Attacks On WordPress Sites Intensify As Hackers Deface Over 1.5 Million Pages

An anonymous reader writes: "Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains," reports BleepingComputer. "Initial attacks using the WordPress REST API flaw were reported on Monday by web security firm Sucuri, who said four groups of attackers defaced over 67,000 pages. The number grew to over 100,000 pages the next day, but according to a report from fellow web security firm WordFence, these numbers have skyrocketed today to over 1.5 million pages, as there are now 20 hacking groups involved in a defacement turf war." Making matters worse, over the weekend Google's Search Console service, formerly known as Google Webmaster, was sending out security alerts to people it shouldn't. Google attempted to send security alerts to all WordPress 4.7.0 and 4.7.1 website owners (vulnerable to the REST API flaw), but some emails reached WordPress 4.7.2 owners. Some of which misinterpreted the email and panicked, fearing their site might lose search engine ranking.

Ugh

...software.

Re:Ugh

Don't worry, a fully autonomous self driving car is just a software problem.

Wordpress the first open source failure... it is t

Another good idea, just another bad execution. im sure folks will place the middleman at fault.

Predictable

That's what you get when you rely on a huge framework/CMS/whatever just to make a blog. You get vulnerabilities in features you'd never use.

The reason I hate WordPress is PHP.

[Larsen+E+Whipsnade]

I could harsh on PHP until the cows come home, but that would be annoying. So I'll just say that this sort of security problem shows that it's impractical to write anything secure in PHP. Why? Mainly because it adds a layer of complexity atop compiled binary, and it adds source code access once a hacker has got past a certain level, and... oh, it's just all kinds of insecure.

Just why did PHP become so popular, anyway? I really don't see the attraction. Now WordPress would be a wonderful thing, if only they'd ditch the PHP. It would be a little harder to customize and extend, but far from impossible. Worst case, we could supply a scripting language ONLY for custom extensions. Basically a macro language. Python's embeddable.

(No, I don't consider a widely used API to be a custom extension. That's part of the core.)

More opinion: in a production system, scripting languages and macros should be only for custom extensions, and never for core code. There should never be scripts BEHIND an API. If WordPress were written in a compiled language and run as a binary, it would be less easy to hack. But not C. Those damn pointer arithmetic exploits...

Re:The reason I hate WordPress is PHP.

[rudy_wayne]

Everything you said is more or less true, but, the bigger problem is that WordPress and many other software packages are written by people who are just plain incompetent and/or stupid. They either don't give two shits about security or are to stupid to figure it out.

Re:The reason I hate WordPress is PHP.

Please show this flaw is specifically caused by PHP itself and not merely bonehead coding or design.

WordPress is often a target because it's so ubiquitous that finding a flaw allows attacks on a very wide audience: biggest bang for the hack-buck.

Re:The reason I hate WordPress is PHP.

"or are to stupid to figure it out"

It's 2. You want to spell it "2 stoopud".

Re:The reason I hate WordPress is PHP.

[marcansoft]

The flaw was specifically made possible by PHP's eagerness to convert malformed strings to best-guess integers instead of raising an error like any sane programming language. You didn't read TFA, did you?

Parent is mostly correct, except where he lumps together all "scripting" languages. This isn't a problem with "scripting" languages, it's a problem with languages like PHP that were designed by people who had no idea what they were doing. Worse, PHP is designed to be deployed in a way that encourages mistakes (PHP files directly in the webroot). PHP security is a game of whack-a-mole where if you forget to whack all the moles in one of your scripts, your site is toast. This wouldn't have happened with a sane scripting language, like Python.

$ php7.1 -r 'echo (int) "123test";'
123
$ python3.5 -c 'print(int("123test"))'
Traceback (most recent call last):
    File "", line 1, in
ValueError: invalid literal for int() with base 10: '123test'

Re:The reason I hate WordPress is PHP.

This is just a troll, bad software design decisions can be made in any language. My biggest gripe is more about blind methodology particularily with the fad of unit testing. Your code can only be as good as your tests. If your tests dont cover your bases even though your code passes your tests it doesnt mean that you have bullet proof software. It just means you are passing your own reality of truth. Which makes writing tests a pointless exercise IMHO. Like asking a blind man if it is day or night. Stop trusting your tests you are only fooling yourself.

Re:The reason I hate WordPress is PHP.

> Just why did PHP become so popular, anyway? I really don't see the attraction.

You've heard the expression, "good, fast, cheap - pick two"?

PHP is fast and cheap.

Re:The reason I hate WordPress is PHP.

The flaw was specifically made possible by PHP's eagerness to convert malformed strings to best-guess integers instead of raising an error like any sane programming language. You didn't read TFA, did you?

Parent is mostly correct, except where he lumps together all "scripting" languages. This isn't a problem with "scripting" languages, it's a problem with languages like PHP that were designed by people who had no idea what they were doing. Worse, PHP is designed to be deployed in a way that encourages mistakes (PHP files directly in the webroot). PHP security is a game of whack-a-mole where if you forget to whack all the moles in one of your scripts, your site is toast. This wouldn't have happened with a sane scripting language, like Python.

Let's compare it with the scripting language that is every geek's favourite right now, shall we?

Javascript:
> parseInt('123test');
123

For some reason, nobody seems to care about JavaScript being full of WTFs; it's the cool language of the day, so we all gotta use it as much as possible. But PHP gets all the geeks up in arms, even though its issues are basically on the same scale.

But both PHP and JavaScript have seen major language overhauls in the last few years; most of the bad features of both have been deprecated. If you're still ranting about PHP it's probably because you haven't actually used it in years, or if you have done, you've been looking at stinking grotty code bases like WordPress. If that's you, do yourself a favour and go learn Joomla instead, because you'll get a completely different picture of PHP.

Re:The reason I hate WordPress is PHP.

[sjames]

Not entirely a troll. Some languages make it easier to have terrible consequences for a minor error than others. Some are more likely to complain and error out when something that looks mistake like happens.

In this case, deciding that int('123test') = 123

Re:The reason I hate WordPress is PHP.

The expectation of PHP's behaviour in your example is clearly documented. Like everything if you RTFM it works as described. If you are coding PHP you would know this behaviour. The consequence in your example is born from a programmer having an expectation that all languages are alike, which they are not. This is a user error not a language problem.

