Survey Finds Most WordPress Blogs Vulnerable

BlogSecurity writes "Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software. He said, 'The main concern here is the lack of security awareness amongst bloggers with a non-technical background, and even those with a technical background.' Mr Kierznowski also uncovered recent vulnerabilities in WordPress plugins that ship by default with the software, adding: 'WordPress users developing plugins must be aware of the security functions that WordPress supports, and ensure that these functions are used in their code.'"

Blogs are vunerable?

[iknownuttin]

So, how's a huge problem? If anything, some blogs need to be hacked to have some decent content on them!

Re:Blogs are vunerable?

[speculatrix]

at my previous job there had been a programmer who used the same password for *everything*, and I do mean everything... from the mysql logins (both "root" and regular webapp), web site logins, shell accounts and the ssh passwords needed to move data around!

I discovered he had a blog site, and guess what, his standard password worked on that too, both to login as him and as admin. Whilst tempted, I neither added nor deleted anything on his site, but I *did* go occasionally go through his blog posts and correct his spelling and grammar! He must have noticed because after many months of occasionally tweaking his content, the login finally stopped working. Yes, I'm talking about you, "smurphy" :-)

Re:Blogs are vunerable?

[kv9]

Newsflash: bloggers are idiots. Film at 11.

Thanks OSS!

[xENoLocO]

Open Source Software - Pointing out gaping-security-holes-that-you-can't-do-much-about -until-the-software-is-updated since 1980!

Re:Thanks OSS!

[Ynot_82]

Open Source Software - Pointing out gaping-security-holes-that-you-can't-do-much-about -until-the-software-is-updated-in-a-week's-time-by -some-volunteer-on-the-friendly- community-forum-of-said-software you mean that OSS?

Re:Thanks OSS!

[xENoLocO]

lol.. pretty much.

And mods, my original post is not flamebait... but the truth. It's one of the reasons to use OSS. If it has security holes, you're free to find them yourself.

Re:Thanks OSS!

[leenks]

Your original post would be more applicable to closed source software than open source. If a hole is reported in open source software you CAN do something about it immediately if you want.

Bloggers....

[s.bots]

...are generally wannabe journalists. I hope nobody here on /. is genuinely surprised at the results in TFA.

irony?

[dotpavan]

where is this article hosted? [blogsecurity.net] yes, wordpress powered site!

Re:irony?

[Anonymous Coward]

Is there really a problem if he's running his site on a non-vulnerable version? He's merely pointing out that there are a large number of Wordpress-powered sites out there that are vulnerable. Not ironic in the slightest.

Re:irony?

[Anonymous Coward]

the fud-tone is uncalled for.. if he believes in wordpress, good, and nothing wrong is showing faults, but the nyah-nyah-nyah tone seems to be bad..

How do you fix it?

[jshriverWVU]

As a wordpress user how do you fix it? I only blog to keep in touch with family and friend who live out of state. But it's been a fun project, though if it is easily exploitable I'd like to know how to fix it, and not just "you're site is EZly hax0red"

Re:How do you fix it?

[packetmon]

http://www.infiltrated.net/docs/modsecips.html [infiltrated.net] step by step... If its your own server... If not have the admin slap on mod_security for you and add the same rules in my previous post on this page... www.infiltrated.net/admin.php go for it... That's how I add content. There are a lot of variables to prevent against injections, etc.

Block Spam injections [pathf.com]

Directory traversal attacks SecFilter "\.\./"

XSS attacks
SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"

SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

Too many times there are clueless admins (not you per se). But this also tends to be one of the grips on the Ubuntu Document [infiltrated.net] people flame me for. If *semi* even experienced admins can't lock a machine down... Imagine when Ubuntu on Dell becomes the next hot thing. Flame as much as you'd like facts are facts

Re:How do you fix it?

[Anonymous Coward]

Mod security is an even bigger joke than your ubuntu article! [securityfocus.com] No web app should be vulnerable to directory traversal, XSS or SQL injection in 2007. If developers have made these simple mistakes, there's a strong possibility they made others that a band-aid will not fix.

