Slashdot Mirror

← Back to Stories (view on slashdot.org)

WordPress Now Powers 25% of the Web

Posted by samzenpus on from the taking-over dept.

An anonymous reader writes: According to data from W3Techs one in four websites is now powered by WordPress. According to the report: "WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.” Venturebeat reports: "Today is a big day for the free and open-source content management system (CMS). To be perfectly clear, the milestone figure doesn't represent a fraction of all websites that have a CMS: WordPress now powers 25 percent of the Web.

4 of 143 comments (clear)

  1. Re:In other news, the web is at least 24% unsecure by xxxJonBoyxxx · · Score: 4, Informative

    >> Is this a problem of WordPress, or just a popular CMS?

    User enumeration is ON by default in WordPress and it's baked into the design. (There are plug-ins to disable it but most people don't use them.) This is pretty unique among LMSs. WordPress's architecture (which allows the use of old plug-ins) also frequently seems to lead to the reintroduction of helper files that have old vulnerabilities, two of which happen to frequently be "directory browsing" or "internal path disclosure". As for keeping old software up-to-date, that's a problem that all LMS's have to deal with, but there's usually enough on these other WordPress-specific issues on a target site to give your average security person a place to dig in.

  2. Re:User enumeration, seriously? by xxxJonBoyxxx · · Score: 4, Informative

    >> What is the actual risk from user enumeration, especially on a site not about a medical condition?

    It can tell you whether or not the default admin user is still present. It can also suggest what some of the other admin accounts are, since they are often the lowest numbered accounts on WordPress. (e.g., if you delete default admin - user #1 - your new admin is often the name of user #2). It's also a lot of fun for social engineering, particularly if you can crack or create a "mere contributor account" and then convince one of the admins (ferreted out through user enumeration) to promote you to an editor.

    (Remember that WordPress user enumeration isn't classic user enumeration, where you can simply tell if a username is in user or not - it's literally the ability to say "give me user #1, 2, 3....100".)

    >> And how can it be prevented? Do you really want to allow two users to have the same username?

    On a system like WordPress, you always tell the user "yep, I just created that account" during user registration but you use the email address already on file for the existing to send an alert to the first registered user saying "hey, someone just tried to recreate your account - was that you"?

    >> If a user sends a private message to a nonexistent user, what error message strikes the best balance between security and usability?

    Most WordPress systems I've seen don't use comments or PMs or any of that overhead - they're mostly single-user (or all admin) systems for "read only" content. In those cases (most cases?) the dial should be set to "no one needs to know the list of usernames on these systems."

  3. Re:No way by Crashmarik · · Score: 4, Informative

    If you parse the post closely you can see it's weasel worded

    "WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.”

  4. So big and yet... by Jezral · · Score: 3, Informative

    So popular, and yet they still haven't fixed the hugely annoying core issue of emulating magic quotes, even years after PHP itself completely threw out the feature.