Survey Finds Most WordPress Blogs Vulnerable

BlogSecurity writes "Security analyst David Kierznowski shocked bloggers yesterday with a survey showing that 49 out of the 50 WordPress blogs he checked seem to be running exploitable versions of the widely used software. He said, 'The main concern here is the lack of security awareness amongst bloggers with a non-technical background, and even those with a technical background.' Mr Kierznowski also uncovered recent vulnerabilities in WordPress plugins that ship by default with the software, adding: 'WordPress users developing plugins must be aware of the security functions that WordPress supports, and ensure that these functions are used in their code.'"

Blogs are vunerable?

[iknownuttin]

So, how's a huge problem? If anything, some blogs need to be hacked to have some decent content on them!

Re:Blogs are vunerable?

[speculatrix]

at my previous job there had been a programmer who used the same password for *everything*, and I do mean everything... from the mysql logins (both "root" and regular webapp), web site logins, shell accounts and the ssh passwords needed to move data around!

I discovered he had a blog site, and guess what, his standard password worked on that too, both to login as him and as admin. Whilst tempted, I neither added nor deleted anything on his site, but I *did* go occasionally go through his blog posts and correct his spelling and grammar! He must have noticed because after many months of occasionally tweaking his content, the login finally stopped working. Yes, I'm talking about you, "smurphy" :-)

How do you fix it?

[jshriverWVU]

As a wordpress user how do you fix it? I only blog to keep in touch with family and friend who live out of state. But it's been a fun project, though if it is easily exploitable I'd like to know how to fix it, and not just "you're site is EZly hax0red"

Re:How do you fix it?

[packetmon]

http://www.infiltrated.net/docs/modsecips.html step by step... If its your own server... If not have the admin slap on mod_security for you and add the same rules in my previous post on this page... www.infiltrated.net/admin.php go for it... That's how I add content. There are a lot of variables to prevent against injections, etc.

Block Spam injections

Directory traversal attacks SecFilter "\.\./"

XSS attacks
SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"

SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

Too many times there are clueless admins (not you per se). But this also tends to be one of the grips on the Ubuntu Document people flame me for. If *semi* even experienced admins can't lock a machine down... Imagine when Ubuntu on Dell becomes the next hot thing. Flame as much as you'd like facts are facts

Re:How do you fix it?

Mod security is an even bigger joke than your ubuntu article! No web app should be vulnerable to directory traversal, XSS or SQL injection in 2007. If developers have made these simple mistakes, there's a strong possibility they made others that a band-aid will not fix.

Users should 'fix' wordpress by keeping upto date with the latest stable versions of PHP and wordpress; security is a process and not a product. Personally I wouldn't use wordpress, it may be one of the better written PHP web-apps but unfortunately that isn't saying much at all.

Re:How do you fix it?

[NeoThermic]

With a decent set of rules, mod_security isn't a joke. Who's to say that a nice 0-day won't pop up during that time you've decided to be out of the country? If your site is popular enough, boom, you're exploited before you have a chance to patch. There's a few rules that you can make that are generic enough to stop most basic automated attempts and simple POCs. These could give you enough spare time to patch the required item(s). Don't ever forget that security is an onion concept. Many layers helps, as if someone gets through one, there's another waiting right there. It's like the same reason why cars have seatbelts, airbags and crumple zones. Just one might save you in some instances, but there just might be one day where you're going to need more than just one.

NeoThermic

self-updating

[dr_hooch]

Maybe Wordpress could offer tools to help users better manage updates. Firefox does a great job these days.

Re:self-updating

[Alphager]

Maybe Wordpress could offer tools to help users better manage updates. Firefox does a great job these days. An Application messing up files past my package-management system? Not on my system.

Time for web applications to grow up

[Bogtha]

I think it's about time web applications like WordPress included an update service. Put update notifications into an Atom feed pointing to tarballs incorporating an update script, patches, etc, and label them as security/minor/major. Have the system periodically retrieve them, automatically apply the security updates, and prompt the admin next time he logs in to apply the others.