Users should 'fix' wordpress by keeping upto date with the latest stable versions of PHP and wordpress; security is a process and not a product. Personally I wouldn't use wordpress, it may be one of the better written PHP web-apps but unfortunately that isn't saying much at all.

Re:How do you fix it?

[packetmon]

Your words are contradictory... You state Mod security is an even bigger joke than your ubuntu article! blah blah cry cry.. Then state keeping upto date with the latest stable versions... blah blah So does that mean if you kept up to date with mod_security its still a joke. A system is only as secure as you make it, and FYI I'm very aware of the pros and cons with modsecurity, PHP and most CMS systems in general. So your point is what.

Re:How do you fix it?

[Anonymous Coward]

My point is that you responded to a request from an end user with the wrong solution. Mod security is useful for providers who can silently patch vulns without requiring multiple hosted users stay current with their installed software.

It's not a solution for a single end user running WP in a shared hosting environment or virtual machine, their solution is to upgrade. Plus mod security requires you know how the web app works before you can write the rules, at that point it's as easy to patch the software itself for a single install.

Your ubuntu article overstates itself, sandboxing grannies activities and protecting sudoers/wheel is a good idea. You wrote an alarmist article that is almost indistinguishable from FUD.

Re:How do you fix it?

[packetmon]

I should have included the fix for the ASCIIZ bypass... So here goes..

SecRule REQUEST_BODY "@validateByteRange 1-255" "log,deny,phase:2,t:none,msg:'ModSecurity ASCIIZ Evasion Attempt'"

Now back to a response... My point is that you responded to a request from an end user with the wrong solution. It's not a solution for a single end user running WP in a shared hosting environment or virtual machine

You must be kidding? I have about 15 other sites hosted on the same box and my rules affect no one but my own site.

Plus mod security requires you know how the web app works before you can write the rules at that point it's as easy to patch the software itself for a single install.

So let me put this in logical terms via way of analogy... You want someone to just point and click run an application without them knowing a shizzle about how it works and why... They just want it up and running... Then at the same time you expect them to be savvy enough to 1) monitor for updates, 2) install those updates... So how different is this from me stating... By the way, here is an even SLICKER method for making SURE no one is going to touch your machine. Heck I could have avoided using mod_security and used .htaccess with a proxy server set to only allow localhost then do updates via ssh and links... Thats the fullproof method.

Regardless of the software I throw up, its UP TO ME as a USER to make sure MY IMPLEMENTATION of software is secure enough for ME. No vendor, FOSS developer person on the planet will release a patch in quick enough time for me. Hence security being pre-emptive and proactive. So I could care less if product_foo has updated versions or not. And one would have to be an ass to wait for a vendor to release a patch if there is something they could do to protect themselves in the interim... So analogy... Your house is starting to burn... You have a fire extinguisher near you and you dial 911... Do you a) wait for 911 to get their or b) try to do something in the interim. I don't know about you but I'm trying to put that fire out before my house burns. Fire department can get here when they do.

Your ubuntu article overstates itself, sandboxing grannies activities and protecting sudoers/wheel is a good idea. You wrote an alarmist article that is almost indistinguishable from FUD.

You're free to prove me wrong... Show factual information. I gave facts and proof.

Re:How do you fix it?

[Anonymous Coward]

You must be kidding? I have about 15 other sites hosted on the same box and my rules affect no one but my own site.

You're taking what I said out of context. As the ASCIIZ vuln proved, your software could still be vulnerable unless you upgrade. The solution is to upgrade, not to apply another level of complexity. If the web app has common vulns, the developers have probably made other mistakes and you are unlikely to have rules to protect against those. If your 15 sites were all user maintained WP installs, of course mod_security rules would make sense.

You want someone to just point and click run an application without them knowing a shizzle about how it works and why...

