into the "Best Jokes of 2017" competition. With your infalible backing it's sure to will the grand prize!
-
Ok, so it looks like it's insecure because it's popularized and doesn't have a formal environment for verifying code.
-
An unexpectedly large number of WordPress websites have been mysteriously compromised
E_SARCASM_BUFFER_OVERFLOW FLUSHING CACHE CONTINUING READa massive number of legit WordPress sites somehow
E_SARCASM_BUFFER_OVERFLOW FLUSHING CACHE CONTINUING READIt's not yet clear how the WordPress sites are getting infected
E_SARCASM_BUFFER_OVERFLOW FLUSHING CACHE CONTINUING READit is highly likely that there is a new vulnerability that is being exploited in either WP or a very popular WP plugin.
E_SARCASM_BUFFER_OVERFLOW FLUSHING CACHE CONTINUING READ READ COMPLETE COMMENCING COMMENTARY@xaade, WordPress has become famous for being extremely insecure. I know of at least two people who basically spend every work day finding a new zero-day vulnerability in WordPress and reporting it to be fixed.
-
WordPress has become famous for being extremely insecure
PHP and javascript.....
SURPRISE!!!!
-
That, too. But its insecurities build upon the insecurities of its components, even. It's vulnerabilities all the way down.
-
@xaade, WordPress has become famous for being extremely insecure.
To the point where hearing jokes about it is no longer fucking funny, so stop making them.
-
To the point where hearing jokes about it is no longer fucking funny
"One man's shit is another mans gold" - Harry King, Rising Steam
-
To the point where hearing jokes about it is no longer fucking funny, so stop making them.
Like puns, jokes about how insecure WordPress is will always be funny.
-
In other equally shocking news, water is found to be wet, and fire is found to be hot
For the record, I don't use WordPress. Shows you how little I know about it.
-
i'm entering the joke into the "Best Jokes of 2017" competition
snnnooooarrrr snnnnooooooarrr wait! what! phrwfmk.. snot snarfle.
Shit - I overslept! It can't be 2017 already?! Fuck - what did I miss?
-
-
It won't be 20:17 here for another 5 hours or so :)
-
For the record, I don't use WordPress.
Count yourself blessed. I've had several friends whom I am fairly certain went temporarily insane at some point while trying to use WP.
-
PHP and Javascript make the vast majority of the web...
-
I don't know whether it's related, or just some other misconfiguration on the MSDN blogs site. I have been greeted by the following a few times this morning.
Btw, seems when uploading image through web, the img tag got inserted in the beginning instead of append to the end of the post here. Since it's not easy to move the already typed content up with phone, I'll leave it as is.
-
Uh, you mean the Reading View that you have enabled?
-
Wordpress alone isn't the problem - plugins are part of the problem too. Mostly those things are cobbled together by someone who wants to 'get the job done', then dumps his turd on GitHub stating that it is the best thing since sliced bread, only to immediately abandon it and never update it again.
Then some underpaid douchebag
web developerdrag-and-drop hero from some shithole takes this plugin, integrates it with the next thirteen-in-a-dozen eCommerce website he's making for some local shoe shop that wants to 'grow its web presence' and presto... you have yourself a ticking timebomb.
-
Yup, I used to be able to load the pages in that mode, but need to load 3-4 times to load it correctly this morning.
Of course it could also be because I'm visiting there in China... :O
-
This explore has been known since September, and even then only affected out of date versions of the software.
In other news, OpenSSL has a flaw that can expose user credentials...
-
Ok, so it looks like it's insecure because it's popularized and doesn't have a formal environment for verifying code.
Heh, verifying code. It would be a good start if it didn't insist on keeping application code in the same tree as user uploads and client assets — you can change upload directory... but it's relative to wp-content which also contains themes and plugins... which contain both server and client code so they can't be moved away.
And getting PHP to only execute some of this and never touch anything else is a pain in the ass, because PHP is also developed by idiots. So if you're not careful it takes very little for RCE.
-
In other equally shocking news, water is found to be wet, and fire is found to be hot
Looked at this and thought: "hmm...Guess I shouldn't play with matches...er, WordPress?"
-
Because Apache doesn't have a directive that allows for forcibly disabling any requests to a certain folder from being run as PHP, which would solve this. OH WAIT--
And before anyone utters the words "nginx" or "IIS" WP already needs special love to work correctly on those and anyone doing that probably is prepared for diving into a circle of hell anyway.
-
I ran WordPress on IIS a few years. It worked ok; it was MySQL I had more problems with. (Apparently the default collation was different on the Windows install than the Linux install I exported from, and neither MySQL nor WordPress actually checks the collation is correct before inserting new data. So I ended up with gibberish characters replacing my smart quotes.)
The real problem with WordPress on IIS is that a lot of plug-ins wouldn't work. Frankly that's more a blessing than a curse.
