Slashdot Mirror


WordPress Now Powers 25% of the Web

An anonymous reader writes: According to data from W3Techs, one in four websites is now powered by WordPress. According to the report: "WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites." Venturebeat reports: "Today is a big day for the free and open-source content management system (CMS). To be perfectly clear, the milestone figure doesn't represent a fraction of all websites that have a CMS: WordPress now powers 25 percent of the Web."

143 comments

  1. In other news, the web is at least 24% unsecured by xxxJonBoyxxx · · Score: 5, Interesting

    About 95% of the WordPress sites I've run across have allowed user enumeration, exposed internal paths, or had old software that could be exploited. So...I'd probably say that "25% of all websites are WordPress" really means "at least 24% of all websites are insecure".

  2. Well... by Anonymous Coward · · Score: 0, Interesting

    then 25% of the web is very very very fragile and insecure...

    1. Re:Well... by Anonymous Coward · · Score: 0

      And you haven't done a thing to help me, you insensitive clod!

  3. The End of Days by Luthair · · Score: 2

    is nigh. This is a sign

    1. Re:The End of Days by Anonymous Coward · · Score: 0

      I just see it as the "next Geocities." Not nearly as fun, but at least the standards have risen.

      The question is, will they get comfy enough so that the next generation, made by another company, will replace WordPress? That is going to be fun.

  4. Re:In other news, the web is at least 24% unsecure by MyFirstNameIsPaul · · Score: 5, Insightful

    Is this a problem of WordPress, or just a popular CMS? If the admins aren't doing their job for WordPress, why would they start doing it for some other package?

    --

    I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

  5. We're Number Two! We're Number Two! by 93+Escort+Wagon · · Score: 1

    According to the linked report, 57.4% of websites aren't using a CMS at all. So Wordpress is a distant second to "None".

    --
    #DeleteChrome
    1. Re:We're Number Two! We're Number Two! by Tablizer · · Score: 1

      If you sell a few products or services that don't change very often, you don't really need a CMS. It's cheaper to pay somebody to change static HTML pages every few months than to rent a CMS and pay to keep it patched.

    2. Re:We're Number Two! We're Number Two! by Bert64 · · Score: 1

      No, that's 57.4% where they don't know what the site is using. It could be none, or it could just be something they don't recognise.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:We're Number Two! We're Number Two! by Anonymous Coward · · Score: 0

      Some hosting providers (e.g. Bluehost) keep you patched for free (even themes and plug-ins, if possible), so it's not any more expensive than static files, and it's a lot simpler for not-web-savvy people to get going quickly.

  6. Re:Greasy Yoda Anal Grease Drippings are 25% of We by Anonymous Coward · · Score: 0

    v 4.97.3 - better support than ubuntu.

  7. User enumeration, seriously? by tepples · · Score: 2

    What is the actual risk from user enumeration, especially on a site not about a medical condition?

    And how can it be prevented? Do you really want to allow two users to have the same username? If a user sends a private message to a nonexistent user, what error message strikes the best balance between security and usability?

    1. Re:User enumeration, seriously? by xxxJonBoyxxx · · Score: 4, Informative

      >> What is the actual risk from user enumeration, especially on a site not about a medical condition?

      It can tell you whether or not the default admin user is still present. It can also suggest what some of the other admin accounts are, since they are often the lowest numbered accounts on WordPress. (e.g., if you delete default admin - user #1 - your new admin is often the name of user #2). It's also a lot of fun for social engineering, particularly if you can crack or create a "mere contributor account" and then convince one of the admins (ferreted out through user enumeration) to promote you to an editor.

      (Remember that WordPress user enumeration isn't classic user enumeration, where you can simply tell if a username is in use or not - it's literally the ability to say "give me user #1, 2, 3....100".)

      >> And how can it be prevented? Do you really want to allow two users to have the same username?

      On a system like WordPress, you always tell the user "yep, I just created that account" during user registration but you use the email address already on file for the existing account to send an alert to the first registered user saying "hey, someone just tried to recreate your account - was that you?"

      >> If a user sends a private message to a nonexistent user, what error message strikes the best balance between security and usability?

      Most WordPress systems I've seen don't use comments or PMs or any of that overhead - they're mostly single-user (or all admin) systems for "read only" content. In those cases (most cases?) the dial should be set to "no one needs to know the list of usernames on these systems."
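The registration behaviour described in the comment above, as an added example (not code from the thread or from WordPress): every attempt gets the same reply, and a username clash sends an alert to the address already on file. `Registrar`, `GENERIC_REPLY` and the mail subjects are hypothetical names, and the user table and mail queue are in-memory stand-ins.

```python
import hashlib
import os

# The only text a registrant ever sees, whether or not the name was free.
GENERIC_REPLY = "Registration received. Check your email to continue."


class Registrar:
    """In-memory stand-in for a user table and an outgoing mail queue."""

    def __init__(self):
        self.users = {}   # normalized username -> {"email", "salt", "pw_hash"}
        self.outbox = []  # (recipient, subject) pairs; a real system would send mail

    @staticmethod
    def _normalize(username):
        # Treat "Alice " and "alice" as the same account name.
        return username.strip().lower()

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username, email, password):
        key = self._normalize(username)
        salt = os.urandom(16)
        # Hash on both paths so the "name taken" case is not visibly faster.
        pw_hash = self._hash(password, salt)

        existing = self.users.get(key)
        if existing is not None:
            # Name is taken: leave the account untouched and warn its owner.
            self.outbox.append(
                (existing["email"], "Someone tried to register your username")
            )
        else:
            self.users[key] = {"email": email, "salt": salt, "pw_hash": pw_hash}
            self.outbox.append((email, "Confirm your new account"))

        # Identical reply in both cases, so the form cannot confirm a username.
        return GENERIC_REPLY


if __name__ == "__main__":
    r = Registrar()
    # Constructed sample registrations.
    print(r.register("alice", "alice@example.org", "first-password"))
    print(r.register("Alice ", "someone-else@example.net", "other-password"))
    print(r.outbox)
```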

    2. Re:User enumeration, seriously? by Anonymous Coward · · Score: 1

      the problem lies in wordpress having a default page built in called /author/usernumber/

      for instance, if I try loading /author/1/, wordpress will redirect to /author/username/. An attacker can then issue brute force attacks on said username.

      I put a stop to this in apache with the following (note: I don't run any sites that need to make use of /author/, which displays posts written by an author)

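      RewriteEngine On
      # Outside /wp-admin, send any request whose query string starts with
      # author= back to the site root, dropping the query string.
      RewriteCond %{REQUEST_URI} !/wp-admin.*
      RewriteCond %{QUERY_STRING} ^author=.*$
      RewriteRule (.*) /? [L,R=302]

      # Refuse (403) any request line that mentions wp-config.php.
      RewriteCond %{THE_REQUEST} wp.config.php [NC]
      RewriteRule .* - [F,L]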

      Another rule in this prevents attackers from trying to get plugins to reveal the contents of wp-config.php. Badly written plugins can be told to print almost any file.

      Plugins are wordpress's greatest strength and weakness. The vast majority of plugins are truly terrible. Either badly written, insecure, or use a ton of resources. We run into countless numbers of web site owners complaining of site speed and it always comes down to plugins and badly written themes.

      The other biggest problem with wordpress is that /wp-admin/ and /wp-login.php are known and get completely hammered by bots. They are impossible to stop as bots attack from behind proxies and don't issue attacks from the same ip more than 3 or 4 times. These brute force attempts issue 3 to 4 db queries each and can really put a lot of strain on a server extremely quickly.

      I've tried and failed to raise this issue with the wordpress team. I get shut down with people saying it's a plugin's job to secure the install which is a load of BS. WP needs a builtin feature that lets us change the wp-login and wp-admin paths so that bots can't just randomly attack our sites. WP has had the ability to change the table prefix for the db tables since FOREVER ago. Why on earth would we not get the same security measure against admin and login system?
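A log-side check for the two patterns this comment describes, as an added example (not code from the thread): it flags clients that walk numeric author IDs, and it counts `/wp-login.php` POSTs across all clients per minute, since each address in the comment's scenario stays at 3 or 4 attempts. The log lines are constructed samples in combined log format; the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
AUTHOR_PATH_RE = re.compile(r"^/author/(\d+)/?$")


def parse_line(line):
    """Parse one combined-log-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m["status"]),
    }


def author_id(event):
    """Numeric author ID requested via ?author=N (any parameter order) or /author/N/."""
    for value in event["query"].get("author", []):
        if value.isdigit():
            return int(value)
    m = AUTHOR_PATH_RE.match(event["path"])
    return int(m.group(1)) if m else None


def find_author_sweeps(events, min_ids=3):
    """Map client IP -> sorted author IDs, for clients asking for min_ids or more."""
    seen = defaultdict(set)
    for e in events:
        if e["path"].startswith("/wp-admin"):  # admin screens filter by author legitimately
            continue
        aid = author_id(e)
        if aid is not None:
            seen[e["ip"]].add(aid)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_ids}


def login_pressure(events, window_seconds=60, min_posts=8):
    """Report windows where total wp-login POSTs, summed over all IPs, reach min_posts."""
    buckets = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/wp-login.php":
            buckets[int(e["time"].timestamp()) // window_seconds].append(e["ip"])
    alerts = []
    for bucket, ips in sorted(buckets.items()):
        if len(ips) >= min_posts:
            alerts.append({
                "window_start": bucket * window_seconds,
                "posts": len(ips),
                "distinct_ips": len(set(ips)),
                "max_per_ip": max(ips.count(ip) for ip in set(ips)),
            })
    return alerts


def analyze(lines):
    events = [e for e in map(parse_line, lines) if e]
    return find_author_sweeps(events), login_pressure(events)


def _line(ip, ts, method, target, status):
    # Builds one constructed sample line; addresses are documentation ranges.
    return (f'{ip} - - [{ts} +0000] "{method} {target} HTTP/1.1" '
            f'{status} 512 "-" "constructed-sample"')


# Constructed sample log: one author-ID sweep, one single author lookup,
# one admin-screen request, and 12 login POSTs spread over 4 addresses.
SAMPLE_LOG = (
    [_line("198.51.100.7", f"09/Nov/2015:10:00:0{n}", "GET", f"/?author={n}", 301)
     for n in range(1, 6)]
    + [_line("203.0.113.9", "09/Nov/2015:10:00:30", "GET", "/author/1/", 301)]
    + [_line("192.0.2.44", "09/Nov/2015:10:01:00", "GET", "/wp-admin/edit.php?author=2", 200)]
    + [_line(f"192.0.2.{10 + i // 3}", f"09/Nov/2015:10:05:{i:02d}", "POST",
             "/wp-login.php", 200) for i in range(12)]
)

if __name__ == "__main__":
    sweeps, alerts = analyze(SAMPLE_LOG)
    print("author-ID sweeps:", sweeps)
    print("login pressure:", alerts)
```

In the sample, no single address exceeds three login attempts, yet the one-minute total of twelve is what raises the alert.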

    3. Re:User enumeration, seriously? by tepples · · Score: 1

      WP needs a builtin feature that lets us change the wp-login and wp-admin paths so that bots can't just randomly attack our sites.

      Admin I can understand. But if a WP site has a comment section, wouldn't members of the public need to hit the login page in order to list past comments that they have posted?

  8. Dreamweaver isn't a CMS, and neither is Frontpage by h33t+l4x0r · · Score: 1

    I know those made it in there because they were picked up in the generator meta tag at the site root. That doesn't feel like a great methodology to me, honestly.

  9. Shame by Dracos · · Score: 1

    It's a shame that ignorant designers and pseudo-developers have tricked so many hapless clients into running WordPress because it's easy. "Easy" here actually means that through a celestial confluence of bad architecture, poor development practice, and sly marketing, a third party market for themes sprang into being, with a horde of add-ons written by neophytes who aspire to writing code only as bad as the WP core, their sole source of PHP practices.

    But that's not all. The majority of that monumental-seeming 25% wasn't set up by Joe Hipster for his easily enamored "e-commerce" clients. No, they're deployed via script by phishers and other scammers.

    1. Re:Shame by Tablizer · · Score: 1

      What's the alternative? Our org tried roll-your-own CMS's, and there's just too many features to re-invent to do it well.

      I'd like to see a roll-your-own-cms kit with API's and sample templates to deal with common web needs, but leave the data structuring to the org.

      In other words, we need ready-made features like auto-image scaling (actual, not width=x), non-screwy browser based text editors (like CKEditor done right), user login UI kit, file upload manager, search/index engine, etc. but don't want a certain organizational or content data schema imposed on the org. The database design should be in our control.

    2. Re:Shame by Wraithlyn · · Score: 1

      Check out Silverstripe. It's literally exactly what you just described.

      You define your data structures in nice OOP classes using simple arrays (like $db for simple fields, $has_many, $many_many for relationships, etc), then just hit the URL /dev/build and Silverstripe will make the database reflect the code. (Talk about a deployment/staging dream)

      Then you define your CMS editing widgets by overriding a getCMSFields() function, and away you go.

      Image scaling & manipulation API, check. Beautiful, focused, intuitive admin interface (seriously clients love it) with CKEditor out of the box, check. File manager, search engine, check. Just a really well-written MVC framework with easy DB scaffolding and a polished CMS interface on top. Brilliant lazy-loading ORM syntax. Super clean and infinitely flexible template system. A preview system that actually works. Solid ecosystem of modules.

      Drupal used to be our go-to but Silverstripe has been a real breath of fresh air. Check it out.

      --
      "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
    3. Re:Shame by Tablizer · · Score: 2

      Make the database reflect the code? ORM and MVC? Hell no. Count me out. Those are discredited from last decade.

    4. Re:Shame by Herve5 · · Score: 1

      The majority of the monumental-etc. wasn't set for e-commerces nor phishers.
      It was set by people like me for very simple associative sites, for people only having access to simple servers with only php/mysql, and with just no plugin, only the baseline setup, sometimes with, oh, the second one of the standard appearance templates instead of the first.
      And there is a simple, nonaggressive, neutral reason for that: nothing else was available within these minimal requirements.

      --
      Herve S.
    5. Re: Shame by slazzy · · Score: 1

      Concrete5 is pretty good.

      --
      Website Just Down For Me? Find out
    6. Re:Shame by Wraithlyn · · Score: 1

      Um ok... stick with Wordpress then?

      I thought you were asking for alternatives. I gave you one based on what you described. GIGO.

      It would also be great if you gave reasons for your objections instead of just stating "discredited" like that actually explains anything at all. What's wrong with having the DB reflect the structures you define in code? Works great. Stages great. No downsides. Wonderful solution.

      --
      "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
  10. It makes sense to me by Laconique · · Score: 2

    Its ease of use is second to none and that does matter. It also makes sense, sadly, that its plugin repo is now full of freemium. There's clearly a large market but I hope that the genuinely free and quality plugins will remain. Without them, this number wouldn't be.

  11. The most Flash/Ad friendly site is #1? by Anonymous Coward · · Score: 0

    Shocking!!!!

    https://nakedsecurity.sophos.com/2013/09/27/how-to-avoid-being-one-of-the-73-of-wordpress-sites-vulnerable-to-attack/

    http://www.pcworld.com/article/2919812/attackers-exploit-vulnerabilities-in-two-wordpress-plugins.html

  12. Re:In other news, the web is at least 24% unsecure by xxxJonBoyxxx · · Score: 4, Informative

    >> Is this a problem of WordPress, or just a popular CMS?

    User enumeration is ON by default in WordPress and it's baked into the design. (There are plug-ins to disable it but most people don't use them.) This is pretty unique among LMSs. WordPress's architecture (which allows the use of old plug-ins) also frequently seems to lead to the reintroduction of helper files that have old vulnerabilities, two of which happen to frequently be "directory browsing" or "internal path disclosure". As for keeping old software up-to-date, that's a problem that all LMS's have to deal with, but there's usually enough on these other WordPress-specific issues on a target site to give your average security person a place to dig in.

  13. Re:Greasy Yoda Anal Grease Drippings are 25% of We by Anonymous Coward · · Score: 0

    Like

  14. Re:Greasy Yoda Anal Grease Drippings are 25% of We by Anonymous Coward · · Score: 1

    Plus, it's a better love story than Twilight!

  15. No way by JustAnotherOldGuy · · Score: 2, Interesting

    "WordPress Now Powers 25% of the Web"

    Sorry, I ain't buying it. Yes, there are a lot of WordPress sites out there, but 1 in every 4 is a WordPress site?

    I call bullshit.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:No way by Crashmarik · · Score: 4, Informative

      If you parse the post closely you can see it's weasel worded

      "WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.”

    2. Re:No way by Anonymous Coward · · Score: 0

      why is this down modded? it appears to be a reasonable reaction to the pattern
      of questionable accuracy in /. headlines.

    3. Re:No way by tlambert · · Score: 2

      "WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.”

      58.7% of the 25% they know the CMS on is 14.675% of all web sites.

    4. Re:No way by NaCh0 · · Score: 1

      What that sentence means is that 41.3% of all websites are not using a content management system or they have one that the bot couldn't recognize as a CMS.

      This doesn't change the point of WordPress being used on 25% of all websites.

    5. Re:No way by Anonymous Coward · · Score: 0

      If you parse the post closely you can see it's weasel worded

      "WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.”

      Angle it however you like. Either way, it's still a bucket load of websites running on a platform that seems to be almost deliberately designed to maintain PHP's poor reputation for code quality.

      The Wordpress codebase is an absolute steaming pile of dingo's kidneys. It maintains its popularity by virtue of the huge library of plugins and themes available for it. A fair proportion of those are steaming piles as well, but even those that are well written are still a problem because all those plugins rely on the WP core not changing significantly, which means that the core developers don't stand any chance of ever being able to make any real improvements to the WP code; they can't fix WP without breaking all the plugins, and breaking the plugins would be like killing the golden goose.

    6. Re:No way by gawdonblue · · Score: 1

      60% of the time, it works every time

    7. Re:No way by Anonymous Coward · · Score: 0

      No, this means that 42.6% of all websites use a CMS.

    8. Re:No way by drinkypoo · · Score: 1

      The Wordpress codebase is an absolute steaming pile of dingo's kidneys. It maintains its popularity by virtue of the huge library of plugins and themes available for it. A fair proportion of those are steaming piles as well, but even those that are well written are still a problem because all those plugins rely on the WP core not changing significantly

      And this is why Drupal is better than WordPress. Drupal is not afraid to break modules with every major revision. Yes, that is a PITA in its own way; it leads to people waiting a long time to upgrade because they have to wait for some modules to get updated for the new core, or to having to redesign parts of their website in order to transition to using a different module for the same functionality. But it's also an obvious benefit; security releases still come out for the prior major version, so you can limp it along until you get your site updated, and the upgrade to the new core is actually meaningful.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:No way by Anonymous Coward · · Score: 0

      Another well reasoned argument on Slashdot. People like you are what makes /. suck.

    10. Re:No way by tomhath · · Score: 1

      This doesn't change the point of WordPress being used on 25% of all websites.

      WordPress is used on 25% of the 59% of sites that the bot could detect. You cannot extrapolate anything beyond that.

    11. Re:No way by Anonymous Coward · · Score: 0

      It doesn't say anything about "all websites," only the websites they have statistics for.

      The 42.6% is the percentage of websites known not to use a CMS.

      Think of it like "null" vs. "empty string." 42.6% returned an empty string, there may still be a lot of nulls.

    12. Re:No way by SumDog · · Score: 1

      It's really obvious it's misleading. 25% of the web? Wordpress? Umm...no. No way in hell. That doesn't even sound marginally accurate, or even a good estimate.

    13. Re:No way by laffer1 · · Score: 1

      of the first 10 million websites. Their source uses alexa data.

    14. Re:No way by Anonymous Coward · · Score: 1

      it appears to be a reasonable reaction

      No, it isn't.

      First, it is redundant with GP.

      Second, commenters who feel the need to use "fucking" in every post mark themselves as annoying brats who should be down modded and ignored.

    15. Re:No way by amicusNYCL · · Score: 1

      Then do your own study and show your own data, no one cares about your personal opinion.

      Here's something fun to do: block all requests to wordpress.com and wordpress.org and then go around to news sites and wherever you can think of and notice how many things are broken - images won't load, CSS won't load, etc. A lot more sites are running on Wordpress than you think, regardless of what your "gut" is telling you. It's hard to see it because of how the sites look, but a lot of sites host a lot of resources on Wordpress servers. And, thankfully, reality doesn't depend on whether or not you want to "buy" it.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    16. Re:No way by JustAnotherOldGuy · · Score: 1

      Then do your own study and show your own data

      Errr, no. Thanks for the suggestion, but I have much better ways to spend my time. :)

      And no, I don't buy that "study".

      Sorry if that offends your deeply held beliefs that are mostly based on slashdot posts. lol

      --
      Just cruising through this digital world at 33 1/3 rpm...
    17. Re:No way by amicusNYCL · · Score: 1

      It doesn't offend me, I just notice when some armchair statistician throws out his heavy opinion of some study being "bullshit" based on literally nothing other than the feeling in his gut. Why even bother to post your opinion if you're just going to discount a study and show literally no evidence to the contrary?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    18. Re:No way by JustAnotherOldGuy · · Score: 1

      Why even bother to post your opinion if you're just going to discount a study and show literally no evidence to the contrary?

      Because I feel like it, that's why.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  16. Re:In other news, the web is at least 24% unsecure by phantomfive · · Score: 1

    And I would rephrase it.......25% of websites are absolutely insecure, and 24% are trivially insecure.* Let's be honest, a fully patched and configured WordPress site just means an attacker has to work a little harder to find a vulnerability.


    *Not exclusive....a good portion of the other 75% of websites likely have problems, too.

    --
    "First they came for the slanderers and i said nothing."
  17. i read it as.. by Anonymous Coward · · Score: 0

    1 in 4 sites is hackable and exploitable, run by clueless idiots that think they know what they're doing, or don't realize they *should* be doing something besides running the install script and making content pages, or both (most likely).. let's throw in joomla, another easy target, and call it 1 in 3? hacker's delight, for sure.

  18. good news or really bad news? by bloodhawk · · Score: 1

    considering how many wordpress sites are insecure, unpatched and poorly configured I find this news scary not exciting, especially with how readily available exploits for it are.

  19. Re:In other news, the web is at least 24% unsecure by DNS-and-BIND · · Score: 5, Interesting

    Because other CMS are complete. Wordpress relies on everything to be a plugin. Upgrade your wordpress, break the plugins your site depends on. Even if they don't break right away, there are lots of small problems that can happen later, or only under certain circumstances. Been there, done that.

    Wordpress isn't a CMS for actual people to use. It's a pre-hacked system for people who like tinkering with systems. You want an actual CMS, go elsewhere, and I'm not talking about rival free software platforms.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  20. Going to echo but... by Anonymous Coward · · Score: 0

    So 25% of all websites will be hacked within a week. Yay. Good job. You ran a shitty blog CMS as a website. You got what you deserved!

  21. Because its non-brain-dead software... by Anonymous Coward · · Score: 0

    I've suffered through development on Drupal, and Typo3. Where to begin. Poor/just-plain-wrong/outdated/incomplete documentation. Painfully poor design. There are reasons why Wordpress is winning here. I spent about a year re-writing my own copy of a Drupal book (because even though it was newly released, about 90% of it was WRONG!). An API which was between 6 and 18 months out of date. Code that just didn't work (it's fun fixing code when you are just learning what you need to do). Oh, I'm skilled enough to get everything working, but the code was quite different. And the online documentation was really awful too. "Learn to code drupal!" isn't an answer, it's an excuse, and a bad one. I've written software in a dozen other languages, I've worked with many other API's, and Drupal is sukky at best. Where other API's get out of your way, Drupal insists that you do 90% minutiae, to get 10% that you want, but they go out of their way to make it as painful as possible. And there are limitations. I ran into places where you couldn't change parts of it (and since no one else was trying to change parts of it the way I wanted to, no one could offer assistance except for those who offered "just make your site like everyone else's"). I've studied the hazards of sql injection, cross site scripting, cookie poisoning, cookie forgery, buffer overflows, clickjacking, clearjacking, cross site request forgery, phishing and spearphishing. You can make Wordpress sites secure, it's not that hard. But you have to have something that does what you want, otherwise a lot of the purpose of the site is either unfulfilled or just useless. Wordpress allows you to do what you want, in a straightforward sane way. No stupid hacks, warnings by people "Oh, I wouldn't do that" followed by your reply "is there any other way?" and their reply "no". So some are complaining. They are trying (unsuccessfully) to create CMS's as useful as Wordpress.

    1. Re:Because its non-brain-dead software... by stridebird · · Score: 1

      I have scraped my knuckles badly on drupal versions 6 and 7. I won't ever go near it again, ever. I basically agree with every (comprehensible) thing in your post. Fanboys, facades, false promises and vapourware along with a bunch of seriously obnoxious contributors and deluded neophytes.

      Yeah, it will run a web site. No, it will not run your website.

      Wordpress on the other hand is a great money maker for a dev and can be hollowed out and used in any way you like. Highly flexible once understood, just roll your own theme and plugins.

    2. Re:Because its non-brain-dead software... by drinkypoo · · Score: 1

      Yeah, it will run a web site. No, it will not run your website.

      Having seen all manner of site implemented with Drupal, from 100% flash interfaces for bands and albums and the like backed by its excellent XML-RPC functionality to government websites handling more hits than your mom, I suspect the problem is that it will not run your website. If you're involved, you'll fuck it up.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  22. Re:In other news, the web is at least 24% unsecure by Anonymous Coward · · Score: 0

    At least wordpress has a built-in easy updater. Look at something like zencart in comparison (poor choice for comparison I know, it's just one I know) -- there is basically no way to update it. You need to do a clean install of the files, then manually re-apply all customizations.

  23. Re:Dreamweaver isn't a CMS, and neither is Frontpa by Tablizer · · Score: 1

    One could arguably call Dreamweaver a "static CMS". It has templates and other do-dads for formatting reuse, and has FTP sync-up management.

  24. Wow... by ZorkZero · · Score: 2

    I had no idea there were that many blogs that nobody reads.

    1. Re:Wow... by Anonymous Coward · · Score: 0

      I read that the average readership of blogs is 1 person.

      Of course, that means there must be some blogs that are not even read by their authors!

  25. Re:PHP SUCKS IT IS STUPID AND LAME by Tablizer · · Score: 1

    Yes, but then you won't get all the "cool" hipsters to work on it. NodeJS has a rocket science mystique about it that attracts pioneers and fools alike. I won't comment on what I really think of the technology, but rather address it as a social phenomenon. Getting work done and being "where it's at" may not be the same thing.

  26. Re:In other news, the web is at least 24% unsecure by Anonymous Coward · · Score: 0

    It's a goldmine for those of us who work in security and fixing hacked WordPress websites.

  27. 25% of the _public_ web by Anonymous Coward · · Score: 0

    95% of all web-related software is custom web-apps behind passwords and other security mechanisms. .. so its actually more like 25% of 5% (the public web) resulting in 1.25% of all web-applications.

  28. Re:In other news, the web is at least 24% unsecure by thegarbz · · Score: 1, Insightful

    Wordpress is incredibly easy to set up. I know someone whose computer skills extend to word, excel and a tiny bit of Photoshop who has a domain and wordpress based blog.

    With that kind of low barrier to entry it stands to reason that people will have no idea about security. Some people will say the fault is with wordpress but the reality is wordpress can be set up securely and I'm willing to bet that if it were any other CMS we were talking about the results would be the same.

  29. Re:PHP SUCKS IT IS STUPID AND LAME by phantomfive · · Score: 2

    Yes, but then you won't get all the "cool" hipsters to work on it. NodeJS has a rocket science mystique about it that attracts pioneers and fools alike. I won't comment on what I really think of the technology, but rather address it as a social phenomenon

    Web programming (maybe more than any other area of programming?) goes through trends where one technology then another is hip and cool. It's like butterflies on crack or something.

    I think the reason it happens in web programming especially is because there is no good answer. If you want to do embedded programming, then C/C++ are good answers. If you want to do corporate software, then Java and C# work decently. But for the web, there's not really a good way to build web pages. HTML/CSS are kind of a pain, with incompatibilities abounding. For Javascript, you have to look for the good parts before you see them. Because they are poor tools, it's easy to create a system that appears to be better (not so easy to build one that is actually better, of course).

    --
    "First they came for the slanderers and i said nothing."
  30. So big and yet... by Jezral · · Score: 3, Informative

    So popular, and yet they still haven't fixed the hugely annoying core issue of emulating magic quotes, even years after PHP itself completely threw out the feature.

    1. Re:So big and yet... by olau · · Score: 1

      So popular, and yet they still haven't fixed the hugely annoying core issue of emulating magic quotes, even years after PHP itself completely threw out the feature.

      Well, if you think about it, probably there's no contradiction here - in fact, there may be correlation.

      There's probably tonnes of weird Wordpress PHP out there made by people who aren't expert programmers.

    2. Re:So big and yet... by Anonymous Coward · · Score: 0

      I once was "hired" by a person who wanted a wordpress module. He started off by telling me which plugins needed to work with each other, and then added in a bunch of "requirements" that sounded a lot more like he was trying to get me to buy his product than describe how it worked. When I tried to create use cases which detailed how it might work, he stated he needed "an expert", and gave it to a sysadmin with no coding experience. Two years later, the "under construction" website went down, and his real website never went up.

      Sometimes, using Wordpress as a tool is a symptom of a much bigger problem.

  31. Re:First? by davester666 · · Score: 0

    and now we know why the NSA and criminal organizations have pretty much free rein on accessing whatever data they want...

    --
    Sleep your way to a whiter smile...date a dentist!
  32. Re:Dreamweaver isn't a CMS, and neither is Frontpa by gl4ss · · Score: 0

    sure they are content management systems. they're used to manage content for millions of websites, even for the governments. the content is created, edited and generated from them and in some cases automatically uploaded.. just because they suck doesn't mean that they're not content management systems.

    "A content management system (CMS)[1][2][3] is a computer application that allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface.[4] Such systems of content management provide procedures to manage workflow in a collaborative environment.[5] These procedures can be manual steps or an automated cascade. CMSs have been available since the late 1990s."

    --
    world was created 5 seconds before this post as it is.
  33. no celebration by Tom · · Score: 1

    Every time something becomes too dominant, we should not celebrate, we should worry. Doesn't matter if it's Windows, or IE or Oracle or the iPhone or Apache - we need competition to move and innovate.

    In the CMS world, there is fierce competition, fortunately, but there are also high barriers already. A new CMS system will not be used in many commercial projects, no matter the merits, because the customers know a few big ones and if you don't drop their names, your pitch is out.

    Almost 60% is quite terrible, especially with a project that has always had serious security issues.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:no celebration by Anonymous Coward · · Score: 0

      Every time something becomes too dominant, we should not celebrate, we should worry. Doesn't matter if it's Windows, or IE or Oracle or the iPhone or Apache - we need competition to move and innovate.

      In the CMS world, there is fierce competition, fortunately, but there are also high barriers already. A new CMS system will not be used in many commercial projects, no matter the merits, because the customers know a few big ones and if you don't drop their names, your pitch is out.

      Almost 60% is quite terrible, especially with a project that has always had serious security issues.

      Yep. It's funny how Wordpress is like most of the examples you quoted -- the worst possible platform somehow became the most popular.

  34. Read TFS! by Anonymous Coward · · Score: 0

    "To be perfectly clear, the milestone figure doesn't represent a fraction of all websites that have a CMS: WordPress now powers 25 percent of the Web."

    1. Re:Read TFS! by tomhath · · Score: 1

      You cannot assume that web sites which don't tell you what CMS they use are either not using one or that 25% of them are using WordPress. All you can conclude is that 25% of Web Sites reporting a CMS use WordPress.

      Furthermore, the statistic is meaningless since it doesn't say how much web traffic reaches those sites. It wouldn't surprise me a bit to learn that the vast majority of them are one or two page vanity sites that don't get any traffic at all (other than the occasional bot)

    2. Re:Read TFS! by kristianbrigman · · Score: 1

      The point about the traffic is valid.

      But the actual path to the statistic is:

      - 57.4% of sites reported no CMS
      - 25% of sites reported WordPress
      - From the first, 42.6% of sites reported some CMS
      - WordPress is 25/42.6 = ~58% of all sites that did report

  35. WordPress is good. (I am not joking) by Qbertino · · Score: 5, Interesting

    WordPress is good.

    Ok, stop laughing and hear me out.

    We all know that with all the shitty web-cmses out there, the ones built on LAMP (PHP) are the oldest that actually have a finished and working feature set.
    Show me one non-PHP CMS with the featureset of WP, Joomla, Drupal, EZ Publish or Typo 3, closed source or FOSS. You won't find any.
    PHP and the CMSes built with it are at least ten years ahead of the game in the market they were built for - that's a simple fact that no one can deny.
    And of those, the mess called WP is actually the best that fits every mold.

    - It's primarily a blogging engine - which is what most people want and need anyway.
    - It takes about 3 clicks and ten seconds to move it away from the blogging perspective to a regular web CMS.
    - It's dead simple to install.
    - It uses the hook model (also found in Drupal) to implement features that can be applied flexibly. And while that principle is questionable at best - especially from a performance standpoint - there is no doubt that it is *very* easy to use to implement custom features and setups.
    - The documentation actually exists and is pretty good.
    - The community is massive. It's basically an army of tinkerers fiddling away at extensions and plugins.
    - It has an official full blown mobile management app downloadable for free.
    - It has a large, semi-post-capitalistic hip company backing it and its development. (They all work remote, from around the planet and put their money where their mouths are.)
    - There are popular WP plugins built by people who can't programm - but they work (sort of) and are installed/activated/deactivated/uninstalled within seconds.
    - The architecture is a bizarre convoluted shoddy mess. But you can start tinkering with it within minutes and won't feel bad about it - because, hey, guess what, it's a mess already.
    - Modifying templates and themes in a non-destructive update-safe manner is dead simple. ... and so forth ...

    In a nutshell:
    WordPress is PHP's philosophy carried 1on1 into the application/CMS layer.
    That is why it's so successful.
    And rightfully so.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:WordPress is good. (I am not joking) by drinkypoo · · Score: 0

      Ok, stop laughing and hear me out.

      When I was able to stop laughing, I started to wonder why you suggested WP over Drupal, since nearly all the same stuff applies to it. It doesn't have a management app, but if you need one with WP, then WP is even more pathetic than I thought. I could give a shit what kind of company develops WP, because they do such a very bad job. They are known for their lack of security.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:WordPress is good. (I am not joking) by Anonymous Coward · · Score: 0

      The documentation is pretty poor - the number of times I've had to dig through the source to find what a hook actually did is ridiculous for something supposedly so mature.

    3. Re:WordPress is good. (I am not joking) by Anonymous Coward · · Score: 0

      They do have a fully functional and up to date code reference for you:

      http://developer.wordpress.org/

    4. Re:WordPress is good. (I am not joking) by Anonymous Coward · · Score: 0

      There are popular WP plugins built by people who can't programm

      Or spell.

      Probably because a great many of them are made by people who don't have English as their first language. Or were you unaware that websites, and programmers, exist around the whole world?

      Show some understanding, and try not to be such a dick.

    5. Re:WordPress is good. (I am not joking) by Anonymous Coward · · Score: 0

      >WordPress is PHP's philosophy [slashdot.org] carried 1on1 into the application/CMS layer.

      Wordpress and PHP are both insecure, piles of fucking terrible code that allow people who are otherwise useless with computers to pound on the keyboard for a few minutes and shit out something that looks like ass and is easy as hell to exploit.

      You are 100% correct.

    6. Re:WordPress is good. (I am not joking) by Anonymous Coward · · Score: 0

      Wordpress has a very low barrier to entry. It's very easy for someone with zero knowledge of the web to set up a wordpress site, buy a theme and blog some nonsense. It also has a million plugins for whatever it is you need to do on the web. This is a good thing, but wordpress is not the best system, it's just the easiest.

      As others have pointed out, most of the content on most wordpress sites is static. A wordpress site that doesn't have proper caching (which is to say most of them) is doing a lot of extra work. A much better solution to static blog sites would be to use Jekyll to generate a static site and slap that shit on a cdn, but that requires a little more knowledge and using the command line (unless you use github pages). Static jekyll sites are infinitely faster and inherently secure, but you have to know what you're doing a little.

    7. Re:WordPress is good. (I am not joking) by astro · · Score: 1

      Show me one non-PHP CMS with the featureset of WP, Joomla, Drupal, EZ Publish or Typo 3, closed source or FOSS. You won't find any.

      Plone.

    8. Re:WordPress is good. (I am not joking) by Anonymous Coward · · Score: 0

      Thanks for pointing that out, I hadn't heard of Jekyll.

      For those who want to stick with PHP (or have to), there is an alternative called Phrozn in development.

    9. Re:WordPress is good. (I am not joking) by Anonymous Coward · · Score: 0

      I could give a shit what kind of company develops WP

      You could?

    10. Re:WordPress is good. (I am not joking) by Tablizer · · Score: 1

      piles of...terrible code

      C- tools are the enemy of D tools. Almost all non-trivial software sucks. Quality software is a lucky rare accident. Idealists never get anything done.

      The world changes too fast for up-front requirements to get everything right and still be relevant 15 years down the road. For example, nobody anticipated mobile versions of pages/content when CMS's were being designed, but now they have to deal with them. The future will continue to surprise such that an organic mindset is a better fit than get-requirements-right-up-front.

      Maybe the future has 3D holographic interfaces or direct-to-brain-uploads, or formatted so The Grays can read them, and all the CMS's will have to evolve to handle that.

    11. Re: WordPress is good. (I am not joking) by Anonymous Coward · · Score: 0

      I think you have it backwards. Which of those systems offered Plone's featureset from 2002 in 2014?

    12. Re: WordPress is good. (I am not joking) by Anonymous Coward · · Score: 0

      You write like any of that is a good thing.

      Here's what I read: "Doing things right is HARD and this makes it easy because you don't have to do things right and it's successful because people never want to learn how anything works."

      No wonder the Internet sucks more every day.

  36. Re:In other news, the web is at least 24% unsecure by drinkypoo · · Score: 2

    Is this a problem of WordPress, or just a popular CMS?

    Drupal is also hugely popular, to the extent that it's actually a government favorite, and yet it doesn't have the same kind of holes as WordPress. That's not to say that it's wholly secure; there's advisories for Drupal all the time. But I think also that a different kind of user installs Drupal, one who actually knows their way around a line of code here and there, and one who will keep up with their updates. Even though WP has automatic updates and Drupal doesn't, WP gets exploited far more... even per capita, AFAICT.

    If the admins aren't doing their job for WordPress, why would they start doing it for some other package?

    WP is worse by design so the holes are bigger.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  37. Re:In other news, the web is at least 24% unsecure by keko · · Score: 2

    As someone who had to dig deep into WordPress codebase at some low point in life... there's little admins can do about it.

    Besides, one of the strong selling points of WordPress is its engine for supporting plugins, which is itself a vast ecosystem. In other words, it allows you to run the most terrible pile of code you could ever encounter on the Internet.

  38. Re:Dreamweaver isn't a CMS, and neither is Frontpa by jafiwam · · Score: 2

    sure they are content management systems. they're used to manage content for millions of websites, even for the governments. the content is created, edited and generated from them and in some cases automatically uploaded.. just because they suck doesn't mean that they're not content management systems.

    "A content management system (CMS)[1][2][3] is a computer application that allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface.[4] Such systems of content management provide procedures to manage workflow in a collaborative environment.[5] These procedures can be manual steps or an automated cascade. CMSs have been available since the late 1990s."

    I'd call them CMMS's. Content Mis-Management Systems.

    They lack the fundamental feature of the subject matter though, a database back end with a front end script letting the editors or others make changes with a browser. Regardless of whatever website's definition of it, the core of what people mean by "CMS" is a database and a scripting language running things, and a browser to edit.

    In that sense, only SharePoint counts and that's a many generations later offshoot used with FrontPage sometimes. DreamWeaver doesn't count. IF those tools are used they are to manage the template on top of the script, and not the scripting, and not the database.

  39. Re:In other news, the web is at least 24% unsecure by Anonymous Coward · · Score: 0

    This is a problem with mono-culture. With diversity, the impact of a replicating worm is a lot smaller.

  40. Re:In other news, the web is at least 24% unsecure by Anonymous Coward · · Score: 0

    Well, not to leave Drupal out too much, it did have https://www.drupal.org/SA-CORE....

  41. Re:In other news, the web is at least 24% unsecure by dotancohen · · Score: 1

    Is this a problem of WordPress, or just a popular CMS? If the admins aren't doing their job for WordPress, why would they start doing it for some other package?

    Because for most websites, I've got to pentest from tens of IP addresses to find your vulnerabilities. There is a minimum bar for cracking your site. But if you're running Wordpress I can look at your meta tags and know exactly which exploits will work and what I will get out of them. Even better, I can use DuckDuckGo to find your site and tens of thousands like it, all with doors wide open.

    The difference between Wordpress and a well-built site is the difference between the corner prostitute and Melinda Gates. Somebody will be fucking both of them, but one is available for all to come and do as they please, while the other requires just the right special touch and quite a bit of luck and patience.

    --
    It is dangerous to be right when the government is wrong.
  42. Re:In other news, the web is at least 24% unsecure by drinkypoo · · Score: 1

    Well, not to leave Drupal out too much, it did have https://www.drupal.org/SA-CORE....

    Oh yeah, it's deeply embarrassing when your framework intended to stop SQL injection has a SQL injection hole in it. But it's not quite as embarrassing as being a constant source of infection to the rest of the interwebs because you're so supremely easy to exploit as WP. It also got fixed quite promptly...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  43. Re:In about 25 seconds... by nukenerd · · Score: 0

    Most people who view websites don't even know what Wordpress is.

    I have created websites and did not even know what Wordpress is. I'd heard of it, and just assumed it was some Windows shit.

  44. Why WP over Drupal? by Anonymous Coward · · Score: 0

    At the end of the day, it's all about content. Are you writing and uploading content? Formatting the paragraphs and adjusting images? Content providers hate Drupal because it's cumbersome. Sure, you can help them upload, but try doing it at a place with 1,000 people where there's roughly 50 new content on a daily basis. And imagine them calling about "how come the published page doesn't look like the preview?"

    A website without content is useless. A website with a broken code can still deliver. Virtually all hardware and software these days are shipped with bugs or malformed functions. I believe WordPress falls within this tolerance these days. Drupal may be easier for IT, just as vi is better than Word, but in the end it's about the user.

  45. Re:In other news, the web is at least 24% unsecure by Anonymous Coward · · Score: 0

    I don't know much about wordpress, but I've seen it embedded in enough websites that I've simply marked it as distrusted and blocked it.

    I don't much care what it is, but by the time I started seeing it in a notable fraction of web sites I just assumed it was ads, analytics, or otherwise a privacy/security issue.

    If it's in 25% of sites it has FAR too much presence to trust it; it's like double click at that point.

  46. The people that complain the loudest... by Anonymous Coward · · Score: 0

    ... about software like Wordpress are the ones who produce the fewest viable alternatives. They just like hearing themselves talk.

    1. Re:The people that complain the loudest... by Anonymous Coward · · Score: 0

      The people who rely on base assumptions are the ones who have trouble with rudimentary logic and reasoning skills, and compensate by making baseless assumptions that massage their egos.

  47. Alternative Headline by Anonymous Coward · · Score: 0

    At least 24% of web content and likely much more is totally useless navel gazing.

  48. Re:In other news, the web is at least 24% unsecure by Ice+Station+Zebra · · Score: 1

    Yes, it is better that your plugins contain the sql-injection attacks so the core doesn't have to deal with them.

  49. The Sendmail of the Web... by Anonymous Coward · · Score: 0

    I am not kidding.

  50. Bollocks by The123king · · Score: 1

    Total bollocks

    --
    If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
  51. Powers? How many kWh do they produce? by Anonymous Coward · · Score: 0

    Please try to use words for their correct meanings.

    1. Re:Powers? How many kWh do they produce? by Anonymous Coward · · Score: 0

      Why don't you try using a dictionary?

      power, transitive verb
      1: to supply with power and especially motive power
      2: to give impetus to

  52. Re:PHP SUCKS IT IS STUPID AND LAME by Anonymous Coward · · Score: 0

    "Git 'R Dun!" and secure are pretty much mutually exclusive. Especially when based off PHP, JavaScript, Python or Ruby.

  53. Re:In other news, the web is at least 24% unsecure by Anonymous Coward · · Score: 0

    Why we can consider the internet a 'Target Rich Environment'

  54. Mobile friendly by ZeroWaiteState · · Score: 2

    Just my opinion, but I think the reason for it has a lot to do with the fact that Google changed PageRank to increase visibility of sites that recognize mobile browsers and render accordingly. Getting that to work well is non-trivial, and WordPress makes it easy for the non-technical. For the part of the web where you just want to throw something up and have it render correctly in all browsers and don't want to spend a lot of time on it, you're going to use a CMS like WordPress. I think WordPress is probably going to end up being a vital part of web infrastructure a lot quicker than anyone really expected.

  55. Re:PHP SUCKS IT IS STUPID AND LAME by Anonymous Coward · · Score: 1

    Node.js is about one thing, getting cheap front end developers to do backend programming. It doesn't teach them about databases, algorithms, security or design though. JavaScript is a pain to debug so pushing it into the backend was utter stupidity.

    If you look at the code quality of many node modules, you'll cry. JavaScript developers don't understand backward compatibility. Try using a yeoman install sometime and see what I mean.

  56. Re:In other news, the web is at least 24% unsecure by Anonymous Coward · · Score: 0

    The correct understanding is that like Linux/GNU software suite, it is written by developers for fellow developers.

    Every security problem in Linux, Apache, Wordpress, et al. can be directly traced to default configuration and design choices catering to software development and prototyping instead of production use.

  57. Re: Greasy Yoda Anal Grease Drippings are 25% of W by Anonymous Coward · · Score: 0

    Wow. I think this is way out there

  58. Re:PHP SUCKS IT IS STUPID AND LAME by ProzacPatient · · Score: 1

    I am an experienced web developer who has worked with both PHP, ASP, ASP.NET and ASP.NET MVC.

    In my opinion PHP is very powerful and I enjoy working with it because of how flexible it is but it has a lot of legacy baggage it must carry for the foreseeable future but I don't believe PHP in itself is bad as people paint it but rather it's the inexperienced and the incompetent that give PHP its bad name because they don't write or setup their scripts with security in mind so you end up with all these PHP sites with security holes big enough to fly a 747 jumbo jet through.

  59. Re:PHP SUCKS IT IS STUPID AND LAME by phantomfive · · Score: 1

    Well, I don't consider ASP.NET to be particularly great for web programming either lol

    --
    "First they came for the slanderers and i said nothing."
  60. Same username, different e-mails by tepples · · Score: 1

    give me user #1

    Then we've found the real WTF: sequential assignment of user IDs. Instead of relying on MySQL AUTO_INCREMENT, it should be using random_int(0, 999999999) or the like.

    On a system like WordPress, you always tell the user "yep, I just created that account" during user registration but you use the email address already on file for the existing to send an alert to the first registered user saying "hey, someone just tried to recreate your account - was that you"?

    Consider the following cases:

    1. Someone signs up for a comment account with the username staisy and the e-mail address staisy2p@example.com. This results in the creation of an account.
    2. Someone else signs up for a comment account with the username staisy and the e-mail address ltd@attacker.com. This results in no account being created.
    3. Someone directs 200 people on some image board to sign up for a comment account with the username staisy and different e-mail addresses.

    In each case, what should be displayed, and what mail should be sent? In the second case, sending mail only to Staisy and not to the attacker would indicate to the attacker that the name staisy is in use. And in the third case, sending mail only to Staisy and not to the image board members would flood her inbox.

    Or would it be a better idea to shun usernames entirely, instead relying on the e-mail address as the sole primary key to uniquely identify an author of an article or comment? As far as I can tell, that would imply displaying that e-mail address to the world, including spambots that scrape web sites.

    Most WordPress systems I've seen don't use comments

    If that's true, that might be what I'm missing. I tend to associate the WordPress brand with blogs that have comment sections.

    1. Re:Same username, different e-mails by amicusNYCL · · Score: 1

      Then we've found the real WTF: sequential assignment of user IDs. Instead of relying on MySQL AUTO_INCREMENT, it should be using random_int(0, 999999999) or the like.

      Right, security through obscurity is the obvious solution. If you fix the symptom then it's like the problem isn't even there.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
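One possible policy for the three sign-up cases listed in comment 60 above, added here as an example (it is not WordPress code and not from any poster): the same on-screen reply every time, a mail to every applicant, and at most one alert per window to the existing account owner. The `Registrar` class, the mail kinds, the 24-hour window and the `example.net` addresses are assumptions made for the illustration.

```python
"""Constructed example: sign-up handling that keeps the on-screen reply uniform."""
from dataclasses import dataclass, field

GENERIC_REPLY = "Check your inbox to finish signing up."
ALERT_WINDOW = 24 * 3600  # assumed: seconds between alerts to one account owner


@dataclass
class Registrar:
    users: dict = field(default_factory=dict)       # username -> owner e-mail
    last_alert: dict = field(default_factory=dict)  # username -> time of last owner alert
    suppressed: dict = field(default_factory=dict)  # username -> attempts since last alert
    outbox: list = field(default_factory=list)      # (recipient, kind) pairs, stands in for SMTP

    def register(self, username, email, now):
        """Handle one sign-up request; the returned page text never varies."""
        key = username.strip().lower()
        email = email.strip().lower()
        owner = self.users.get(key)
        if owner is None:
            # Case 1: the name is free, so claim it and mail an activation link.
            self.users[key] = email
            self.outbox.append((email, "activate"))
        else:
            # Cases 2 and 3: no account is created. The applicant still gets a
            # mail, so an empty inbox is not the signal that the name exists.
            if email != owner:
                self.outbox.append((email, "name-unavailable"))
            self._alert_owner(key, owner, now)
        return GENERIC_REPLY

    def _alert_owner(self, key, owner, now):
        """Send the owner at most one alert per ALERT_WINDOW; count the rest."""
        last = self.last_alert.get(key)
        if last is not None and now - last < ALERT_WINDOW:
            self.suppressed[key] = self.suppressed.get(key, 0) + 1
            return
        self.last_alert[key] = now
        self.suppressed[key] = 0
        self.outbox.append((owner, "owner-alert"))


def demo():
    """Replay the three cases from the comment with constructed timestamps."""
    r = Registrar()
    replies = {
        r.register("staisy", "staisy2p@example.com", now=0),  # case 1
        r.register("staisy", "ltd@attacker.com", now=60),     # case 2
    }
    for i in range(200):                                      # case 3
        replies.add(r.register("staisy", f"user{i}@example.net", now=120 + i))
    owner_mail = [kind for to, kind in r.outbox if to == "staisy2p@example.com"]
    return {
        "distinct_replies": len(replies),
        "owner_mail": owner_mail,
        "suppressed_alerts": r.suppressed["staisy"],
    }


if __name__ == "__main__":
    print(demo())
```

The page reply is identical in all three cases and the owner receives one alert instead of 201, but the applicant's mail still differs between a free and a taken name, so this narrows the enumeration channel to people who control a mailbox rather than closing it.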
  61. Re:Greasy Yoda Anal Grease Drippings are 25% of We by Anonymous Coward · · Score: 0

    Maybe you haven't been here that long. It's an evolving copy-paste. It's been around for years now and is probably pretty well established as part of Slashdot's troll culture.

  62. Re:In other news, the web is at least 24% unsecure by Anonymous Coward · · Score: 0

    They used to not have one, until they got such a terrible reputation for security and everyone found out about multiple high level vulnerabilities. Of course, multiple security flaws have been found in the updater as well. Just goes to show, it is really hard to staple on security and features after the fact; they need to be written in from the start.

    Additionally, part of the problem is the reliance on PHP, which also has multiple vulnerabilities and deprecated insecure methods you can still use if you aren't up with what the secure one is or copy+paste old code off of stack exchange or the like.

  63. dont tell the black hats or the NSA by TeddyR · · Score: 1

    The problem is that black hats and the NSA also know this and will be concentrating on wordpress vulnerabilities. Any 0-day vulnerability in wordpress would be devastating.

    --
    Time is on my side
  64. PHP in Practice by Anonymous Coward · · Score: 0

    PHP isn't as bad as you think it is. It's like most other C-derived languages. Yes, you can write a straight PHP script, with bad security practices, no classes, with insecure and badly-written SQL expressions, and get pwned as soon as you point Apache to it. At this point that's actually harder than using a framework and proper practices. Why would you hand-roll input validation, an ORM, or user authentication/authorization if you didn't have to?

    That said, Wordpress is the worst piece of common software in existence, and looking at its code or database schema makes me want to stab my eyes out.

  65. no it's not by Anonymous Coward · · Score: 0

    it's not all about content, and when you get owned, many lulz will be had.

  66. Re:In other news, the web is at least 24% unsecure by Actually,+I+do+RTFA · · Score: 1

    If the admins aren't doing their job for WordPress, why would they start doing it for some other package?

    If your CMS requires a competent admin to be secure, it has no business marketing itself as a turnkey solution.

    --
    Your ad here. Ask me how!
  67. A million hits to get one user by tepples · · Score: 1

    If you have a billion possible user IDs, but only a thousand correspond to users with commenting privileges and only ten correspond to accounts with anything near administrator-level access, an automated online process will have a heck of a time getting through whatever throttling you've already put in place.

  68. Re: Dreamweaver isn't a CMS, and neither is Frontp by Anonymous Coward · · Score: 1

    You could call Dreamweaver a polished turd and you'd also be correct.

  69. Re:In other news, the web is at least 24% unsecure by Anonymous Coward · · Score: 0

    So how was she? All the time and patience worth it?

  70. Re: Dreamweaver isn't a CMS, and neither is Frontp by Tablizer · · Score: 1

    Well, being a PT and being a static-file CMS are not necessarily mutually exclusive, especially since the CMS field is full of PT's, and Un-PT's.

  71. Re:In other news, the web is at least 24% unsecure by dotancohen · · Score: 1

    So how was she? All the time and patience worth it?

    Ask Bill. He always gets the girl!

    --
    It is dangerous to be right when the government is wrong.
  72. Re:Dreamweaver isn't a CMS, and neither is Frontpa by AK+Marc · · Score: 1

    Everywhere I've seen use WordPress use it like frontpage. If FP isn't a CMS, then neither is WordPress for most uses.

    It'd be like buying salesforce.com to use as a shared calendar. It's not bad as a shared calendar. But it's too hard to set up and too expensive for that, so most people who bother to get it would also use the (assumed) CRM functions. But if someone didn't use a single CRM in a CRM, is it still a CRM?

    The same thing applies to WP. The smaller company sites I see using it use it because that's what their web admin requires for content generation because it's easier to administrate (often farming out the actual web site admin to a 3rd party, while generating content in-house - the old analogy being the in-house would use Front Page, and email the page to the web admin, who would admin the server and upload pages to it).

    Stupid, I'd agree. But common, from what I've seen.

  73. Re:PHP SUCKS IT IS STUPID AND LAME by Anonymous Coward · · Score: 0

    You forgot to link to the Fractal of Bad Design diatribe.

  74. In Related News by wisnoskij · · Score: 1

    WordPress has just released that they are changing their name to Skynet.

    --
    Troll is not a replacement for I disagree.
  75. Re: PHP SUCKS IT IS STUPID AND LAME by Anonymous Coward · · Score: 0

    I'm honestly not trying to make fun of you, but if your points of comparison are various ASP versions, then PHP probably does really look great.

    A few years ago, I started a solo project mostly for my own use and thought "I'll use PHP, even though it's shit. Really, it's just /usually/ shitty because it CAN be shitty, not because it /must/ be shitty. I'll do it /right/."

    Well, I'll tell you, after writing the entire thing and running it in production for a few years, I'm re-writing it in Java, just like I should have done initially (I could have used .NET or whatever, too... Java is just my wheelhouse). PHP really is just shit: proper software simply can't really be written in it.

    If you want a guestbook, PHP is your tech. "We want to hear from you" email-style form? PHP is great. But if you want a maintainable, robust piece of software that will grow over time, save yourself a lot of headache and leave PHP alone.

    It just boggles my mind that big sites still use PHP. Does fb still use PHP? I'm not a fb user and I don't even care to check. I know all their real backend stuff (where the money is made) is all Java-based, but I think their fb dot com UI is (or was) all done in PHP. It makes me feel awful for their poor programmers.

  76. Re: In other news, the web is at least 24% unsecur by Anonymous Coward · · Score: 0

    In this case, it's wordpress the software, not wordpress the blog host. Same shit, difficult to recognize.

  77. Re:In other news, the web is at least 24% unsecure by Anonymous Coward · · Score: 0

    I've always thought that automatic updates done via the UI are mostly a bad thing. In most cases, that would mean that the system user handling web requests would need permission to modify all of those core files, which sounds scary to me. I know I have seen people with Drupal installations where they install Drush on the side to do auto-updates via cron as a secure user who owns the Drupal core files.

    Maybe one could set up a module which allowed sending a whitelist of commands to drush from the UI so that updates could be handled securely? This is just a random half-baked thought on my part; and maybe they already do something like this, I only have a limited set of experience with Drupal myself.
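A check for the concern raised in comment 77, added here as an example (it is not Drupal, Drush or WordPress code): list everything under a site root that the web server account could modify according to POSIX mode bits. The function names and the default account name `www-data` are assumptions; ACLs and mount options are not considered.

```python
"""Constructed example: which files under a site root can the web user modify?"""
import os
import stat
import sys


def writable_by(st, uid, gids):
    """Apply POSIX mode-bit rules for a hypothetical user (ACLs are ignored)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        # For the owner only the owner bits count, even if group/other allow more.
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(root, uid, gids):
    """Return sorted paths (relative to root) that the given user may modify.

    Writable directories are reported too: write access to a directory is
    enough to replace the files inside it.
    """
    hits = []
    if writable_by(os.lstat(root), uid, gids):
        hits.append(".")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # link permissions are meaningless; targets are judged on their own
            if writable_by(st, uid, gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def main(argv):
    """Usage: audit.py SITE_ROOT [WEB_USER]   (WEB_USER defaults to www-data, an assumption)"""
    import pwd  # Unix only

    root = argv[1]
    user = argv[2] if len(argv) > 2 else "www-data"
    entry = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, entry.pw_gid))
    hits = audit(root, entry.pw_uid, gids)
    for rel in hits:
        print(rel)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a site that updates itself through the web UI the list covers the core files; with updates run from cron by a separate owner, as the comment describes, it should shrink to the upload and cache directories.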