You have to know how an app works to be able to author mod security rules. What are users to do, copy them from some random website? Copy them from some stranger on slashdot? Are we really expecting users to learn mod_rewrite and mod_security just to run a modern web app? I'd prefer to patch an app in any language rather than resort to mod_rewrite or it's brethren.

Show factual information. I gave facts and proof.

No you gave a script that required root and then ranted about how this proves unix is not ready for granny.

Re:How do you fix it?

[cheater512]

Dude mod_security *is* a joke. Its a band aid solution.

What would do if a security flaw was found in your blog?
a) Update to the latest version.
b) Make a mod_security rule to block it.

If you choose a) then mod_security is redundant.
If you choose b) then your a idiot.

Re:How do you fix it?

[NeoThermic]

With a decent set of rules, mod_security isn't a joke. Who's to say that a nice 0-day won't pop up during that time you've decided to be out of the country? If your site is popular enough, boom, you're exploited before you have a chance to patch. There's a few rules that you can make that are generic enough to stop most basic automated attempts and simple POCs. These could give you enough spare time to patch the required item(s). Don't ever forget that security is an onion concept. Many layers helps, as if someone gets through one, there's another waiting right there. It's like the same reason why cars have seatbelts, airbags and crumple zones. Just one might save you in some instances, but there just might be one day where you're going to need more than just one.

NeoThermic

Re:How do you fix it?

[Anonymous Coward]

Instructions on upgrading WordPress. [wordpress.org]

This assumes you control where your site is hosted. If it's a WP install provided by your hosting provider, ask them if they're up to date, and if not nag them until they are.

(Now to see if posting AC cancels the mod points I'd already used here.. Ooh, a CAPTCHA!)

HTH, NickFitz.

Re:How do you fix it?

[notthepainter]

I maintain several WordPress blogs so this is of interest to me. Thank you.

On the other hand, my wife needs to write some WordPress blogs for a client and neither she nor the client want to "play computer." They just want to add content. I was looking around for what would essentially business class WordPress hosting. They don't want bluehost or dreamhost at $7/mo and you get to run Fastastico, they just don't want to do that.

Can anyone recommend a good, high quality, WordPress hosting company that handles all the tech work and just lets her handle the content?

Note, she'll need to have it off her domain so the "blogger" solutions are not appropriate. Also note, they can't afford me so I'm not an option!

Thanks

Re:How do you fix it?

[Anonymous Coward]

Can anyone recommend a good, high quality, WordPress hosting company that handles all the tech work and just lets her handle the content?

Hmm, perhaps Wordpress.com [wordpress.com]? I'm fairly certain that they offer hosting on your domain name now, not just at username.wordpress.com.

(Not a shill, just trying not to undo my moderations.)

Re:How do you fix it?

[galaxy300]

What about custom domain mapping [wordpress.com] with WordPress.com? They maintain everything for you.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:How do you fix it?

[Anonymous Coward]

If they don't want to "play computer", maybe they should just fuck off. How about that?

Re:How do you fix it?

[666999]

Interestingly enough, Dreamhost doesn't use Fantastico. They have their own custom panel, with many fewer features than CPanel with Fantastico.

This means Dreamhost customers have to update their Wordpress installations manually.

A trivial matter to most of us here, but for those that have become accustomed to using Fantastico's 'Your Wordpress Installation is out of date! Click here to upgrade' it's a good deal more time-consuming.

self-updating

[dr_hooch]

Maybe Wordpress could offer tools to help users better manage updates. Firefox does a great job these days.

Re:self-updating

[Alphager]

Maybe Wordpress could offer tools to help users better manage updates. Firefox does a great job these days.

An Application messing up files past my package-management system? Not on my system.

Re:self-updating

[Anonymous Coward]

I personally would love to be able to update my Wordpress blog and install the appropriate patches. But my hosting company uses an older version, which they have not updated, and which does not work with many of the latest patches.

