Wordpress sites getting hacked - Not that this is news...



  • Excerpt:

    An unexpectedly large number of WordPress websites have been mysteriously compromised and are delivering the TeslaCrypt ransomware to unwitting end-users. Antivirus is not catching this yet.

    In the last few days, malware researchers from Malwarebytes and other security firms have reported that a massive number of legit WordPress sites somehow have been compromised and are silently redirecting visitors to sites with the Nuclear Exploit Kit. It's not yet clear how the WordPress sites are getting infected, but it is highly likely that there is a new vulnerability that is being exploited in either WP or a very popular WP plugin.

    Yes it's from a blog that sells security services, but the news itself was worth forwarding. Be careful out there.


  • sockdevs

    Wordpress sites getting hacked

    In other equally shocking news, water is found to be wet, and fire is found to be hot



  • I'm confused.

    "An unexpectedly large number of WordPress sites have been compromised"

    I take that to mean "none of them", because that's the only way that I can understand the use of the word "unexpected" in this context.

    Or is it unexpected that they would be "mysteriously" compromised instead of being compromised for obvious reasons like the "because it's WordPress" vulnerability?



  • @DCRoss said:

    I take that to mean "none of them", because that's the only way that I can understand the use of the word "unexpected" in this context.

    It says "unexpectedly large" though, which implies "larger than you'd expect". Which is still puzzling because few people would be surprised if all wordpress sites were infected.


  • sockdevs

    @PleegWat said:

    Which is still puzzling because few people would be surprised if all wordpress sites were infected.

    wordpress sites are, by definition, infected with malware.

    it's called wordpress



  • LOLOLLZLZ let's all make fun of wordpress for being insecure lOLOSLOSLLSOL this is a highly origiinal joke nobody's ever heard before LOLOSLOLLZZ



  • Is there some expectation for WordPress, or is it one of those, "It's not my technology" things?


  • sockdevs

    @blakeyrat said:

    this is a highly origiinal joke nobody's ever heard before

    i'm glad you agree!

on the strength of your opinion i'm entering the joke into the "Best Jokes of 2017" competition. With your infallible backing it's sure to win the grand prize!



  • Ok, so it looks like it's insecure because it's popularized and doesn't have a formal environment for verifying code.


  • Winner of the 2016 Presidential Election

    @redwizard said:

    An unexpectedly large number of WordPress websites have been mysteriously compromised

    E_SARCASM_BUFFER_OVERFLOW
    FLUSHING CACHE
    CONTINUING READ
    

    @redwizard said:

    a massive number of legit WordPress sites somehow

    E_SARCASM_BUFFER_OVERFLOW
    FLUSHING CACHE
    CONTINUING READ
    

    @redwizard said:

    It's not yet clear how the WordPress sites are getting infected

    E_SARCASM_BUFFER_OVERFLOW
    FLUSHING CACHE
    CONTINUING READ
    

    @redwizard said:

    it is highly likely that there is a new vulnerability that is being exploited in either WP or a very popular WP plugin.

    E_SARCASM_BUFFER_OVERFLOW
    FLUSHING CACHE
    CONTINUING READ
    READ COMPLETE
    COMMENCING COMMENTARY
    

    @xaade, WordPress has become famous for being extremely insecure. I know of at least two people who basically spend every work day finding a new zero-day vulnerability in WordPress and reporting it to be fixed.



  • @Fox said:

    WordPress has become famous for being extremely insecure

    PHP and javascript.....

    SURPRISE!!!!


  • Winner of the 2016 Presidential Election

    That, too. But its insecurities build upon the insecurities of its components, even. It's vulnerabilities all the way down.



  • @Fox said:

    @xaade, WordPress has become famous for being extremely insecure.

    To the point where hearing jokes about it is no longer fucking funny, so stop making them.


  • sockdevs

    @blakeyrat said:

    To the point where hearing jokes about it is no longer fucking funny

"One man's shit is another man's gold" - Harry King, Raising Steam


  • Winner of the 2016 Presidential Election

    @blakeyrat said:

    To the point where hearing jokes about it is no longer fucking funny, so stop making them.

    Like puns, jokes about how insecure WordPress is will always be funny.



  • @RaceProUK said:

    In other equally shocking news, water is found to be wet, and fire is found to be hot

    For the record, I don't use WordPress. Shows you how little I know about it. :frowning:



  • @accalia said:

    i'm entering the joke into the "Best Jokes of 2017" competition

    snnnooooarrrr snnnnooooooarrr wait! what! phrwfmk.. snot snarfle.

    Shit - I overslept! It can't be 2017 already?! Fuck - what did I miss?


  • mod

    @skotl said:

    Shit - I overslept! It can't be 2017 already?!

    Told you to go easy on those cat naps.


  • mod

    It won't be 20:17 here for another 5 hours or so :)


  • Winner of the 2016 Presidential Election

    @redwizard said:

    For the record, I don't use WordPress.

    Count yourself blessed. I've had several friends whom I am fairly certain went temporarily insane at some point while trying to use WP.



  • PHP and Javascript make the vast majority of the web...




  • I don't know whether it's related, or just some other misconfiguration on the MSDN blogs site. I have been greeted by the following a few times this morning.

Btw, it seems that when uploading an image through the web, the img tag got inserted at the beginning instead of being appended to the end of the post here. Since it's not easy to move the already typed content up with a phone, I'll leave it as is.



  • Uh, you mean the Reading View that you have enabled?



  • Wordpress alone isn't the problem - plugins are part of the problem too. Mostly those things are cobbled together by someone who wants to 'get the job done', then dumps his turd on GitHub stating that it is the best thing since sliced bread, only to immediately abandon it and never update it again.

    Then some underpaid douchebag web developer drag-and-drop hero from some shithole takes this plugin, integrates it with the next thirteen-in-a-dozen eCommerce website he's making for some local shoe shop that wants to 'grow its web presence' and presto... you have yourself a ticking timebomb.



  • Yup, I used to be able to load the pages in that mode, but need to load 3-4 times to load it correctly this morning.

    Of course it could also be because I'm visiting there in China... :O



This exploit has been known since September, and even then only affected out of date versions of the software.

    In other news, OpenSSL has a flaw that can expose user credentials...



  • @xaade said:

    Ok, so it looks like it's insecure because it's popularized and doesn't have a formal environment for verifying code.

    Heh, verifying code. It would be a good start if it didn't insist on keeping application code in the same tree as user uploads and client assets — you can change upload directory... but it's relative to wp-content which also contains themes and plugins... which contain both server and client code so they can't be moved away.

    And getting PHP to only execute some of this and never touch anything else is a pain in the ass, because PHP is also developed by idiots. So if you're not careful it takes very little for RCE.



  • @RaceProUK said:

    In other equally shocking news, water is found to be wet, and fire is found to be hot

    Looked at this and thought: "hmm...Guess I shouldn't play with matches...er, WordPress?"


  • sockdevs

    Because Apache doesn't have a directive that allows for forcibly disabling any requests to a certain folder from being run as PHP, which would solve this. OH WAIT--

    And before anyone utters the words "nginx" or "IIS" WP already needs special love to work correctly on those and anyone doing that probably is prepared for diving into a circle of hell anyway.



I ran WordPress on IIS for a few years. It worked ok; it was MySQL I had more problems with. (Apparently the default collation was different on the Windows install than the Linux install I exported from, and neither MySQL nor WordPress actually checks the collation is correct before inserting new data. So I ended up with gibberish characters replacing my smart quotes.)

    The real problem with WordPress on IIS is that a lot of plug-ins wouldn't work. Frankly that's more a blessing than a curse.



  • @Arantor said:

    Because Apache doesn't have a directive that allows for forcibly disabling any requests to a certain folder from being run as PHP, which would solve this. OH WAIT--

    Not the point. Application code simply doesn't belong in a public webroot, ever. Choice of httpd is not very important here, the steps to not fucking up the configuration are more or less the same on every one.


  • sockdevs

    You know there are reasons why WP does it, right? I hate to defend WP here but there are reasons that make some sense.

    1. It means the actual users - the non technical people - are less likely to fuck up backups.
    2. It means the actual users likely will have a "just works" experience on an average shared host. And before anyone suggests "Fantastico" or "Scriptaculous" these have a nasty habit of installing things incorrectly ranging from incomplete databases, to misconfigured databases to directory permissions. For a friendly, easy to use setup, this is really important.

    There's more but typing on mobile is effort.

    These might seem trite and stupid reasons to you but competent people like you and me (well, me for sure, can only assume so for you) are not WP's typical user base and our expertise and prejudices should be ignored when trying to understand why things are so. I'm not suggesting the above is unfixable, but it might as well be in many ways.

Remember: PHP grew to its present dominance because it was easier to set up than Perl, not because it was good. WP has a similar deal, it isn't Drupal, Joomla etc.



  • @Arantor said:

    I hate to defend WP here but there are reasons that make some sense.

    Sure, I can accept the defaults tailored to shitty shared hosts. But it's not impossible to have that and also to support more secure setup. One simple thing to vastly improve this would be to allow UPLOADS_DIR to be an absolute path because holy shit, there is no reason to make it relative-only. Make /wp-admin/ be a single entry point and keep all the included code in a single tree that is include_dirs friendly. Make a single user entry point too, really. Instead of single wp-content hierarchy have two for static assets and code: users install through admin panel so they don't care anyway.

    No, WP developers are just not good. It's not about users.


  • sockdevs

    See there's one other problem WP has, which is inertia.

    The earliest versions of WP were shitty, sure. But where it grew in certain directions, it now can't change that without breaking plugins on a major scale, and a large part of its ecosystem is the diversity of plugins.

    Same reason they can't break having the_loop() because it would break many things.

    Trouble is, they're fucking stuck with this shit and can't exactly fix it even if they wanted to, which I suspect they do. But consider if they burned it to the ground in WP5, they'd have a nice core and no ecosystem around it, so adoption/migration would be painful, just like it was for Python 2 -> 3.



  • Eh, many of those things should be doable without breaking compatibility, and not like they have an amazing guarantee for plugins working in even new minor releases anyway.

Leave deprecated shims in place for a few release cycles, warn everyone about possibly breaking changes, and actually improve what's seen as a security joke? But then again there's wordpress.com so I wouldn't be surprised if they just simply didn't care ("You have security problems? Well you should just buy hosting here and let us worry about it").

    Guess WP sites getting compromised will remain not news.

    (But really this is all just because I've been setting it up recently. :crying_cat_face:)



  • If a Wordpress site is set to auto-update the core and plugins, you'll mitigate attacks but probably break some plugins.

Some of the breaking changes are due to plugin makers doing things in a hacky way, or not fully understanding the hooks they're using. For example, hooking into "init" used to allow you to register a widget on the sidebar. Now you have to use "widget_init". Why? Fucked if I know, but it's the raisin one of my sidebar widgets vanished.

    Also, subscribing to a good Wordpress security blog / mailing list is recommended:

    If Wordpress was to do any major overhaul, I'd want it to be focusing on securing the admin side of plugins. A lot of vulnerabilities come in two flavors:

    • Plugin does something dumbshit stupid, like executing arbitrary code, not checking authentication, allowing for filesystem access, the usual-- basic bad programming
    • But then there's others that will respond to requests to their /admin portions. Sometimes the request is just never checked for authorization. Other times it allows for CSRF by not having some sort of nonce. It'd be nice to create a better API for administering plugins, so they don't have to have that raw access. If you want an admin plugin, you have to write all the UI and CRUD yourself. This leads to plugin authors taking the shortest route their knowledge allows, and leaving gaping holes. Some sort of "CreateAdminForm(dictionary of UI widgets and values)" and "GatherAdminFormInput()" type APIs would be good.
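An added example (not code from this thread or from WordPress itself) of the second flavour described in the post above: a plugin admin handler that checks neither authorization nor a nonce, beside the same handler guarded with WordPress's own capability and nonce APIs. The plugin slug, option name and action names (`wtf_demo_*`) are made up for illustration; the API calls are real WordPress functions.

```php
<?php
/*
 * Added example, not from the thread or from WordPress core. Everything
 * named "wtf_demo_*" is a made-up identifier for this illustration.
 * admin_post_{action} hooks only fire for logged-in users, so the insecure
 * handler is reachable by any subscriber directly, or by an administrator
 * whose browser is steered to it (CSRF), since nothing checks role or intent.
 */

// Vulnerable shape: no capability check, no nonce, no sanitising.
add_action( 'admin_post_wtf_demo_save_insecure', function () {
    update_option( 'wtf_demo_banner', $_POST['banner'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );

// Hardened shape: authorization (capability), then CSRF (nonce), then sanitise.
add_action( 'admin_post_wtf_demo_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    // Verifies the hidden field emitted by wp_nonce_field() below; dies on failure.
    check_admin_referer( 'wtf_demo_save_banner', 'wtf_demo_nonce' );
    $banner = sanitize_text_field( wp_unslash( $_POST['banner'] ?? '' ) );
    update_option( 'wtf_demo_banner', $banner );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
} );

// Settings page whose form posts to the hardened handler via admin-post.php.
add_action( 'admin_menu', function () {
    add_options_page( 'WTF Demo', 'WTF Demo', 'manage_options', 'wtf-demo', function () {
        ?>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="wtf_demo_save">
            <?php wp_nonce_field( 'wtf_demo_save_banner', 'wtf_demo_nonce' ); ?>
            <input type="text" name="banner"
                   value="<?php echo esc_attr( get_option( 'wtf_demo_banner', '' ) ); ?>">
            <?php submit_button( 'Save' ); ?>
        </form>
        <?php
    } );
} );
```

The two guard lines are the whole difference: a reviewer auditing a plugin can grep its `admin_post_` and `wp_ajax_` callbacks for a `current_user_can()` and a `check_admin_referer()`/`wp_verify_nonce()` call, and treat any callback missing either as the kind of hole the post describes.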

  • sockdevs

    Until the shims do something that breaks a plugin in a weird way, which it will, and then it will be WP's fault not the plugin's for being retarded, and people will stop updating. Been there, seen it, got the t-shirt and scars from trying to prevent the retardary.



  • @Lorne_Kates said:

    It'd be nice to create a better API for administering plugins, so they don't have to have that raw access. If you want an admin plugin, you have to write all the UI and CRUD yourself. This leads to plugin authors taking the shortest route their knowledge allows, and leaving gaping holes. Some sort of "CreateAdminForm(dictionary of UI widgets and values)" and "GatherAdminFormInput()" type APIs would be good.

    This. A thousand times this.