-
Because Apache doesn't have a directive that allows for forcibly disabling any requests to a certain folder from being run as PHP, which would solve this. OH WAIT--
Not the point. Application code simply doesn't belong in a public webroot, ever. Choice of httpd is not very important here, the steps to not fucking up the configuration are more or less the same on every one.
-
You know there are reasons why WP does it, right? I hate to defend WP here but there are reasons that make some sense.
- It means the actual users - the non technical people - are less likely to fuck up backups.
- It means the actual users likely will have a "just works" experience on an average shared host. And before anyone suggests "Fantastico" or "Scriptaculous" these have a nasty habit of installing things incorrectly ranging from incomplete databases, to misconfigured databases to directory permissions. For a friendly, easy to use setup, this is really important.
There's more but typing on mobile is effort.
These might seem trite and stupid reasons to you but competent people like you and me (well, me for sure, can only assume so for you) are not WP's typical user base and our expertise and prejudices should be ignored when trying to understand why things are so. I'm not suggesting the above is unfixable, but it might as well be in many ways.
Remember: PHP grew to its present dominance because it was easier to setup than Perl, not because it was good. WP has a similar deal, it isn't Drupal, Joomla etc.
-
I hate to defend WP here but there are reasons that make some sense.
Sure, I can accept the defaults tailored to shitty shared hosts. But it's not impossible to have that and also to support more secure setup. One simple thing to vastly improve this would be to allow UPLOADS_DIR to be an absolute path because holy shit, there is no reason to make it relative-only. Make
/wp-admin/be a single entry point and keep all the included code in a single tree that is include_dirs friendly. Make a single user entry point too, really. Instead of singlewp-contenthierarchy have two for static assets and code: users install through admin panel so they don't care anyway.No, WP developers are just not good. It's not about users.
-
See there's one other problem WP has, which is inertia.
The earliest versions of WP were shitty, sure. But where it grew in certain directions, it now can't change that without breaking plugins on a major scale, and a large part of its ecosystem is the diversity of plugins.
Same reason they can't break having
the_loop()because it would break many things.Trouble is, they're fucking stuck with this shit and can't exactly fix it even if they wanted to, which I suspect they do. But consider if they burned it to the ground in WP5, they'd have a nice core and no ecosystem around it, so adoption/migration would be painful, just like it was for Python 2 -> 3.
-
Eh, many of those things should be doable without breaking compatibility, and not like they have an amazing guarantee for plugins working in even new minor releases anyway.
Leave deprecated shims in place for few release cycles, warn everyone about possibly breaking changes, and actually improve what's seen as a security joke? But then again there's wordpress.com so I wouldn't be surprised if they just simply didn't care ("You have security problems? Well you should just buy hosting here and let us worry about it").
Guess WP sites getting compromised will remain not news.
(But really this is all just because I've been setting it up recently.
)
-
If a Wordpress site is set to auto-update the core and plugins, you'll mitigate attacks but probably break some plugins.
Some of the breaking changes are due to plugin makers doing things in a hacky way, or not fully understanding the hooks they're using. For example, hooking into "init" used to allow you register a widget on the sidebar. Now you have to use "widget_init". Why? Fucked if I know, but it's the raisin one of my sidebar widgets vanished.
Also, subscribing to a good Wordpress security blog / mailing list is recommended:
If Wordpress was to do any major overhaul, I'd want it to be focusing on securing the admin side of plugins. A lot of vulnerabilities come in two flavors:
- Plugin does something dumbshit stupid, like executing arbitrary code, not checking authentication, allowing for filesystem access, the usual-- basic bad programming
- But then there's others that will respond to requests to their /admin portions. Sometimes the request is just never checked for authorization. Other times it allows for CSRF by not having some sort of nonce. It'd be nice to create a better API for administering plugins, so they don't have to have that raw access. If you want an admin plugin, you have to write all the UI and CRUD yourself. This leads to plugin authors taking the shortest route their knowledge allows, and leaving gaping holes. Some sort of "CreateAdminForm(dictionary of UI widgets and values)" and "GatherAdminFormInput()" type APIs would be good.
-
Until the shims do something that breaks a plugin in a weird way, which it will, and then it will be WP's fault not the plugin's for being retarded, and people will stop updating. Been there, seen it, got the t-shirt and scars from trying to prevent the retardary.
-
@Lorne_Kates said:
It'd be nice to create a better API for administering plugins, so they don't have to have that raw access. If you want an admin plugin, you have to write all the UI and CRUD yourself. This leads to plugin authors taking the shortest route their knowledge allows, and leaving gaping holes. Some sort of "CreateAdminForm(dictionary of UI widgets and values)" and "GatherAdminFormInput()" type APIs would be good.
This. A thousand times this.
-
Panama Papers hack: Unpatched WordPress, Drupal bugs to blame?