My choices are therefore to remain vulnerable through no fault of my own, or find another place to transfer my site who will support everything (including several MySQL databases as well as the blog), but not charge me more than I can afford.

Oh noes!

[Wolfger]

Now I have to stop posting replies on Slashdot, or the script kiddies might hack my site.

Re:Oh noes!

[Anonymous Coward]

thank God

Time for web applications to grow up

[Bogtha]

I think it's about time web applications like WordPress included an update service. Put update notifications into an Atom feed pointing to tarballs incorporating an update script, patches, etc, and label them as security/minor/major. Have the system periodically retrieve them, automatically apply the security updates, and prompt the admin next time he logs in to apply the others.

The only difficulty is that the developers need to have proper release management. No more bundling security fixes into whatever the latest development version is. No more releasing updates that fiddle with styles at the same time as fixing serious bugs. I don't think that's feasible for many web applications, but it's certainly achievable for bigger projects like Wordpress.

I can't think of any web application that does this already off the top of my head. Does anybody know of any projects doing this?

Re:Time for web applications to grow up

[drinkypoo]

I can't think of any web application that does this already off the top of my head. Does anybody know of any projects doing this?

The closest thing I can think of is that there is a module for drupal that will check for updates and inform you. Last I checked it would give you download links, but that's as close as it got to installing them. I wrote a module installer at one point (I think there is one, but I actually did an integration job) but then a better release monitor was released, and so I abandoned my code.

I actually did hack up Drupal to do module updates, though, and I'm not much of a programmer. So it's not that hard a job. It might have been done already, but I haven't checked.

Re:Time for web applications to grow up

[PCM2]

The default login screen for Wordpress does indeed automatically inform you of new updates. The problem is, it doesn't really seem to explain them properly. If I load it up right now, there's a notice telling me that Wordpress 2.2 was released 9 days ago. If I originally installed Wordpress longer than 9 days ago, this notice should be enough to tip me off that there's a new version available. Nowhere, however, does it explain that the 2.2 release supercedes the 2.1.3 release and that the 2.1.3 release should be considered insecure. In fact, immediately prior to the notice about the 2.2 release is a notice saying that the latest security update to the 2.1.x tree is available. Many people would be willing to upgrade their Wordpress install to get security updates. Fewer, I suspect, would be willing to upgrade to a full point version release just for kicks.

Re:Time for web applications to grow up

[drinkypoo]

The Drupal module tells you when there are critical security-related updates, so it had that much up on Wordpress, but that's about it.

Re:Time for web applications to grow up

[fatphil]

re your sig: 'The "Overrated" moderation exists only to facilitate abuse.'

What should I do when I see a post containing gross factual inaccuracies moderated as "informative"?

There really ought to be other downward moderations, but while there isn't a "just plain wrong", one _has_ to use "overrated". One might posit that for every type of moderation there ought to be an equal and opposite one.

Informative <-> Wrong
Interesting <-> Tedious
Insightful <-> Well duh!
Funny <-> 3 Stooges

Re:Time for web applications to grow up

[drinkypoo]

What should I do when I see a post containing gross factual inaccuracies moderated as "informative"?

That's a great question. I don't have a good answer. Perhaps I will change my sig a touch. Something to the effect of that the fact that it does not go to metamoderation provides only for abuse.

There really ought to be other downward moderations, but while there isn't a "just plain wrong", one _has_ to use "overrated". One might posit that for every type of moderation there ought to be an equal and opposite one.

I agree wholeheartedly. Perhaps the answer would be to overhaul moderation slightly such that you could simply spend your modpoint to cancel an earlier mod. The cancellations would appear in metamoderation marked as such.

Re:Time for web applications to grow up

[Anonymous Coward]

I can't think of any web application that does this already off the top of my head.

Web applications run when someone out there on the internet hits the website. Should every invocation of the web application check for updates and apply them before the user gets their webpage? If two people hit an unpatched website, should it download and install the updates twice, or should the update system have some form of mutually exclusive locking, forcing the second user to wait a few extra seconds while the first user's request updates the system? Finally, webapps are typically run by the webserver as whatever user the webserver runs as, meaning that if a webapp wants to update itself, it has to be writable by the webserver, which is a recipe for disaster.

