Attacks On WordPress Sites Intensify As Hackers Deface Over 1.5 Million Pages (bleepingcomputer.com)
An anonymous reader writes: "Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains," reports BleepingComputer. "Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, who said four groups of attackers defaced over 67,000 pages. The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm WordFence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war." Making matters worse, over the weekend Google's Search Console service, formerly known as Google Webmaster, was sending out security alerts to people it shouldn't. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners (vulnerable to the REST API flaw), but some emails reached WordPress 4.7.2 owners, some of whom misinterpreted the email and panicked, fearing their site might lose search engine ranking.
Re: (Score:1)
Don't worry, a fully autonomous self driving car is just a software problem.
Re: (Score:2)
Nope. They won't blame their precious 5$ web hosts. Instead, for some reason I still struggle to grasp, they will instead blame the web coders they didn't hire, who warned them not to use WordPress in the first place, as well as "all versions of PHP itself," regardless of host configuration.
Re: (Score:1)
I don't know buddy. I've never had problems with ASP or ColdFusion. Tens of thousands of users at a time, and they work just fine.
The reason I hate WordPress is PHP. (Score:4, Insightful)
Just why did PHP become so popular, anyway? I really don't see the attraction. Now WordPress would be a wonderful thing, if only they'd ditch the PHP. It would be a little harder to customize and extend, but far from impossible. Worst case, we could supply a scripting language ONLY for custom extensions. Basically a macro language. Python's embeddable.
(No, I don't consider a widely used API to be a custom extension. That's part of the core.)
More opinion: in a production system, scripting languages and macros should be only for custom extensions, and never for core code. There should never be scripts BEHIND an API. If WordPress were written in a compiled language and run as a binary, it would be less easy to hack. But not C. Those damn pointer arithmetic exploits...
Re:The reason I hate WordPress is PHP. (Score:4, Insightful)
Everything you said is more or less true, but, the bigger problem is that WordPress and many other software packages are written by people who are just plain incompetent and/or stupid. They either don't give two shits about security or are to stupid to figure it out.
Which is why they use PHP? (Score:2)
I tried WordPress for a while, and I tried some PHP coding. I'm a tad bitter.
Re: (Score:2, Funny)
"or are to stupid to figure it out"
It's 2. You want to spell it "2 stoopud".
Re:The reason I hate WordPress is PHP. (Score:5, Insightful)
The flaw was specifically made possible by PHP's eagerness to convert malformed strings to best-guess integers instead of raising an error like any sane programming language. You didn't read TFA [sucuri.net], did you?
Parent is mostly correct, except where he lumps together all "scripting" languages. This isn't a problem with "scripting" languages, it's a problem with languages like PHP that were designed by people who had no idea what they were doing. Worse, PHP is designed to be deployed in a way that encourages mistakes (PHP files directly in the webroot). PHP security is a game of whack-a-mole where if you forget to whack all the moles in one of your scripts, your site is toast. This wouldn't have happened with a sane scripting language, like Python.
$ php7.1 -r 'echo (int) "123test";'
123
$ python3.5 -c 'print(int("123test"))'
Traceback (most recent call last):
File "<string>", line 1, in <module>
ValueError: invalid literal for int() with base 10: '123test'
Re: (Score:1)
joomla is just as fucking broken and riddled with security holes as wordpress is.
Re: (Score:2)
Oh, I agree that JavaScript is full of WTFs. Not nearly as many as PHP, but plenty going around. I wouldn't write a web backend in node.js either, even though many people seem to think that's a good idea.
Joomla is just as bad as WordPress. I just spent last weekend cleaning up a compromised server that was running an outdated Joomla version managed by other people. Ended up sandboxing it in a VM to make sure that if it gets pwned again it doesn't start sending spam nor has access to any sensitive informatio
Re: (Score:3)
I don't agree. A good language keeps you from shooting your foot off even if you are inadvertently aiming at it. How many of PHP's arcane rules must a programmer keep in mind? Must s/he constantly use PHP to keep the rules in their head so as not to trip over them? A good example of how to do it right is Haskell. The typing system is a bitch, but you won't get away with any inadvertent type casts.
Re: (Score:2)
That's stupid.
Look at the way Java/C# make it impossible to dereference null or exceed array bounds. You can say C programmers are just being clumsy, but look at the consequences: buffer-overrun issues are still a continuing problem... in C programs. Not in Java. Your blame game gets us nowhere. Engineering solutions do.
You really have to give Java/C# some credit: their design categorically eliminates those categories of bugs.
(And yes, they pay a performance cost for this.)
Re: (Score:2)
That premise is nonsense. By your definition, there is no stupid design, as long as it is accurately documented.
Just because it's documented doesn't make it not stupid. There is such a thing as the principle of least surprise. PHP almost seems to try to be as surprising as possible, in all the wrong ways.
Re: (Score:3)
Like everything if you RTFM it works as described. If you are coding PHP you would know this behaviour.
I disagree that most or even many PHP programmers know this issue. A few months ago I demo'ed an exploit in code that a coworker wrote which had the same flaw, this time in comparing MD5 hashes. He had been using PHP for all of his professional career and had no idea how PHP compares strings with leading digits.
Of course, I only knew about the issue because of a similar bug that I wrote, sometime a bit over a decade ago. At that time I had been using PHP for over five years.
So the maxim "know your tools" st
Re: (Score:2)
String comparison in PHP is broken between two strings. Nothing to do with types. You can't compare two strings with ==, it doesn't work properly (it works most of the time and becomes a security hole when you least expect it). Since clearly you think PHP is the bees' knees and documentation is everything, of course you knew this, right?
Now tell me in what universe it is reasonable for the == operator to be unable to compare two strings correctly.
Re: (Score:2)
IIRC, early php inherited some features from Perl, including logic to convert scalars to numbers I'm guessing.
Perl has the same subtle problem, but at least you'll hear about it if you follow best practice and enable warnings:
Conversion is not validation (Score:2)
Value conversion isn't necessarily the same as validation. If you want validation, then use validation operations. Use the right tool for the job.
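As an added example (not code from the thread and not WordPress's own), the comparison pitfalls raised in the (int) cast comment, the MD5 comparison comment and this one, each beside the validation operation that avoids it. The behaviour described in the comments is PHP 7.x (PHP 8 changed int-to-string comparison), and every value is constructed for illustration:

```php
<?php
// Added example, not from the thread: PHP 7 loose comparison pitfalls next
// to their hardened forms. All sample values below are constructed.

declare(strict_types=1);

// 1. Conversion is not validation. Under PHP 7, a string compared with an
//    int is first converted with the same leading-number rule as (int),
//    so "123test" is treated as 123 and this check accepts garbage input.
function loose_id_check(string $input, int $expected): bool
{
    return $input == $expected;
}

// FILTER_VALIDATE_INT returns false unless the whole string is an integer,
// and the strict comparison never juggles types.
function strict_id_check(string $input, int $expected): bool
{
    $id = filter_var($input, FILTER_VALIDATE_INT);
    return $id !== false && $id === $expected;
}

// 2. Comparing digests with == is a numeric comparison whenever both
//    strings look numeric: "0e..." parses as 0 times a power of ten, so
//    two different hex digests of that shape compare equal.
function loose_hash_check(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// hash_equals() (PHP >= 5.6) compares byte by byte in constant time and
// does no type juggling, which is what a digest comparison needs.
function strict_hash_check(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Constructed inputs: one valid id and one with trailing garbage.
foreach (['123', '123test'] as $in) {
    printf("%-9s loose=%s strict=%s\n", var_export($in, true),
        var_export(loose_id_check($in, 123), true),
        var_export(strict_id_check($in, 123), true));
}

// Constructed digests: different bytes, both of the form 0e<digits>.
$stored   = '0e12345';
$supplied = '0e99999';
printf("loose hash check:  %s\n", var_export(loose_hash_check($stored, $supplied), true));
printf("strict hash check: %s\n", var_export(strict_hash_check($stored, $supplied), true));
```

Run it with a PHP 7.x interpreter to see the loose checks pass for '123test' and for the mismatched digests while the strict ones reject both.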
Re: (Score:2)
Except Python is 4 years older than PHP.
Re: (Score:2)
Not entirely a troll. Some languages make it easier to have terrible consequences for a minor error than others. Some are more likely to complain and error out when something that looks like a mistake happens.
In this case, deciding that int('123test') = 123
Re: (Score:2)
Brainfuck is clearly documented. Heck, it's so simple you can explain it in about two sentences. It is trivial to write a bug-free Brainfuck interpreter. You can even compile it to C.
Does that make Brainfuck a good language to write a website in? No, no it doesn't.
Re: (Score:2)
It is clearly documented that putting your hand in a spinning saw blade will cause severe injury, but we still have a blade guard.
Re: (Score:1)
> Just why did PHP become so popular, anyway? I really don't see the attraction.
You've heard the expression, "good, fast, cheap - pick two"?
PHP is fast and cheap.
Re: (Score:3)
PHP was slow as molasses until recently, and cleaning up compromised servers after you get pwned isn't cheap, nor is maintaining a legacy code-rotting PHP codebase, which is what PHP encourages.
PHP became popular because it was easy back when the dynamic web was getting started and people just wanted to write quick hacks. By the time people realized it was a terrible idea we had legions of PHP coders who thought they knew what they were doing, and tons of PHP frameworks evolving from toys to something that
Re: (Score:2)
> PHP was slow as molasses until recently, and cleaning up compromised servers after you get pwned isn't cheap, nor is maintaining a legacy code-rotting PHP codebase, which is what PHP encourages.
The AC is actually correct. The term good-fast-cheap usually refers to the Project management triangle [wikipedia.org], which is not the same as what you are thinking. It does not really apply to the maintenance part. Though, it partially applies to running speed (quality of the product).
LAMP rules. Get over it. (Score:2, Insightful)
> The reason I hate WordPress is PHP.
LAMP rules. Get over it. Yes, PHP is awkward (said it myself [slashdot.org]) and I don't particularly like it that much either. But show me another web PL that does what PHP / LAMP does.
Hello World in PHP is "Hello World." There. Done. Upload a bunch of PHP files on to a LAMP setup, type in the URL in the browser and watch magic happen. No compiling, no appserver to babysit 24/7, no race conditions. Pure simple stupid procedural turing complete web template logic with some nifty utility
Re:Great. (Score:5, Interesting)
The only secure way to use WordPress is as a static site generator, where the live version is deployed with no dynamic functionality and the administration backend is secured by a layer above WordPress (e.g. HTTP BASIC authentication).
WordPress isn't particularly terrible code, but it is written in a particularly terrible programming language where it's practically impossible to write something secure because things are insecure-by-default and you're expected to defend against all the gotchas explicitly.
Re: (Score:2)
Wordpress isn't terrible code, but it is terribly well thought through from a security point of view. Think of it like design decisions in Windows XP which lead to most users logging in as Administrators. Wordpress's killer feature is its extensibility. This allows a LOT of crap code to come into Wordpress installations due to no fault of its own.
I remember my own Wordpress site turning into a spammachine. I had the entire administration system locked away to only allow access from a local IP address. I h
Re: (Score:1)
You should patch it to /dev/null. It’s the only way to be sure.
Plea for simplification: static HTML (Score:5, Insightful)
It is absurd how much computing power is wasted on dynamically generating what is effectively static content, like blogs.
A simple blog should not require an SQL database and complex software stacks that are executed whenever someone visits the site.
Instead, consider using a static website generator like Pelican [getpelican.com], or one of the many alternatives [staticsitegenerators.net].
Write articles and blog posts in a simple, human-readable markup language such as Markdown or ReStructuredText.
Manage your documents in git. Run the generator to recreate the HTML and update Atom/RSS feeds.
The resulting website is blazing fast and can be hosted on dirt cheap servers.
More simplicity on the Internet please.
Re: (Score:1)
Simplicity on the internet only works for intelligent people who understand how the internet works. Stupid people need gigabytes of hand-holding frameworks to accomplish anything.
Ironically, git is too complex for actual gits to use.
Re:Plea for simplification: static HTML (Score:4, Insightful)
This.
The irony is that any WordPress site getting any reasonable amount of traffic is already using WP-Super-Cache... which generates static HTML pages for public content to be served directly from the web server. So they get the worst of both worlds: caching issues and a dynamic backend that is still just as susceptible to exploits as without the cache.
Re:Plea for simplification: static HTML (Score:5, Insightful)
You say this as someone who knows what they are doing. Markdown? Restructured text? Git? You've just gone beyond the expertise of 99% of blog writers out there.
Wordpress's killer feature is not that it dynamically renders content, it's that it allows a complete idiot to dynamically generate it.
Remember the alternative? Remember people typing word documents and saving them as HTML files? If you don't provide a dead simple online WYSIWYG editor with instant publish features and without the requirement to install software on a machine, any proposal you come up with is DOA.
Re: (Score:2)
But it does look prettier...
Re: (Score:2)
> It is absurd how much computing power is wasted on dynamically generating what is effectively static content, like blogs.
> A simple blog should not require an SQL database and complex software stacks that are executed whenever someone visits the site.
I absolutely agree with this...in theory.
> Instead, consider using a static website generator like Pelican [getpelican.com], or one of the many alternatives [staticsitegenerators.net].
Okay, let's do that. Hrmm...not in Softaculous, or the other one-click install options at Godaddy or Hostgator. That's annoying, but it's only one time, so let's check the website...Hrmmm...no 'download' area from the front page...documentation I guess? Great! They have an install instructions area! ...that is full of CLI installation commands and doesn't provide a download link at all for shared hosting environments. Also, while PHP support is near-universal on shar
I almost believed in WordPress (Score:5, Interesting)
I subcontract with marketing companies so I work with some aspect of WordPress development on a daily basis. The standard groupthink from WordPress evangelists is that the security problems are behind us -- that WordPress core hasn't had a serious vulnerability in years, core has a review process, blame your out of date installations and inexperienced plugin developers.
For those not in the know, the REST API is something new to wordpress. Developers could get early access through a plugin, but the API now comes included with WP4.7. There is so much buzz and excitement, even among wordpress people who have no idea what REST really is, that few people questioned it, because this meant WordPress can now take over the world.
I for one questioned it. When I saw REST enabled in 4.7 without a control to disable it my literal reaction was "Are you FUCKING kidding me???" I have experience in security. I understand attack surfaces. I have seen what a fiasco xmlrpc.php attacks are to wordpress. And these idiots open REST APIs to the internet by default? Jesus fucking Christ, I really don't think Matt Mullenweg or any of the other idiots running the WordPress show have any ability to learn from history.
Sadly, there is no evidence of other CMS's surpassing WP in popularity. You should get used to WordPress continuing to be the sendmail of php apps.
Re: (Score:2)
Drupal is written in PHP and features a REST API yet for "some" reason is compromised something like an order of magnitude less than WP. Oddly, when I was choosing between them, the WP install failed with a cryptic error and the Drupal install worked perfectly. Saved by fate!
Re: (Score:2)
Drupal does have its advantages and security is one of them. Its biggest disadvantage is that with every major release the core developers change large chunks of API so any add-on you are using has to be upgraded to a stable condition before you as a website maintainer or developer can move forward. After X major rewrites of their plugin because the Drupal developers decided method Y was now the best way to go, many plugin developers give up - understandably - leaving you with no upgrade path if you were
Re: (Score:2)
Kudos to you. I did a quick survey of most of the checked modules in our site outside core. Drupal 8.0.0 was released November 19, 2015 according to Google and close to 60% of the modules we have in use have no D8 equivalent. A few have something at some stage of development, but nothing at even an alpha or beta release level. Some that do have D8 equivalents are only at alpha or beta stages.
The core developers do Drupal. The plugin developers generally work on drupal modules as a sideline or fun project.
Re: (Score:3)
> I subcontract with marketing companies so I work with some aspect of WordPress development on a daily basis.
Doing agency work in the last few years I know my colleagues struggled with the process of managing WordPress within source control. If we built a website for someone based in WordPress we'd deploy it - but then if the customer upgraded it or installed a theme or something it would instantly be out of wack with what was in source control.
Managing the site in source control from there was a bit of a pain as you'd have to download the new version, add new files, commit differences, etc - every time there was
Re: (Score:1)
You should only put the theme and any plugins you wrote under source control. There's no reason to track the parts out of your control.
It also used to be the case that if the auto-updater detected source control on core, it would disable auto-updates.(manual updates initiated from the dashboard still can happen)
Dynamic content + shoddy plugins + monoculture (Score:4, Insightful)
Defaced already (Score:1)
The site is already defaced as soon as WordPress is installed.
So what alternatives do you suggest? (Score:2)
You've established that WP is not the solution. What do you suggest as a solution for less than tech savvy users who want to create good looking, fast, secure web sites?
Re: (Score:1)
There's not a great solution, only imperfect options.
They could use a managed website platform like SquareSpace [squarespace.com].
Or if they need WordPress, a less than tech savvy user can hire a professional management service like WP Site Care [wpsitecare.com] or OnSiteWP [onsitewp.com].
Re: (Score:2)
If you aren't able to hire someone with two clues to rub together (which is hard and expensive), use something that produces static websites. Unless you are hosting forums or something else that specifically requires code to do the work (like maybe, a comments section), there is zero reason to use a CMS.
In the old days Dreamweaver was The Thing. You can still use it, or various similar tools (eg: Flux on OSX) to create very beautiful but static code-less sites. If you have a lot of content that requires s
Security through obscurity not so bad? (Score:4, Interesting)
We all ridicule people who rely on security-through-obscurity. Incidents like this should make us take another look at that sentence: While we shouldn't rely on obscurity for protection, we shouldn't forget that it does help. Major platforms like WordPress are lucrative targets for hackers, who will spend a lot of energy searching for weaknesses they can exploit.
Using some lesser-known platform, or even rolling your own, makes you a less interesting target. Sure, you may (will!) have other vulnerabilities, but far fewer people will be hunting for them. This is a not-inconsiderable advantage.
Re: (Score:2)
> Using some lesser-known platform, or even rolling your own, makes you a less interesting target. Sure, you may (will!) have other vulnerabilities, but far fewer people will be hunting for them. This is a not-inconsiderable advantage.
It's not an advantage since people are going to play all the same attacks against all the sites regardless of what they claim to be running, and since you are not a whole team of people you will almost certainly make several of the same mistakes and get owned anyway. If you don't know what you're doing when it comes to security, you are almost certainly going to do a worse job even than Wordpress, let alone Drupal. (Wordpress has a new major hole every other week; Drupal has only had a few of them total.)
Re: (Score:1)
My client just uses an ancient version of Wordpress that doesn't have the API feature yet - practically unhackable ;-)
That's less than 1.5 percent. No big deal really. (Score:2)
Since WordPress runs more than a fourth of the entire web (110+ Million Websites), 1.5 Million infected sites isn't all that much. Yes, WP is a mess and could use a redo, but then most legacy systems could, so what gives? WP is popular, is exposed via port 80 all over the planet and thus is a big fat juicy target. I'm glad Automattic (WordPress Corp.) is alive and well and doesn't try to be anything else than the herald of WordPress and its (small) business arm and does its dues by keeping up with patches
Which is right? (Score:2)
Funny how the URL says 15 million and the article says 1.5 million.
https://it.slashdot.org/story/... [slashdot.org]
Has Slashdot been defaced too?
WP auto-patching should have mitigated this better (Score:3)
So I have five separate personal WordPress sites for testing/hacking/tinkering and casually look after one for a friend. Every single one of mine updated on the day the patch for this problem was fixed.
I got email notifications from each of my sites notifying me they were updated before I heard about the problem. I read the WP blog post about it and thought "shit, that would have been a huge problem if my sites hadn't auto-updated!" and forgot about it completely.
(Incidentally, the next night I had a much, much higher than normal number of brute force login attempts. Not sure if related.)
I'd be very interested to find out why these 1.5m sites did not automatically update. I wonder if they're being manually updated or what the deal is. But if auto-patching worked as it was supposed to this vulnerability would have been mitigated much more quickly.
Re: (Score:2)
WP auto-updating does have its risks of course - we've seen WP 4.7 introduce this big vulnerability for example (though I believe you can hold back these "major" updates and do them manually). Plus a lot of admins would prefer a scheduled time/day to update - it seems that by default auto-updating is fairly random w.r.t. its scheduling. Plus you'd want to update dev/UAT first before live in case there is breakage. Also, as far as I know, WP auto-updating by default doesn't backup the Web tree/DB first and ha
Re: (Score:2)
In my experience, the answer is "custom code and plugins". If you're running a bog standard Wordpress install with Akismet, FormNinja, Gallery, and a handful of the other top-20 plugins, auto-update is just fine and won't bother you at all. If you have a lot of custom layout code, or specialized plugins that are mission critical but not regularly updated, updating Wordpress can break them, thus breaking the website. Yes, it's stupid. Yes, this situation should not be the case. However, you asked thy people
/readme.html doesn't show exact WP version (Score:2)
Don't rely on /readme.html to show you the exact version any more for a recent WP install. They seem to have knocked off the third field, so versions 4.7, 4.7.1 and 4.7.2 all now say "4.7", which might scare someone into thinking they're still on the vulnerable 4.7.
Of course, you can log into your WP admin interface and find the exact version there, plus it's also present as the $wp_version variable in /wp-includes/version.php if you have access to the Web tree filestore.
Umm, peer review? (Score:1)
A developer's peers will generally know whether they provide good value or not. When preparing to do a performance review of a developer, ask for feedback about that developer from other developers on the team (and other co-workers they interact with on other teams).
Re: (Score:1)
Duh, sorry. Posted to the wrong story. :(
it’s fuckwits all the way down (Score:1)
Any web software or web developer who seriously uses the phrase “REST API” possesses by definition an understanding of how the web is meant to work that is 100% complete and 100% wrong. And security is 10,000% more difficult to learn and implement correctly than HTTP is, so why anyone still trusts either one to such know-it-all idiots is entirely beyond me.
Re: (Score:1)
APi, with a small i ?
Take out their families!
Re: (Score:1)
Seriously, the web is not an "API" at all, it's a distributed data graph: a giant state machine where the only permitted operations are reading state, changing state, and introspection, and data transfers are automatically transcoded to whatever representation is most mutually agreeable to client and server. Everything else—information access, emergent behavior, evolutionary flexibility and robustness—is defined and shaped by a handful of ridiculously simple, totally uniform, interaction rules o