Re:The reason I hate WordPress is PHP.

The expectation of PHP's behaviour in your example is clearly documented. Like everything if you RTFM it works as described. If you are coding PHP you would know this behaviour. The consequence in your example is born from a programmer having an expectation that all languages are alike, which they are not. This is a user error not a language problem.

Re:The reason I hate WordPress is PHP.

[gtall]

I don't agree. A good language keeps you from shooting your foot off even if you are inadvertently aiming at it. How many of PHP arcane rules must a programmer keep in mind? Must s/he constantly use PHP to keep the rules in the head so as not to trip over them. A good example of how to do it right is Haskell. The typing system is a bitch but you won't get away with any inadvertent type casts.

Re:The reason I hate WordPress is PHP.

joomla is just as fucking broken and riddled with security holes as wordpress is.

Re:The reason I hate WordPress is PHP.

Yeah it is much easier to blame the tools, instead of knowing how to use them.

Re:The reason I hate WordPress is PHP.

[marcansoft]

That premise is nonsense. By your definition, there is no stupid design, as long as it is accurately documented.

Just because it's documented doesn't make it not stupid. There is such a thing as the principle of least surprise. PHP almost seems to try to be as surprising as possible, in all the wrong ways.

Re:The reason I hate WordPress is PHP.

Its the same reason English took over as lingua franca, and others before it (Greek, etc). A willingness to get things done in whatever way possible, adopt ideas from the outside, and make a best guess at doing it right. :-) JavaScript is similar in nature. Its just too bad it took so long to get a server side implementation of it being used by the community at large.

While we may have less security holes if we didn't let people learn and experiment with languages like PHP and JavaScript, we also would not have come as far as we have in technology.

Re:The reason I hate WordPress is PHP.

[marcansoft]

Oh, I agree that JavaScript is full of WTFs. Not nearly as many as PHP, but plenty going around. I wouldn't write a web backend in node.js either, even though many people seem to think that's a good idea.

Joomla is just as bad as WordPress. I just spend last weekend cleaning up a compromised server that was running an outdated Joomla version managed by other people. Ended up sandboxing it in a VM to make sure that if it gets pwned again it doesn't start sending spam nor has access to any sensitive information.

Re:The reason I hate WordPress is PHP.

[marcansoft]

PHP was slow as molasses until recently, and cleaning up compromised servers after you get pwned isn't cheap, nor is maintaining a legacy code-rotting PHP codebase, which is what PHP encourages.

PHP became popular because it was easy back when the dynamic web was getting started and people just wanted to write quick hacks. By the time people realized it was a terrible idea we had legions of PHP coders who thought they knew what they were doing, and tons of PHP frameworks evolving from toys to something that was trying to be serious, with the language following a similar path. But the foundation was rotten to the core, and as much as they've tried, nobody has yet managed to fix PHP, nor is it really possible without reinventing, effectively, a whole new language. Even deprecating completely batshit insane ideas like magic_quotes_gpc has taken years of effort.

Meanwhile Python 2 was pretty good, way better than PHP ever was (and probably ever will be), but even then the Python community knew that some things needed to be torn up and redone properly, and thus we got Python 3. Things work differently when the people designing and maintaining a language actually know what they're doing. The Python 2 to 3 transition has been long, but worth it in the long term.

Re:The reason I hate WordPress is PHP.

[marcansoft]

Brainfuck is clearly documented. Heck, it's so simple you can explain it in about two sentences. It is trivial to write a bug-free Brainfuck interpreter. You can even compile it to C.

Does that make Brainfuck a good language to write a website in? No, no it doesn't.

Re:The reason I hate WordPress is PHP.

[dotancohen]

Like everything if you RTFM it works as described. If you are coding PHP you would know this behaviour.

I disagree that most or even many PHP programmers know this issue. A few months ago I demo'ed an exploit in code that a coworker wrote which had the same flaw, this time in comparing MD5 hashes. He had been using PHP for all of his professional career and had no idea how PHP compares strings with leading digits.

Of course, I only knew about the issue because of a similar bug that I wrote, sometime a bit over a decade ago. At that time I had been using PHP for over five years.

So the maxim "know your tools" still stands, but string comparison in PHP _is_ broken in subtle, dangerous ways that most devs will never (knowingly) encounter. I've never seen code that _relies_ on this behaviour, I would love to see it fixed in a major version release. Too bad PHP 7 still carries this flaw.

Re: The reason I hate WordPress is PHP.

Or in PHP's case, knowing not to use it.

Re:The reason I hate WordPress is PHP.

[McD]

IIRC, early php inherited some features from Perl, including logic to convert scalars to numbers I'm guessing.

Perl has the same subtle problem, but at least you'll hear about it if you follow best practice and enable warnings:

$ perl -lwe 'print(int("123test"))'
Argument "123test" isn't numeric in int at -e line 1.
123

Re:The reason I hate WordPress is PHP.

I disagree that most or even many PHP programmers know this issue

I would agree most coders these days don't RTFM.
Now get off my lawn.

Re:The reason I hate WordPress is PHP.

[Wootery]

That's stupid.

Look at the way Java/C# make it impossible to dereference null or exceed array bounds. You can say C programmers are just being clumsy, but look at the consequences: buffer-overrun issues are still a continuing problem... in C programs. Not in Java. Your blame game gets us nowhere. Engineering solutions do.

You really have to give Java/C# some credit: their design categorically eliminates those categories of bugs.

(And yes, they pay a performance cost for this.)

Re:The reason I hate WordPress is PHP.

PHP almost seems to try to be as surprising as possible

Depends on what you are comparing it with, it is all a matter of perspective. So yes there is no "stupid" design if it is done with intention.
You may not like it, it might not suit your mode of operand, but that in itself does not make it stupid, only unsuitable for your needs.
Anyway it is open source, you are welcome to make it behave how you want and roll your own.

Re:The reason I hate WordPress is PHP.

[parkinglot777]

PHP was slow as molasses until recently, and cleaning up compromised servers after you get pwned isn't cheap, nor is maintaining a legacy code-rotting PHP codebase, which is what PHP encourages.