Web application packaging needs a lot of work, but automating it from the webapp itself isn't the answer.

Re:Time for web applications to grow up

[laffer1]

Most applications that do update checks I've used only do so from the administration interface. e107 and jforum both check for updates. (php and java apps) Its possible to do the checks. However, downloading updates means the webapp has to have space to download files automatically. From a security perspective, it seems stupid to add this feature unless the webapp already needs writable space. The update feature could introduce an additional attack vector.

Re:Time for web applications to grow up

[hkgroove]

Simple Machines [simplemachines.org] does a decent job. Usually releasing patch files that you download from their site via the admin panel or uploading them directly and installing them.

Re:Time for web applications to grow up

[AKAImBatman]

I think it's about time web applications like WordPress included an update service.

It depends on what you mean. Wordpress already tells you when a new version is available. What it doesn't do is automatically install it for you. In the case of PHP apps, this is a good thing. (At least, as far as running a PHP app in the first place can be considered a "good thing".)

Wordpress installations rarely run the vanilla software. Usually the look has been customized by modifying templates and/or plugins have been added to provide new functionality. In order to do either of these tasks, you have to modify the PHP code. Wordpress provides an easy-to-use interface to do this, but it doesn't help anything if you upgrade your system. Your look and customizations will go "poof!" the moment you untar that new version. Thus upgrading is a rather painful process that requires that users backup and reapply all their modifications. That's why no one ever upgrades PHP apps if they can help it. :-/

Re:Time for web applications to grow up

[PCM2]

Wordpress provides an easy-to-use interface to do this, but it doesn't help anything if you upgrade your system. Your look and customizations will go "poof!" the moment you untar that new version.

Actually, this isn't true -- provided you use some common sense about how you customize your Wordpress blog. It doesn't make a lot of sense to go ahead and apply all your customizations to a theme called "default," for example (though I'm sure that lots of people do this). When you go and untar the new version, the "default" theme will be overwritten, as you point out. But if you had taken the time to make a copy of the default theme before you started mucking with it -- into a directory called, I dunno, "mytheme," perhaps -- your theme wouldn't get overwritten by anything in the tarball and your look and customizations would still be there as soon as you upgraded your database.

More of a hassle, I suspect, is that a lot of people run Wordpress on CPanel hosts -- CPanel is a popular server management platform that lets shared hosting customers control their sites without shell access -- and CPanel does not make it particularly easy to upgrade Wordpress. On a lot of hosts I've seen, for example, the function to extract a tarball is configured to never overwrite any files. So far as I can see, the only way to upgrade Wordpress is to rename your current install to a directory called "wordpress-old" or something, then extract the tarball, then copy over all of your modifications by hand using a Web-based file manager. I imagine this is pretty much beyond the capabilities of many Wordpress users. (But then, nobody is forced to maintain their own blog software. I suspect many do it out of a misguided sense of "leet"-ness.)

Re:Time for web applications to grow up

[AKAImBatman]

But if you had taken the time to make a copy of the default theme before you started mucking with it -- into a directory called, I dunno, "mytheme," perhaps -- your theme wouldn't get overwritten by anything in the tarball and your look and customizations would still be there as soon as you upgraded your database.

That's assuming, of course, that you can use the old template. The new versions might contain changes to the modified files that can't be simply copied over.

Not that I'm disagreeing with you about the importance of separating out your template. :)

Re:Time for web applications to grow up

[PCM2]

That's assuming, of course, that you can use the old template. The new versions might contain changes to the modified files that can't be simply copied over.

They might. In practice, they seldom seem to -- Wordpress may change but the APIs seem pretty stable. But, yeah, this is one of the things that makes Wordpress sort of a PITA.