The only difficulty is that the developers need to have proper release management. No more bundling security fixes into whatever the latest development version is. No more releasing updates that fiddle with styles at the same time as fixing serious bugs. I don't think that's feasible for many web applications, but it's certainly achievable for bigger projects like Wordpress.

I can't think of any web application that does this already off the top of my head. Does anybody know of any projects doing this?

Re:Time for web applications to grow up

[laffer1]

Most applications that do update checks I've used only do so from the administration interface. e107 and jforum both check for updates. (php and java apps) Its possible to do the checks. However, downloading updates means the webapp has to have space to download files automatically. From a security perspective, it seems stupid to add this feature unless the webapp already needs writable space. The update feature could introduce an additional attack vector.

Re:Time for web applications to grow up

[AKAImBatman]

I think it's about time web applications like WordPress included an update service.

It depends on what you mean. Wordpress already tells you when a new version is available. What it doesn't do is automatically install it for you. In the case of PHP apps, this is a good thing. (At least, as far as running a PHP app in the first place can be considered a "good thing".)

Wordpress installations rarely run the vanilla software. Usually the look has been customized by modifying templates and/or plugins have been added to provide new functionality. In order to do either of these tasks, you have to modify the PHP code. Wordpress provides an easy-to-use interface to do this, but it doesn't help anything if you upgrade your system. Your look and customizations will go "poof!" the moment you untar that new version. Thus upgrading is a rather painful process that requires that users backup and reapply all their modifications. That's why no one ever upgrades PHP apps if they can help it. :-/

Re:Time for web applications to grow up

[PCM2]

Wordpress provides an easy-to-use interface to do this, but it doesn't help anything if you upgrade your system. Your look and customizations will go "poof!" the moment you untar that new version.

Actually, this isn't true -- provided you use some common sense about how you customize your Wordpress blog. It doesn't make a lot of sense to go ahead and apply all your customizations to a theme called "default," for example (though I'm sure that lots of people do this). When you go and untar the new version, the "default" theme will be overwritten, as you point out. But if you had taken the time to make a copy of the default theme before you started mucking with it -- into a directory called, I dunno, "mytheme," perhaps -- your theme wouldn't get overwritten by anything in the tarball and your look and customizations would still be there as soon as you upgraded your database.

More of a hassle, I suspect, is that a lot of people run Wordpress on CPanel hosts -- CPanel is a popular server management platform that lets shared hosting customers control their sites without shell access -- and CPanel does not make it particularly easy to upgrade Wordpress. On a lot of hosts I've seen, for example, the function to extract a tarball is configured to never overwrite any files. So far as I can see, the only way to upgrade Wordpress is to rename your current install to a directory called "wordpress-old" or something, then extract the tarball, then copy over all of your modifications by hand using a Web-based file manager. I imagine this is pretty much beyond the capabilities of many Wordpress users. (But then, nobody is forced to maintain their own blog software. I suspect many do it out of a misguided sense of "leet"-ness.)

Re:Time for web applications to grow up

[PCM2]

The default login screen for Wordpress does indeed automatically inform you of new updates. The problem is, it doesn't really seem to explain them properly. If I load it up right now, there's a notice telling me that Wordpress 2.2 was released 9 days ago. If I originally installed Wordpress longer than 9 days ago, this notice should be enough to tip me off that there's a new version available. Nowhere, however, does it explain that the 2.2 release supercedes the 2.1.3 release and that the 2.1.3 release should be considered insecure. In fact, immediately prior to the notice about the 2.2 release is a notice saying that the latest security update to the 2.1.x tree is available. Many people would be willing to upgrade their Wordpress install to get security updates. Fewer, I suspect, would be willing to upgrade to a full point version release just for kicks.

Securing LAMP

[packetmon]

Securing LAMP Mod Security Its so simple a fix with mod_security...

SecFilterSelective REQUEST_URI /admin.php chain
SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg
SecFilterSelective ARG_username YOURUSERNAME chain
SecFilterSelective REMOTE_ADDR "!^YOUR.IP.ADDRESS$" redirect:http://www.infiltrated.net/sorry.jpg

Where your IP address and your username are the only ones to allow anything to the admin page. Anything else gets redirected elsewhere.