The AC is actually correct. The term good-fast-cheap is usually referred to Project management triangle which is not the same as what you are thinking. It does not really apply to maintenance part. Though, It partially applies to running speed (quality of the product).

Re:The reason I hate WordPress is PHP.

This wouldn't have happened with a sane scripting language, like Python.

They used to say the same thing when PHP was considered the sane language [factoring in the alternatives]. People will be bashing Python just the same some years down the road. Wait and see.

Re:The reason I hate WordPress is PHP.

Like everything if you RTFM it works as described. If you are coding PHP you would know this behaviour.

I disagree that most or even many PHP programmers know this issue. A few months ago I demo'ed an exploit in code that a coworker wrote which had the same flaw, this time in comparing MD5 hashes. He had been using PHP for all of his professional career and had no idea how PHP compares strings with leading digits.

He also didn't know [and neither do you] that you can easily enforce object type in PHP. That would do away with all this whining. Coding requires attention to detail.

Re:The reason I hate WordPress is PHP.

Fast to develop (as in time-to-market), not fast performance.

Re:The reason I hate WordPress is PHP.

[sjames]

It is clearly documented that putting your hand in a spinning saw blade will cause severe injury, but we still have a blade guard.

Re: The reason I hate WordPress is PHP.

Wasn't PHP specifically designed for websites tho? Wasn't using cgi-bin in the past a hassle and had major security flaws, so they wrote PHP to fix these issues?

Re:The reason I hate WordPress is PHP.

And the end result is you are aiming for a deer, but it thinks your aiming for your foot, and you shoot your heart. You were going for less complexity, and wound up adding more to an even less suspecting user in an even more obscure place. A.K.A All you've done is shifted the game of wack a mole from the application programmer to the systems programmer. That systems programmer will now have to define even more complex rules and code to handle multiple possibilities, because if they fail to consider a use case, they will limit the language's native capabilities in a way that may not be desired. That will cause the application programmer to venture away from the safe* code, and straight into the land of obscurity which was the ENTIRE DAMN PRACTICE you wanted to avoid. Oops.

*: Safe in this case being a relative term. The more complex the system is, the harder it is to verify for accuracy. You might make several test cases that pass but the real world will find the bug if it exists once in production. (Complexity is bad, mmkay?) Also I'm just focusing on the issue of trying to avoid problems by having someone else do it for you, obviously other issues can occur that the language can guard against at the application level of development. (System level is a completely different ball of wax. An llvm to protect against bad system level code???? Who writes the llvm again? Oh the system level programmers who wrote the code the llvm protects against..... I think at some point we need to draw the line that defines acceptable levels of ignorance.)

TL;DR No language is perfect and all of them can be abused, but when the language used is made even more complex because of people not wanting to learn to do their job, you will inevitably create a defective product.

Re: The reason I hate WordPress is PHP.

Not declaring your variables isn't natural!!!

Re:The reason I hate WordPress is PHP.

[marcansoft]

String comparison in PHP is broken between two strings. Nothing to do with types. You can't compare two strings with ==, it doesn't work properly (it works most of the time and becomes a security hole when you least expect it). Since clearly you think PHP is the bees' knees and documentation is everything, of course you knew this, right?

Now tell me in what universe it is reasonable for the == operator to be unable to compare two strings correctly.

Re:The reason I hate WordPress is PHP.

[marcansoft]

Except Python is 4 years older than PHP.

Re:The reason I hate WordPress is PHP.

Automatic type conversions are always risky, in any language. C has its share of gotchas in that area too.

Just don't do them. Make every conversion explicit, and don't mix types. Use library functions for that crap.

Once you get over the dynamic typing, coding in PHP is a lot like coding in C.

Re: The reason I hate WordPress is PHP.

[leedsj]

A careless programmer can code an insecure API in any language - was it specific PHP flaws that led to the hack? Blaming the language is like blaming the printing press for vile proganda or pencils and rulers for failed bridges.

Which is why they use PHP?

[Larsen+E+Whipsnade]

Couldn't resist.

I tried WordPress for a while, and I tried some PHP coding. I'm a tad bitter.

every blogger is a NIGGER

black njggers white njggers yellow njggers red njggers brown njggers EVERY BLOGGER IS A NlGGER

niggers are NIGGERS

njggers ARE NlGGERS

Re:niggers are NIGGERS

Is a njgger like a Norwegian nígger?

S-E-Ohno!

When you produce nothing of value, reputation is everything.

Great.

I'm glad I saw this article. I went and patched my WordPress installation to 4.7.2.

Re:Great.

Register it with Google Search Console... the alerts are quite helpful, even if they're somewhat late sometimes

Re:Great.

Me too, I know it's popular for "holyer than thou couch surfers" to bash WordPress and PHP but they are both very useful tools when used correctly.
I've hardened Wordpress as much as possible and turned off features I don't need, I run frequent backups and my host does auto updates/patches on critical updates.

It is inspiring to hear all the great coders comment on /. about how superior and popular the software they write is though, so please continue.

Re:Great.

[marcansoft]

The only secure way to use WordPress is as a static site generator, where the live version is deployed with no dynamic functionality and the administration backend is secured by a layer above WordPress (e.g. HTTP BASIC authentication).

WordPress isn't particularly terrible code, but it is written in a particularly terrible programming language where it's practically impossible to write something secure because things are insecure-by-default and you're expected to defend against all the gotchas explicitly.

Re:Great.

[thegarbz]

Wordpress isn't terrible code, but it is terribly well thought through from a security point of view. Think of it like design decisions in Windows XP which lead to most users logging in as Administrators. Wordpress's killer features are its extensibility. This allows a LOT of crap code to come into Wordpress installations due to no fault of its own.

I remember my own Wordpress site turning into a spammachine. I had the entire administration system locked away to only allow access from a local IP address. I had taken all precautions including removing links to administration, changing the default directories, users, including limits on logins, disabling all features like comment posting etc. In the end the theme I installed had a security hole that was exploited which allowed the attacker to modify the theme's code. The theme itself turned into a spam service and my computer eventually crumbled under the load of sending spam when enough people visited the site.

Re:Great.

[hhas]

You should patch it to /dev/null. It’s the only way to be sure.