Re:Time for web applications to grow up

[jcam2]

From a technical point of view, this isn't usually possible. On most servers, web applications don't have the permissions to update themselves - the PHP scripts are run via mod_php as the 'httpd' or 'apache' user, while the scripts themselves are owned by whatever Unix account was setup to own and manage the domain. Sure, some hosting services run PHP scripts as the Unix user who owns the domain, but they seem to be in the minority.

The updates are better done by the hosting control panel, assuming that it is one that supports automatic script installation like Virtualmin [virtualmin.com] or Fantastico.

Securing LAMP

[packetmon]

Securing LAMP [infiltrated.net] Mod Security [modsecurity.org] Its so simple a fix with mod_security...

SecFilterSelective REQUEST_URI /admin.php chain
SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg
SecFilterSelective ARG_username YOURUSERNAME chain
SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg

Where your IP address and your username are the only ones to allow anything to the admin page. Anything else gets redirected elsewhere.

Re:Securing LAMP

[Anonymous Coward]

Mod security is a good solution for hosting providers who allow their users to install 3rd party web apps.

It's not much of a solution for anything else. Specifically if you're running your own server, why are you running shit that requires you place sensitive scripts above web root to begin with? Even then why learn another mod_rewrite style config language when you can do something like this...

<?php
# admin.php
 
require_once('/srv/www/secure_php_inc lude/admin_data.php');
 
# This could just as well be in the include
if (in_array($_SERVER['REMOTE_ADDR'], $admin['AUTH_ADDR'])===false)
  header('Location: http://www.infiltrated.net/hello.jpg');
 
# etc...

Even automating it across upgrades is easy... for someone capable of admining their own server.

Re:Securing LAMP

[David Off]

Yes, that is a simple solution for most people and saves having to load up your network stack with mod security. Of course renaming the admin directory/login script will keep 99.999% of hackers out, as well as making it less than obvious that you are running wordpress (remove wordpress from any of the pages). Security by obscurity will keep all the script kiddies off your website and the serious guys are attacking stuff like banks not blogs.

Re:Securing LAMP

[packetmon]

Not always the case. Depending on which PHP CMS you use, many reference admin.php which means you would have to do something like... find . -name "*.php" | perl -pi -e 's/admin.php/newname_of_page.php/g'

Re:Securing LAMP

[Juergen Kreileder]

I only allow access to the admin pages when the client presents a known SSL certificate: Securing WordPress 2 Admin Access With SSL [blackdown.de]

Incomplete headline

[Gothmolly]

Study finds most WordPress blogs vulnerable, content-free

Fixed that for you.

Time to upgrade again

[umrguy76]

At least the WordPress site offers easy to follow directions.

http://codex.wordpress.org/Upgrading_WordPress [wordpress.org]

SQL injection?

[tcopeland]

An article about a Wordpress vulnerability [blogs.com] from last month sounded like a SQL injection flaw, and Secunia has a bunch listed here [secunia.com]. Mostly DOS and cross-site scripting... plus some "unspecified"...

My personal experience...

[Anonymous Coward]

I installed WordPress once. Right after 2.0 came out. I tested it out for a few days and decided I did not like it. However, like a fool, I left it installed. About six months later I rebuilt that particular server and as I was copying over my MySQL database, I found a ton of crap in the MySQL database directory named things like "C:\windows\system32\???.dll" -- obviously the sploit was unaware that I was running a *NIX platform.

Nevertheless, there were a TON of crazy dll and exe files in there that all had timestamp dates AFTER I installed WordPress.

Wordpress

[wumpus188]

The problem with WP that it is a major pain in the ass to update, especially if you're running somewhat customized installation. Besides, most bloggers are not technical people and just use whatever version someone installed for them (or installed by their provider).

Re:Wordpress

[GiMP]

The problem is that even if someone is technical, they're either too busy blogging, or too busy *not* blogging to care. Wordpress has had a lot of vulnerabilities recently, so these results are no surprise at all.