Re:Thanks OSS!

[Ynot_82]

Open Source Software - Pointing out gaping-security-holes-that-you-can't-do-much-about -until-the-software-is-updated-in-a-week's-time-by -some-volunteer-on-the-friendly- community-forum-of-said-software you mean that OSS?

Time to upgrade again

[umrguy76]

At least the WordPress site offers easy to follow directions.

http://codex.wordpress.org/Upgrading_WordPress

SQL injection?

[tcopeland]

An article about a Wordpress vulnerability from last month sounded like a SQL injection flaw, and Secunia has a bunch listed here. Mostly DOS and cross-site scripting... plus some "unspecified"...

Wordpress

[wumpus188]

The problem with WP that it is a major pain in the ass to update, especially if you're running somewhat customized installation. Besides, most bloggers are not technical people and just use whatever version someone installed for them (or installed by their provider).

Re:irony?

Is there really a problem if he's running his site on a non-vulnerable version? He's merely pointing out that there are a large number of Wordpress-powered sites out there that are vulnerable. Not ironic in the slightest.

People run old software? Really?

[madsheep]

This will sort of mirror what I've responded with on Full Disclosure. The first issue is that there really are not any details on this "survey" that was done. I am pretty sure I could conduct a survey that had 1000 WordPress blogs where only 1 of them was a vulnerable version. I am not saying there aren't plenty of older/vulnerable versions out there, but I think you get the point. The second issue is that relying on your extraction of a version number does not mean it's actually vulnerable. Patches or other mitigations could be in place.

So if it's news to you that people run old and/or vulnerable software, then this might be something new. Otherwise it's just what I would expect.

Re:Wordpress - a correction

[cweditor]

Just for the record, as far as I can tell, Wordpress 2.2 was not a security fix. It includes new features and addresses bugs, but I looked through the list of tickets closed in the release of 2.2 and did not see that any security issues were addresses by that newest version. 2.1.3 was a security fix, which users were advised to install promptly (and I did)

2.2 fixes bugs I never noticed and new features I didn't immediately need, so I can see why even good blog administrators might have waited to upgrade this one. I'm not sure BlogSecurity is correct to say 2.2 is the only secure version.

For people using Web hosts with control panels and doing installs and upgrades through a control panel like "Fantastico," the latest version they're offering is 2.1.3.

I agree that Wordpress is a bit of a pain to upgrade if you've done customization. I also like to manually back up my databases before I install a new version. The whole process takes about half an hour if I include the downloading, untarring, killing off files manually, and so forth.

I was hacked...

[TheGreatOrangePeel]

As someone who has just recently been hacked (Druapal 5.1, not WordPress, but I almost went that direction) I can say that I've recently seen my fair share of hacked Wordpress sites (via links to/from referrers) that have been listed as 'defaced' with, "Attack Technics : FTP Protokol" listed on the bragging-rights page. In my particular case it was because my hosting service allows anonymous FTP uploads(?!) with no 'correct' way to disable it (???!!!) -- my solution was to allow 0KB of FTP transfer for anonymous users.

For those whishing to see for themselves and laugh/shutter/worry, etc they can do so by clicking here AT THEIR OWN RISK.

So I read this as...

[moore.dustin]

So Wordpress is not secure and its users do not know how or perhaps do not even care to make it secure. That, to me, means that if WP does not change its delivery and security by default, tons of blogs will be compromised. That therefore means the market will be wide open for a service that has a secure code base that can be updated easily.

Good riddance if that is the case. If they cannot adapt to the needs of its users, they deserve what will come to them, though their users do not :(

Re:what about Blogger?

[Cairnarvon]

What? It's not under WP's (or Google's) control if people who run their blogging software themselves don't remember to update often. All WordPress.com blogs are automatically updated to the latest version. This is about people who have a WordPress blog on their own webspace.

This doesn't have anything to do with the WordPress crew sucking at security, just their users.