Script kiddies

Oh-o, script kiddies found a new tool to play with. Now they are trying to pretend that their tiny little hairless balls are bigger than they are in reality. You get no credit for using a known vulnerability just as your virtual paint spray, biaaatches.

Re:Script kiddies

And yet they trolled you at least.

Re:Script kiddies

What do you mean? I have no wordpress or any other kind of site. I haven't even seen any of these sites. I'm just laughing cause script kiddies think it's cool and brings one street cred or whatever. It doesn't

Re:Wordpress the first open source failure... it i

[Narcocide]

Nope. They won't blame their precious 5$ web hosts. Instead, for some reason I still struggle to grasp, they will instead blame the web coders they didn't hire, who warned them not to use WordPress in the first place, as well as "all versions of PHP itself," regardless of host configuration.

Plea for simplification: static HTML

[xororand]

It is absurd how much computing power is wasted on dynamically generating what is effectively static content, like blogs.
A simple blog should not require an SQL database and complex software stacks that are executed whenever someone visits the site.

Instead, consider using a static website generator like Pelican, or one of the many alternatives.

Write articles and blog posts in a simple, human-readable markup language such as Markdown or ReStructuredText.
Manage your documents in git. Run the generator to recreate the HTML and update Atom/RSS feeds.
The resulting website is blazing fast and can be hosted on dirt cheap servers.

More simplicity on the Internet please.

Re:Plea for simplification: static HTML

Simplicity on the internet only works for intelligent people who understand how the internet works. Stupid people need gigabytes of hand-holding frameworks to accomplish anything.

Ironically, git is too complex for actual gits to use.

Re:Plea for simplification: static HTML

[marcansoft]

This.

The irony is that any WordPress site getting any reasonable amount of traffic is already using WP-Super-Cache... which generates static HTML pages for public content to be served directly from the web server. So they get the worst of both worlds: caching issues and a dynamic backend that is still just as susceptible to exploits as without the cache.

Re:Plea for simplification: static HTML

[thegarbz]

You say this as someone who knows what they are doing. Markdown? Restructured text? Git? You've just gone beyond the expertise of 99% of blog writers out there.

Wordpress's killer feature is not that it dynamically renders content, its that it allows a complete idiot to dynamically generate it.

Remember the alternative? Remember people typing word documents and saving them as HTML files? If you don't provide a dead simple online WYSIWYG editor with instant publish features and without the requirement to install software on a machine, any proposal you come up with is DOA.

Re:Plea for simplification: static HTML

Member Dreamweaver? Member HoTMetaL? Member Netscape Composer? Member FrontPage? Yeah I member.

Re:Plea for simplification: static HTML

Member Chewbacca, mexicans, reagan, marriage. Ooh I member.

Re:Plea for simplification: static HTML

Why can't a dynamic password protected page simply be used to render static content that is served? Why does the damn page have to be dynamically rendered EVERY TIME IT IS LOADED?!

Re:Plea for simplification: static HTML

Yes please! The Internet needs more <blink> tags, and needs a lot more of those 'dancing animal' animated gifs.

As for 'static is best', if you're writing Markdown, it's still got to be rendered for display. Granted, it's a file lookup instead of a SQL query to get the MD, and rendering it is pretty easy, but that's a whole lot more than none. What do we typically use for that rendering? Yep, PHP.

Now, if someone wanted to make a (decent) wysiwyg editor that saved out Markdown, handled inline image uploads and links, and did all of that with a file backend instead of a DB, then we might have a decent, simple CMS. Of course, by then it won't be nearly as simple as we set out to make it, and quite probably a DB would make more sense than the files backend, so we'd swap that out, and then we'd be right back at the start.

FWIW, I have used PicoCMS for a few little sites (with Git backend, push hooks to deploy content, etc). I'd like to move some of my old Drupal stuff to it (mostly as a way to archive them). It's pretty nice, and even though it's 'stupidly simple', the code path from request to response is still pretty long. I will concede that as it has no 'edit' features, that code path is unlikely to result in my site getting defaced. I can't see anyone except a geek wanting to go down this road though.

Re:Plea for simplification: static HTML

[aaarrrgggh]

Yeah... that's what I told my marketing manager. We used to update our 10 web pages once or twice a year, and now it is a $30k annual expenditure with about the same attributable revenue. Joys of WordPress.

But it does look prettier...

Re:Plea for simplification: static HTML

Pepperidge Farm remembers!

Re:Plea for simplification: static HTML

[Voyager529]

It is absurd how much computing power is wasted on dynamically generating what is effectively static content, like blogs.
A simple blog should not require an SQL database and complex software stacks that are executed whenever someone visits the site.

I absolutely agree with this...in theory.

Instead, consider using a static website generator like Pelican, or one of the many alternatives.

Okay, let's do that. Hrmm...not in Softaculous, or the other one-click install options at Godaddy or Hostgator. That's annoying, but it's only one time, so let's check the website...Hrmmm...no 'download' area from the front page...documentation I guess? Great! They have an install instructions area! ...that is full of CLI installation commands and doesn't provide a download link at all for shared hosting environments. Also, while PHP support is near-universal on shared hosting, is Python? Well, we'll assume for a minute that it is and go from there.
Okay, let's head over to the section about installing themes...oh look! *more* CLI stuff! Yes, Pelican assumes that users want to use a CLI to decide how their website appears. When I did look at their themes area, I saw a Github listing. Github. No screenshots, no galleries. A list of files and folders.
Now, writing a blog post should be simple, right? Oh...there's a markdown language I have to use, a series of inline commands for formatting and links and content embedding requires a specific file system? Wait...this was addressed in your statement earlier...

Write articles and blog posts in a simple, human-readable markup language such as Markdown or ReStructuredText.
Manage your documents in git. Run the generator to recreate the HTML and update Atom/RSS feeds.
The resulting website is blazing fast and can be hosted on dirt cheap servers.

More simplicity on the Internet please.