Re:Wordpress - a correction

[cweditor]

Just for the record, as far as I can tell, Wordpress 2.2 was not a security fix. It includes new features and addresses bugs, but I looked through the list of tickets closed in the release of 2.2 and did not see that any security issues were addresses by that newest version. 2.1.3 was a security fix, which users were advised to install promptly (and I did)

2.2 fixes bugs I never noticed and new features I didn't immediately need, so I can see why even good blog administrators might have waited to upgrade this one. I'm not sure BlogSecurity is correct to say 2.2 is the only secure version.

For people using Web hosts with control panels and doing installs and upgrades through a control panel like "Fantastico," the latest version they're offering is 2.1.3.

I agree that Wordpress is a bit of a pain to upgrade if you've done customization. I also like to manually back up my databases before I install a new version. The whole process takes about half an hour if I include the downloading, untarring, killing off files manually, and so forth.

Re:Wordpress - a correction

[dbzero]

But with WordPress you can't be sure there isn't a security fix [sencer.de] in a latest version.

Re:Wordpress - a correction

[mk_is_here]

Run your WordPress using the working copy checked out from the WP repository. Upgrading your blog with a single svn switch command works like charm.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Wordpress

[teslatug]

I use DreamHost, they make updates to WordPress pretty simple.

Better Title/Article:

[Anonymous Coward]

Survey Finds Most WordPress Blogs Useless.

People run old software? Really?

[madsheep]

This will sort of mirror what I've responded with on Full Disclosure. The first issue is that there really are not any details on this "survey" that was done. I am pretty sure I could conduct a survey that had 1000 WordPress blogs where only 1 of them was a vulnerable version. I am not saying there aren't plenty of older/vulnerable versions out there, but I think you get the point. The second issue is that relying on your extraction of a version number does not mean it's actually vulnerable. Patches or other mitigations could be in place.

So if it's news to you that people run old and/or vulnerable software, then this might be something new. Otherwise it's just what I would expect.

what about Blogger?

[slashthedot]

I hope blogger isn't that vulnerable! Perhaps Google is better at security than WP guys.

Re:what about Blogger?

[Cairnarvon]

What? It's not under WP's (or Google's) control if people who run their blogging software themselves don't remember to update often. All WordPress.com blogs are automatically updated to the latest version. This is about people who have a WordPress blog on their own webspace.

This doesn't have anything to do with the WordPress crew sucking at security, just their users.

Not just wordpress

[Anonymous Coward]

Not even just badly written yet inexplicably popular PHP bulletin boards.

It's common for idiots to set up virtual servers and not bother updating any of the software. We should have some form of liability for folks who connect a machine to the internet and fail to patch security vulns in a reasonable time frame. We'd all be better off if virtual servers set up over 2 years ago were patched or removed from the net.

Some perspective please

[rueger]

I'm the first to admit that I would love an automated update for Wordpress - the current manual updates are just enough of a pain that invariably they get delayed.

That said, let's get some perspective on what is described by the author as "a desparate (sic) attempt to try and educate WordPress Plugin developers to some of the common security problems that can occur."

From a quick reading of the guy's postings, these weaknesses really only allow one thing: Admin access to the Wordpress site.

For the vast majority of sites this is really not a life threatening situation - if you're pOwned your best friends might lose access to your archive of cat pictures and right wing political ramblings. Or you might lose the $4.98 a month in Adsense revenue that you're counting on to fund your retirement.

Those sites that actually matter to a business or organization are the ones most likely to be properly updated and backed up.

Not really cause to lose much sleep here....

Quelle suprise!

[nevali]

Clueless people running $software don't keep it up to date! Film at 11!

You either do it yourself and accept the consequences, or find a host with a clue. wordpress.com will even host it for you for the ultra-easy-free option (though they'll charge for extra features).

Just like... well, everything else you might run on a server. Including the OS.

I was hacked...

