2017-09-13: Backdoor Found In WordPress Plugin With More Than 200,000 Installations (bleepingcomputer.com)
According to Bleeping Computer, a WordPress plugin that goes by the name Display Widgets has been used to install a backdoor on WordPress sites across the internet for the past two and a half months. While the WordPress.org team removed the plugin from the official WordPress Plugins repository, the plugin had been installed on more than 200,000 sites at the time of its removal. The good news is that the backdoor code was only found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2), so it's unlikely everyone who installed the plugin is affected. WordPress.org staff members reportedly removed the plugin three times before for similar violations. Bleeping Computer has compiled a history of events in its report, put together with data aggregated from three different investigations by David Law, White Fir Design, and Wordfence. The report adds: The original Display Widgets is a plugin that allowed WordPress site owners to control which, how, and when WordPress widgets appear on their sites. Stephanie Wells of Strategy11 developed the plugin, but after switching her focus to a premium version of the plugin, she decided to sell the open source version to a new developer who would have the time to cater to its userbase. A month after buying the plugin in May, its new owner released a first new version -- v2.6.0 -- on June 21.
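The summary gives a concrete, checkable condition: the backdoor was only present in Display Widgets 2.6.1 through 2.6.3. The script below is an added example (not code from Bleeping Computer, WordPress.org or any of the investigators named above) that reads the standard WordPress plugin header from the plugin's main file and reports whether the installed version falls inside that range. The file path `wp-content/plugins/display-widgets/display-widgets.php` is an assumption about where the plugin lives, not something the report states, and the sample header is constructed for the demonstration.

```python
"""Flag an installed Display Widgets copy whose version is in the backdoored
range (2.6.1 through 2.6.3) named in the report above.

Added example, not code from the report or the plugin's authors.
Assumptions: the plugin's main file carries a standard WordPress plugin
header with a "Version:" line, and it lives at
wp-content/plugins/display-widgets/display-widgets.php (assumed path).
"""
import re
from pathlib import Path
from typing import Optional, Tuple

AFFECTED_MIN = (2, 6, 1)  # first release carrying the backdoor (from the report)
AFFECTED_MAX = (2, 6, 3)  # last release carrying the backdoor (from the report)

# Assumed location of the plugin's main file; pass another path if yours differs.
DEFAULT_PLUGIN_FILE = Path("wp-content/plugins/display-widgets/display-widgets.php")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """Tuple comparison handles 2.6.2 < 2.6.3 and 2.7 > 2.6.3 correctly."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_header(text: str) -> str:
    """Classify a plugin file's contents by its declared version."""
    version = parse_version(text)
    if version is None:
        return "unknown: no Version header found"
    label = ".".join(map(str, version))
    if is_affected(version):
        return f"affected: version {label} is in the backdoored range"
    return f"not in affected range: version {label}"


def check_install(plugin_file: Path = DEFAULT_PLUGIN_FILE) -> str:
    """Check an on-disk install; reports 'not installed' if the file is absent."""
    if not plugin_file.exists():
        return "not installed"
    return check_header(plugin_file.read_text(errors="replace"))


# Constructed sample header, modelled on the standard WordPress plugin header format.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Display Widgets
Version: 2.6.2
*/
"""

if __name__ == "__main__":
    print(check_header(SAMPLE_HEADER))
    print(check_install())
```

A version outside the range only says which release was installed; it says nothing about files that were altered after installation. When the declared version is in the range, or when the history of the install is unclear, comparing the plugin directory against a known-good copy is the stronger check.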
I have pretty much given up at the idea of any somewhat ok CMS. They all are terrible, insecure, or take 6 months to figure out how they work for experienced programmers with clients who want things done yesterday. Drupal was such a nightmare that I never bothered to learn.
It seems easier to write your own code than to use such a system.
Wordpress is a joke. Easy to use but impractical and a great example of why you need an I.T. department to monitor and keep things upgraded.
Try Kirby CMS.
Agreed.
I built my own lightweight framework that I use for my clients projects.
I think it's a tradeoff. Do you need blogs, commenting, authentication, permission systems, easily updatable content by non-technical users, etc? For example, rolling your own authentication system is easy. Rolling your own that isn't vulnerable to DDOS and SQL-injection attacks is a really hard problem that people have already solved within most frameworks or CMS systems. In this case, a CMS might be worthwhile. However, if you just need a couple of static pages that don't require regular changes, then skip it. But if the client can't be bothered to spend the money and time for regular maintenance and security patches, then they should just be directed to a WYSIWYG end-to-end system that offers the whole thing as a managed service.
There is Django and several frameworks that are easy to learn and fairly secure if you know what you are doing. How many sites need all these things CMS provides? If they do then a complex monster like SharePoint might be useful but these are small unless you work for a fortune 500 company.
The people who use Wordpress are small business owners and most customers who want something cheap to setup and forget. Wordpress is defective by design as it doesn't auto update and have all the plugins auto update and b
some people with WordPress don't get shell / ssh
some people with WordPress don't get shell / ssh to the server. So the small business who does not want to pay for that (added costs at some hosts)
And they need to make edits without waiting for some managed service to make even the very small changes.
Has it been 6 weeks since the last WordPress exploit was reported? That shit runs like clockwork.
WordPress is not a CMS, it's a blog script playing dress-up. It was lousy code when it was first vomited forth in 2004, and having not changed much since, is utterly horrendous code now.
I say things like that often, and from experience I know that the only defenses of WordPress that ever get offered are argumentum ad populum canards, "it's so easy" (you chose it for yourself, not based on client needs), and "I
It's not 1980 anymore and coding is commonplace, and with it, bad code. Still, writing bad code is a job that pays the bills for a lot of people who couldn't do better. Wordpress is the fast food of web development... cheap and crappy, but available everywhere and easy to hire/fire for. For most of its uses (blogs and small biz sites), the cost of a Wordpress hack and the subsequent cost to fix it or even re-create the whole thing again from scratch is probably still several times cheaper than hiring a "prope
Next time hire competent staff. Difficult, but possible!
Same here with old WordPress plugins being bought and used to install backdoors in people's sites. One can assume that a tried-and-true plugin would be implicitly trusted which makes this case more unsettling.