I am pretty sure that you have a different concept of "simple" than 99.9999% of bloggers out there. From a technical level and the amount of data ultimately transferred, no question whatsoever. For someone who can run circles around you with respect to gardening or keeping bees or fashion or a thousand other topics that don't involve software development, the usage here is the absolute furthest thing from "simple". Articles and blog posts are written in English, or whatever the native tongue of the author is. People writing blogs are writing down thoughts and observations for humans, by humans, using languages that facilitate communications between humans. Only on Slashdot does that need to be specified.

Let's compare this with the Wordpress experience:

Wordpress: One-click installation from basically every major shared web hosting provider on the market. Once installed, enter the username and password to the backend. Click 'themes', then 'get themes'. Browse around for hours, finding one that looks the prettiest. Customize it using point-and-click options that are reflected instantly. Many themes automatically handle mobile layouts with zero user intervention. Depending on needs, add a few helpful plug-ins. Don't know what to get? Ask Aunt Google, and there will be no shortage of recommendations! Want to write a blog post? Click add-> post, and you've got a simple-to-use box to type in that automatically saves drafts, looks and works pretty similar to Microsoft Word, has a list of categories on the right for easy filing, and a big "publish" button for when you're done. Did I mention there's a mobile app for real-time posting or that Pelican doesn't seem to have a comments section at all, or that literally everything I've described here has required ZERO command line usage or PHP coding and are all stock functions with zero plugins or extensions required?

Slashdot can piss on Wordpress all it wants, and yes, security/hardening plugins are the first thin

I almost believed in WordPress

[NaCh0]

I subcontract with marketing companies so I work with some aspect of WordPress development on a daily basis. The standard groupthink from WordPress evangelists is that the security problems are behind us -- that WordPress core hasn't had a serious vulnerability in years, core has a review process, blame your out of date installations and inexperienced plugin developers.

For those not in the know, the REST API is something new to wordpress. Developers could get early access thru a plugin, but the API now comes included with WP4.7. There is so much buzz and excitement, even among wordpress people who have no idea what REST really is, few people questioned it because this meant WordPress can now take over the world.

I for one questioned it. When I saw REST enabled in 4.7 without a control to disable it my literal reaction was "Are you FUCKING kidding me???" I have experience in security. I understand attack surfaces. I have seen what a fiasco xmlrpc.php attacks are to wordpress. And these idiots open REST APIs to the internet by default? Jesus fucking Christ, I really don't think Matt Mullenweg or any of the other idiots running the WordPress show have any ability to learn from history.

Sadly, there is no evidence of other CMS's surpassing WP in popularity. You should get used to WordPress continuing to be the sendmail of php apps.

Re:I almost believed in WordPress

[phantomfive]

The problem here is it wasn't deployed in Docker. With a real database like Oracle. The whole thing should be run in the browser to give it an extra layer of containerized security.

Re:I almost believed in WordPress

[drinkypoo]

Drupal is written in PHP and features a REST API yet for "some" reason is compromised something like an order of magnitude less than WP. Oddly, when I was choosing between them, the WP install failed with a cryptic error and the Drupal install worked perfectly. Saved by fate!

Re:I almost believed in WordPress

[trawg]

I subcontract with marketing companies so I work with some aspect of WordPress development on a daily basis.

Doing agency work in the last few years I know my colleagues struggled with the process of managing WordPress within source control. If we built a website for someone based in WordPress we'd deploy it - but then if the customer upgraded it or installed a theme or something it would instantly be out of wack with what was in source control.

Managing the site in source control from there was a bit of a pain as you'd have to download the new version, add new files, commit differences, etc - every time there was a WordPress update.

I would not be surprised if a lot of the compromised sites were in this situation - deployed by agencies who said to their clients "don't worry, we'll keep it up-to-date for you" and deployed from source control without thinking about how to maintain it, and then giving up when they realised it meant regular updates to their dev copy - thus losing all the security advantages of WP's self-updating feature. Or giving up when their clients modified their own site extensively thus making it a real nightmare to merge.

I'm sure there are many good ways of managing this process. WordPress being the "cheap" alternative means a lot of people are getting what they pay for.

Re:I almost believed in WordPress

[hierofalcon]

Drupal does have it's advantages and security is one of them. It's biggest disadvantage is that with every major release the core developers change large chunks of API so any add-on you are using has to be upgraded to a stable condition before you as a website maintainer or developer can move forward. After X major rewrites of their plugin because the Drupal developers decided method Y was now the best way to go, many plugin developers give up - understandably - leaving you with no upgrade path if you were using a particular plugin. There is a lot of debate as to the feature load in core - KISS and make everyone rely on plugin modules or actually make core useful. Drupal would be a really, really good choice if they'd just stop re-inventing the API with each release or make an automated conversion tool that would work with all changes and plugins to at least make a stable working version of the plugin on the day of release. It might be able to be done a better way in the new wonder method Y, but at least it would work.

Re:I almost believed in WordPress

Yes, Drupal 8 was a major change over 7 but before 8 the API stayed relatively stable between versions. I converted Drupal 6 modules to 7 and had to change a dozen lines of code. The benefits of Drupal 8 were definitely worth the trade off and since now a large part of Drupal core is using the Symfony framework will introduce a greater degree of stability.

Re:I almost believed in WordPress

[LifesABeach]

"With a real database like Oracle" That was funny.

Re:I almost believed in WordPress

If we built a website for someone based in WordPress we'd deploy it - but then if the customer upgraded it or installed a theme or something it would instantly be out of wack with what was in source control.

I think I found your problem!

Re:I almost believed in WordPress

[hierofalcon]

Kudos to you. I did a quick survey of most of the checked modules in our site outside core. Drupal 8.0.0 was released November 19, 2015 according to Google and close to 60% of the modules we have in use have no D8 equivalent. A few have something at some stage of development, but nothing at even a alpha or beta release level. Some that do have D8 equivalents are only at alpha or beta stages.

The core developers do Drupal. The plugin developers generally work on drupal modules as a sideline or fun project. I realize that relying on the second tier has this associated cost, but core Drupal without some of the addons really doesn't work in most environments. So making the upgrade easier would be a benefit to everyone (even if the automated solution wasn't optimal). The 5 to 6 and 6 to 7 paths also had very long delays for plugins, so this isn't new. Some were abandoned, sometimes with a different module suggested that may or may not handle the database the same.

