Survey Finds Most WordPress Blogs Vulnerable 82
BlogSecurity writes "Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software. He said, 'The main concern here is the lack of security awareness amongst bloggers with a non-technical background, and even those with a technical background.' Mr Kierznowski also uncovered recent vulnerabilities in WordPress plugins that ship by default with the software, adding: 'WordPress users developing plugins must be aware of the security functions that WordPress supports, and ensure that these functions are used in their code.'"
self-updating (Score:3, Insightful)
Time for web applications to grow up (Score:5, Insightful)
I think it's about time web applications like WordPress included an update service. Put update notifications into an Atom feed pointing to tarballs incorporating an update script, patches, etc, and label them as security/minor/major. Have the system periodically retrieve them, automatically apply the security updates, and prompt the admin next time he logs in to apply the others.
The only difficulty is that the developers need to have proper release management. No more bundling security fixes into whatever the latest development version is. No more releasing updates that fiddle with styles at the same time as fixing serious bugs. I don't think that's feasible for many web applications, but it's certainly achievable for bigger projects like Wordpress.
I can't think of any web application that does this already off the top of my head. Does anybody know of any projects doing this?
Re:irony? (Score:2, Insightful)
People run old software? Really? (Score:3, Insightful)
So if it's news to you that people run old and/or vulnerable software, then this might be something new. Otherwise it's just what I would expect.
Re:Wordpress - a correction (Score:3, Insightful)
2.2 fixes bugs I never noticed and new features I didn't immediately need, so I can see why even good blog administrators might have waited to upgrade this one. I'm not sure BlogSecurity is correct to say 2.2 is the only secure version.
For people using Web hosts with control panels and doing installs and upgrades through a control panel like "Fantastico," the latest version they're offering is 2.1.3.
I agree that Wordpress is a bit of a pain to upgrade if you've done customization. I also like to manually back up my databases before I install a new version. The whole process takes about half an hour if I include the downloading, untarring, killing off files manually, and so forth.
Re:Time for web applications to grow up (Score:4, Insightful)
Re:self-updating (Score:3, Insightful)
Re:Time for web applications to grow up (Score:3, Insightful)
It depends on what you mean. Wordpress already tells you when a new version is available. What it doesn't do is automatically install it for you. In the case of PHP apps, this is a good thing. (At least, as far as running a PHP app in the first place can be considered a "good thing".)
Wordpress installations rarely run the vanilla software. Usually the look has been customized by modifying templates and/or plugins have been added to provide new functionality. In order to do either of these tasks, you have to modify the PHP code. Wordpress provides an easy-to-use interface to do this, but it doesn't help anything if you upgrade your system. Your look and customizations will go "poof!" the moment you untar that new version. Thus upgrading is a rather painful process that requires that users backup and reapply all their modifications. That's why no one ever upgrades PHP apps if they can help it.
Re:Thanks OSS! (Score:2, Insightful)
I was hacked... (Score:2, Insightful)
As someone who has just recently been hacked (Druapal 5.1, not WordPress, but I almost went that direction) I can say that I've recently seen my fair share of hacked Wordpress sites (via links to/from referrers) that have been listed as 'defaced' with, "Attack Technics : FTP Protokol" listed on the bragging-rights page. In my particular case it was because my hosting service allows anonymous FTP uploads(?!) with no 'correct' way to disable it (???!!!) -- my solution was to allow 0KB of FTP transfer for anonymous users.
For those whishing to see for themselves and laugh/shutter/worry, etc they can do so by clicking here AT THEIR OWN RISK [turk-h.org].
Re:Time for web applications to grow up (Score:3, Insightful)
Actually, this isn't true -- provided you use some common sense about how you customize your Wordpress blog. It doesn't make a lot of sense to go ahead and apply all your customizations to a theme called "default," for example (though I'm sure that lots of people do this). When you go and untar the new version, the "default" theme will be overwritten, as you point out. But if you had taken the time to make a copy of the default theme before you started mucking with it -- into a directory called, I dunno, "mytheme," perhaps -- your theme wouldn't get overwritten by anything in the tarball and your look and customizations would still be there as soon as you upgraded your database.
More of a hassle, I suspect, is that a lot of people run Wordpress on CPanel hosts -- CPanel is a popular server management platform that lets shared hosting customers control their sites without shell access -- and CPanel does not make it particularly easy to upgrade Wordpress. On a lot of hosts I've seen, for example, the function to extract a tarball is configured to never overwrite any files. So far as I can see, the only way to upgrade Wordpress is to rename your current install to a directory called "wordpress-old" or something, then extract the tarball, then copy over all of your modifications by hand using a Web-based file manager. I imagine this is pretty much beyond the capabilities of many Wordpress users. (But then, nobody is forced to maintain their own blog software. I suspect many do it out of a misguided sense of "leet"-ness.)
Re:Time for web applications to grow up (Score:3, Insightful)
So I read this as... (Score:3, Insightful)
Good riddance if that is the case. If they cannot adapt to the needs of its users, they deserve what will come to them, though their users do not
Re:what about Blogger? (Score:2, Insightful)
This doesn't have anything to do with the WordPress crew sucking at security, just their users.
Re:How do you fix it? (Score:3, Insightful)
NeoThermic