[TheGreatOrangePeel]

As someone who has just recently been hacked (Druapal 5.1, not WordPress, but I almost went that direction) I can say that I've recently seen my fair share of hacked Wordpress sites (via links to/from referrers) that have been listed as 'defaced' with, "Attack Technics : FTP Protokol" listed on the bragging-rights page. In my particular case it was because my hosting service allows anonymous FTP uploads(?!) with no 'correct' way to disable it (???!!!) -- my solution was to allow 0KB of FTP transfer for anonymous users.

For those whishing to see for themselves and laugh/shutter/worry, etc they can do so by clicking here AT THEIR OWN RISK [turk-h.org].

Re:I was hacked...

[cybermage]

In my particular case it was because my hosting service allows anonymous FTP uploads(?!) with no 'correct' way to disable it (???!!!)

So, this had nothing to do with Drupal, right?

Re:I was hacked...

[TheGreatOrangePeel]

I shure as hell hope so. Before this post and after making the changes to FTP quotas, I had 41 hits from that page and have not been hacked again.

I did make one other change: I moved the install.php file out of my web directory. However my statistics (AWStats) do not show any access to that file for the time period.

I was able to recover well enough with some decent backups (mysqldump) and some help from the Drupal forum.

If I have any more updates on this, I'll be posting them in the drupal forum [drupal.org].

So I read this as...

[moore.dustin]

So Wordpress is not secure and its users do not know how or perhaps do not even care to make it secure. That, to me, means that if WP does not change its delivery and security by default, tons of blogs will be compromised. That therefore means the market will be wide open for a service that has a secure code base that can be updated easily.

Good riddance if that is the case. If they cannot adapt to the needs of its users, they deserve what will come to them, though their users do not :(

It's a trap!

[dsaraujo]

I'm a blogger, but I can see some conflict of interest in TFA.

How did BlogSecurity get this information?

[noshrinkwrap]

The article says:

"BlogSecurity incrementally harvested the WordPress software version from 50 blogs"

What does incrementally harvested mean? How did BlogSecurity obtain the version info from the blogs it polled, and how did they go about picking which blogs to poll?

There seems to be a lot of FUD in this article, and it's quickly cobbled together. There's no discussion on *how* vulnerable each version is. 2.1.3 was released April 3, but is discarded simply because the latest stable version is 2.2. Version 2.2, a major feature update version, was released only 8 days ago, and I imagine many people like me are waiting to upgrade until a couple of updates have passed.

Basing a security statement of frightening, alarming proportions solely on what version software people are using to drive personal blogs without any further research on what specific security holes exist (and how easy they are to exploit and what privileges or access they give) is, in my opinion, FUD.

Re:How did BlogSecurity get this information?

[Anonymous Coward]

How did BlogSecurity obtain the version info from the blogs it polled, and how did they go about picking which blogs to poll?

As a guess, they probably searched Google for the phrase "Powered by WordPress" (in the default template), then pulled the HTML and looked for the following tag in the HEAD segment:

<meta name="generator" content="WordPress $version" />

Comment removed

[account_deleted]

Comment removed based on user account deletion

meanwhile, in other news...

[Anonymous Coward]

100% of WordPress *programmers* can't code secure software.

Remind me again why it's the *user's* responsibility to deal with the problems of junky software?

Apparently, it's possible to write secure programs in PHP (I know, I know, but that's what folks on slashdot say). So what's the dealy-deal? Why don't they fix the bugs in WordPress since it's so popular?

someone set us up the RPC

[Anonymous Coward]

all your blog are belong to us

It should be noted

[Anonymous Coward]

That the 49 blogs weren't running the up to date version. If people would just update the version they were running they'd be safe. Once again you can chalk this up to user error.

yet another vulnerability

[Anonymous Coward]

Pretty much everybody agrees that Wordpress code is mess. One of recent vuln. http://ha.ckers.org/blog/20070524/wordpress-vulns/ [ckers.org]

I'd be happy if my wordpress site gets hacked

[fan of lem]

at least I know it gets some hits.