Security in core is good. Security in the whole Drupal eco-system has the same risks that WP has when the learning curve takes a new bump every couple of years for people not involved in core development.

Re:I almost believed in WordPress

[phantomfive]

So is thinking that Docker will fix anything with security.

Re:I almost believed in WordPress

[NaCh0]

You should only put the theme and any plugins you wrote under source control. There's no reason to track the parts out of your control.

It also used to be the case that if the auto-updater detected source control on core, it would disable auto-updates.(manual updates initiated from the dashboard still can happen)

Re:I almost believed in WordPress

[LifesABeach]

So you're saying that there is a gun pointed at your head and you must decide weather you use WordPress or suffer for your thoughts? Sad.

Re:I almost believed in WordPress

[phantomfive]

lol I have no idea what you are saying there. The weather is nice, though.

Dynamic content + shoddy plugins + monoculture

[damaki]

And web agencies. You got a genuine recipe for disaster. But that's so much fun, all those cheap websites (my company included) which get defaced and hacked to death on a monthly basis, as it cannot be updated timely because they to need every single exotic and never updated plugins. I had to build a presentational website, 15 years ago, and you know what? I did use a static content generator, which I coded myself as it was dead simple! What's is stupid is that as many people told in replies, most of these sites actually needs zero dynamic content and would do as well with a static site generator. But hell, you got to pull the WordPress buzzword to please the corporate people, cause they need cheap flexibility, and buzzwords.

Re:Wordpress the first open source failure... it i

Wordpress is not the "first" open source failure, it's the rather the most naive open source project that was widely adopted for inappropriate uses (clueless, not security-minded people), hell most WP users don't know how to install Wordpress, they ask someone else, or their "webspace provider" to install it. Thus there are a shittonne of BAD Wordpress installs out there.

The sites I manage, I make a point of telling users that WORDPRESS IS THE PROBLEM, NOT THE SOLUTION. If they want to stop having such a slow site, stop using wordpress and consider something that was actually designed for their use case.

But I guess we're too far gone on this. PHP won the preferred server-sided scripting language war, and wordpress won the "easy to install general purpose CMS" war. Thus people don't even want to consider something more secure.

And no, Ruby or Python are not improvements. They are too hard to install and maintain, and the reason Perl lost it's place in web-site scripting was because it didn't scale. PHP does. But it doesn't scale enough. Nothing does. Unfortunately things that you would do with desktop software to improve performance (eg multithreading and caching) are liabilities with software that communicates with untrusted sources.

Defaced already

The site is already defaced as soon as WordPress is installed.

So what alternatives do you suggest?

[jbarr]

You've established that WP is not the solution. What do you suggest as a solution for less than tech savvy users who want to create good looking, fast, secure web sites?

Re:So what alternatives do you suggest?

[SimplyAuke]

You could try https://simplyedit.io/, disclaimer: I'm one of the authors and it's not (fully) open source. Its a blend between a static site generator and a CMS, as it runs mostly in the browser, not on the server. This means there is very little attack surface on the server. You can very easily write your own server side or connect it to an existing backend.

Re:So what alternatives do you suggest?

[NaCh0]

There's not a great solution, only unperfection options.

They could use a managed website platform like SqureSpace.

Or if they need WordPress, a less than tech savvy user can hire a professional management service like WP Site Care or OnSiteWP.

Re:So what alternatives do you suggest?

[ilsaloving]

If you arn't able to hire someone with two clues to rub together (which is hard and expensive) use something that produces static websites. Unless you are hosting forums or something else that specifically requires code to do the work (like maybe, a comments section), there is zero reason to use a CMS.

In the old days Dreamweaver was The Thing. You can still use it, or various similar tools (eg: Flux on OSX) to create very beautiful but static code-less sites. If you have a lot of content that requires some level of management, there are static site generators (https://staticsitegenerators.net/) available.

If you MUST use a CMS... you're gonna have a hard time cause there are very few that arn't crap... if not for the coding itself, then for the language underneath, like PHP in this case. I personally try to use systems written in more sophisticated languages such as Java, because those languages require a higher minimum level of competency just to get started, so anyone who writes a full blown application in it will be more likely to have written something solid. No guarantees, naturally, but that's the general trend that I've noticed. A risk, of course, is that administration may be more complex as well.

Re:So what alternatives do you suggest?

[parks4life]

I want to know the answer, too. Many organizations use Wordpress because it is free, can do so much, and is a known entity. They can find someone to do big fixes if something breaks. People are expecting great things from their websites and the ability to make changes on their own. It is the ability to make changes on their own that introduces some complexity. My gut tells me that third-party webmasters are dying out (I would love data on that). Yes, I will pay you $X to change the text on the calendar page. Some time ago people started to ask, "How can I do that myself?"

Security through obscurity not so bad?

[bradley13]

We all ridicule people who rely on security-through-obscurity. Incidents like this should make us take another look at that sentence: While we shouldn't rely on obscurity for protection, we shouldn't forget that it does help. Major platforms like WordPress are lucrative targets for hackers, who will spend a lot of energy searching for weaknesses they can exploit.

Using some lesser-known platform, or even rolling your own, makes you a less interesting target. Sure, you may (will!) have other vulnerabilities, but far fewer people will be hunting for them. This is a not-inconsiderable advantage.

Re:Security through obscurity not so bad?

[drinkypoo]

Using some lesser-known platform, or even rolling your own, makes you a less interesting target. Sure, you may (will!) have other vulnerabilities, but far fewer people will be hunting for them. This is a not-inconsiderable advantage.

It's not an advantage since people are going to play all the same attacks against all the sites regardless of what they claim to be running, and since you are not a whole team of people you will almost certainly make several of the same mistakes and get owned anyway. If you don't know what you're doing when it comes to security, you are almost certainly going to do a worse job even than Wordpress, let alone Drupal. (Wordpress has a new major hole every other week; Drupal has only had a few of them total.)

Re:Security through obscurity not so bad?

My client just uses an ancient version of Wordpress that doesn't have the API feature yet - practically unhackable ;-)

Every tool in the toolbox.

Just to preempt this stupid comparison:

Yes, every language has their uses. You use the right tool for the right job, right? Not doing that is just making your life harder. (or you want a challenge for fun)
PHP is that sandwich you forgot to eat a few months back, sitting under Brainfuck, LOLCODE and Malbolge.
Good luck hammering a nail with a mouldy, dusty sandwich.

PHP is fucking disgusting. It's community is toxic and stupid, as are its developers. (that never even knew a basic difference between == and ===)
It needs to die already. There isn't a single language that is as abused as that is, next to C++, which is 2nd worst for horrific practice.
PHP was never good. It will never EVER be good.
Let it rot. Just clear it out of your damn toolbox first!

Re:Every tool in the toolbox.

PHP is open source, yet nobody including you has ever managed to fix/replace it with something better.

Armchair quarterbacking is easy. Put your money where your mouth is, step up, and create something better.

So don't use C++, use C

You CAN write OO code in C, even machine code, and as long as you code it up and know the C rules, you will succeed. However, a deliberately designed OOP language makes writing OO code EASIER.

And, to you, this fact would be "blaming the tools, not the programmer" for not knowing how to write an OO program in a procedural language...

Or that claim of yours is dogmatic tripe used in place of reasoning.

Sometimes your code should be used for the purpose for which it was written for. And PHP was a cobbled simple script put together to make writing your own dynamic web pages easy. Using it in a server environment is like using BASIC (the old school type) to write your server code, or even just DOS commands, rather than PowerShell. One was designed for the task, one was designed for a different use.

PHP wasn't written for massive server webpages and the required security, they were written to be easy to write.

Re:Wordpress the first open source failure... it i

But it doesn't scale enough. Nothing does.

I don't know buddy. I've never had problems with ASP or ColdFusion. Tens of thousands of users at a time, and they work just fine.

That's less than 1.5 percent. No big deal really.

[Qbertino]

Since WordPress runs more than a fourth of the entire web (110+ Million Websites), 1.5 Million infected sites isn't all that much. Yes, WP is a mess and could use a redo, but then most legacy systems could, so what gives? WP is popular, is exposed via port 80 all over the planet and thus is a big fat jucy target. I'm glad Automattic (WordPress Corp.) is alive and well and doesn't try to be anything else than the herald of WordPress and it's (small) business arm and does it's dues by keeping up with patches and fixes.

Which is right?

[Xenna]

Funny how the URL says 15 million and the article says 1.5 million.

https://it.slashdot.org/story/...

Has Slashdot been defaced too?

Re:Which is right?

Funny how the URL says 15 million and the article says 1.5 million.

https://it.slashdot.org/story/...

Has Slashdot been defaced too?

The URL never contains periods. Hence 1.5 becoming 15.

Alternatives?

Compare

Build & deployment time
Features / options
Developer base
Designer base
Design customization
Features / coding customization
Scalability
Portability
Server ubiquity
Ease of set up
Ease of administration
Etc ...

And ..... cost/return for all of the above

LAMP rules. Get over it.

[Qbertino]

The reason I hate WordPress is PHP.

LAMP rules. Get over it. Yes, PHP is awkward (said it myself) and I don't particularly like it that much either. But show me another web PL that does what PHP / LAMP does.
Hello World in PHP is "Hello World." There. Done. Upload a bunch of PHP files on to a LAMP setup, type in the URL in the browser and watch magic happen. No compiling, no appserver to babysit 24/7, no race conditions. Pure simple stupid procedural turing complete web template logic with some nifty utility functions bolted on left right and center, with no order or discipline what-so-ever. But they all work.

LAMP rules, it get's the job done and right now it's also putting money in my pocket. Yes, there are a lot of n00bs and non-programmers doing stuff in PHP and the projects using it have little to no idea how to organise web-dev, let alone a clean model or dev pipeline. And it's really ugly and bizar. But it get's the job done, one hack at a time.

PHP is the language that get's shit done on the web, plain and simple. It's the P in LAMP.
That's why PHP has WordPress, Joomla, Typo3, EZ Publish, Drupal and such and Java has nothing of that magnitude. Go figure.

My 2 cents.

Re:LAMP rules. Get over it.

[LifesABeach]

So how does does one use WordPress and by pass the REST open door?

Re:LAMP rules. Get over it.

Simply by keeping the platform updated. The update rolled out before the public disclosure. As long as you aren't doing any rocket-science on your site, there is zero reason to leave your Auto-Updates off. Zero. Problem solved (in theory).

Secondarily, if WP is your platform of choice -- set a Google Alert for updates to their security page located....
https://wordpress.org/news/category/security/

Instant win.

###############
The arguments against PHP completely disregard the domain in which PHP lives and operates. This is why PHP has its place, regardless of criticisms leveraged by those whom work with tools from alternate domains. There simply is not another form of 'middleware' (for lack of a better term; I hate it) that owns the domain at scale.

Re:LAMP rules. Get over it.

[LifesABeach]

I looked around and found out that just by updating to the current version one could have avoided the visitations.

WP auto-patching should have mitigated this better

[trawg]

So I have five separate personal WordPress sites for testing/hacking/tinkering and casually look after one for a friend. Every single one of mine updated on the day the patch for this problem was fixed.

I got email notifications from each of my sites notifying me they were updated before I heard about the problem. I read the WP blog post about it and thought "shit, that would have been a huge problem if my sites hadn't auto-updated!" and forgot about it completely.

(Incidentally, the next night I had a much, much higher than normal number of brute force login attempts. Not sure if related.)

I'd be very interested to find out why these 1.5m sites did not automatically update. I wonder if they're being manually updated or what the deal is. But if auto-patching worked as it was supposed to this vulnerability would have been mitigated much more quickly.

perhaps ill give the script kiddies more tools

...teehee ill be god of chaos and you can allllll cry for fucking around

Google did this on purpose, of course

>> but some emails reached WordPress 4.7.2 owners. Some of which misinterpreted the email and panicked, fearing their site might lose search engine ranking.

Google: "Splendid! Our evil plan is working exactly as we wanted." [insert maniacal laugh]

/readme.html doesn't show exact WP version

[rklrkl]

Don't rely on /readme.html to show you the exact version any more for a recent WP install. They seem to have knocked off the third field, so versions 4.7, 4.7.1 and 4.7.2 all now say "4.7", which might scare someone into thinking they're still on the vulnerable 4.7.

Of course, you can log into your WP admin interface and find the exact version there, plus it's also present as the $wp_version variable in /wp-includes/version.php if you have access to the Web tree filestore.

Re:WP auto-patching should have mitigated this bet

[rklrkl]

WP auto-updating does have its risks of course - we've seen WP 4.7 introduce this big vulnerability for example (though I believe you can hold back these "major" updates and do them manually). Plus a lot of admins would prefer a scheduled time/day to update - it seems that by default auto-updating is fairly random w.r.t to its scheduling. Plus you'd want to update dev/UAT first before live in case there is breakage. Also, as far I know, WP auto-updating by default doesn't backup the Web tree/DB first and has no easy way to roll back a failed auto-update because of that (so off to tape backups you go whilst the site can often be down).

Still, WP updating whether its manual, scripted or automatic is still a million light years ahead of Umbraco's updating (which usually can't be upgraded between major releases, so many Umbraco sites get stuck on a particular major release for a very long time, even after support has ended).

Re:WP auto-patching should have mitigated this bet

I'd be very interested to find out why these 1.5m sites did not automatically update.

They're probably professional sites that businesses depend on for a revenue stream. Believe it or not, some businesses do depend on WordPress as their CMS. Those businesses have probably learned to disable the auto-updates.

I'm not against using WordPress, certainly not like some other posters here. But I am against allowing WordPress auto-updates. Before any updates are deployed, you need test whether the new version renders your site the same way as before.

WordPress has a history of changing core functionality in a way that breaks major features, and they've been known to introduce entirely new attack surfaces without the ability to turn them off. That last one, by the way, led to a situation which may seem familiar.

Do NOT allow your site to be updated at the whims of the WordPress development team. Their track record does not inspire confidence.

Re:WP auto-patching should have mitigated this bet

[Voyager529]

In my experience, the answer is "custom code and plugins". If you're running a bog standard Wordpress install with Akismet, FormNinja, Gallery, and a handful of the other top-20 plugins, auto-update is just fine and won't bother you at all. If you have a lot of custom layout code, or specialized plugins that are mission critical but not regularly updated, updating Wordpress can break them, thus breaking the website. Yes, it's stupid. Yes, this situation should not be the case. However, you asked thy people don't enable auto-update. That would, in fact, be why.

As an aside, shameless plug for the super awesome Shield Plugin. It's free, and when properly configured, can prevent nearly all of the major forms of automated attack. I've also used iQ Block Country to nix traffic from most of the usual purveyors of such attacks. Not a dev or an investor, just a super happy user of both.

Now, to go one further, Slashdot seems to be back-and-forth regarding mandatory auto-updating. Wordpress has a flaw, and the response is, "why isn't auto-update just how the thing works?". Microsoft implements this with Windows 10, and the response is, "How dare they tell me when I have to update!". Which is it?

Umm, peer review?

[Jason+Hildebrand]

A developer's peers will generally know whether they provide good value or not. When preparing to do a performance review of a developer, ask for feedback about that developer from other developers on the team (and other co-workers they interact with on other teams).

Re:Umm, peer review?

[Jason+Hildebrand]

Duh, sorry. Posted to the wrong story. :(

it’s fuckwits all the way down

[hhas]

Any web software or web developer who seriously uses the phrase “REST API” possesses by definition an understanding of how the web is meant to work that is 100% complete and 100% wrong. And security is 10,000% more difficult to learn and implement correctly than HTTP is, so why anyone still trusts either one to such know-it-all idiots is entirely beyond me.

Re:it’s fuckwits all the way down

[Mats+Svensson]

APi, with a small i ?

Take out their families!

Re:it’s fuckwits all the way down

[hhas]

Seriously, the web is not an "API" at all, it's a distributed data graph: a giant state machine where the only permitted operations are reading state, changing state, and introspection, and data transfers are automatically transcoded to whatever representation is most mutually agreeable to client and server. Everything else—information access, emergent behavior, evolutionary flexibility and robustness—is defined and shaped by a handful of ridiculously simple, totally uniform, interaction rules open and available to all. Everyone can read from the web. Everyone can write to the web. Any document. Any time.

Instead of which, the 2Bn+ humans already online and the 5Bn more to follow are being reduced to mindless unquestioning serfdom at the hands of a few Fortune 100 theocrats and their high priesthood of micromanaging OCD martinets, as our ostensibly Open Web is reshaped into the absolute tyranny of these feudal App kingdoms we now have today. The web we have now is not the web we were all promised; it is what a handful of flaming Dunning-Kruger fools and cold calculating greed merchants have turned it into, the better to serve them not us. These endless streams of "Application security holes" and attendant betrayals of web users' data are merely one of myriad symptoms of a misunderstood misimplementation that is 100% rotten to its core.

But I digress.

To reiterate: "Web Programmers" are just absolute fucking [oxy]morons through and through; so preeningly self-assured in the incredible correctness of their Own Understanding and Grand Achievements they aren't even "Not Even Wrong" any more. Power corrupts, and the web has been corrupted completely. Thus humankind shall not be free until it has personally strangled the last Silicon Valley oligarch with the dripping intestines of its last code monkey intern—a much-overdue shitshow I for one hugely look forward to.:)

Conversion is not validation

[Tablizer]

Value conversion isn't necessarily the same as validation. If you want validation, then use validation operations. Use the right tool for the job.

Holy shit

So far, the vulnerable sites under these new attacks are those running WordPress plugins such as Insert PHP and Exec-PHP, which allow visitors to customize posts by inserting PHP-based code directly into them.

hire the best hackers

thanks to ZEUSHACKERS01@OUTLOOK.COM . My lawyer and I knew nothing about hacking Facebook password or phone hacks. But we needed proofs in court. We liked the way ZEUSHACKERS01@OUTLOOK.COM counselled with us about the process and the way they responded to our needs. In just few hours, we had photos, private messages, names and the password. We are very pleased with their assistance. We have already won our case!They also offer services like hacking mobile devices like your partner's texts and calls,whatsapp hacks, clear criminal records, website hacks, instagram hacks,facebook hacks,recover passwords, emails, iCloud hacks, upgrading school grades and lots of hacking services