Slashdot Mirror


WordPress Plugs Bug that Led to Google Indexing Some User Passwords (zdnet.com)

A week after releasing its v5.0 major update, WordPress has pushed the first security patch for its popular CMS service. ZDNet: Released hours ago, WordPress version 5.0.1 fixes seven security vulnerabilities (some of which allow site takeover) but also plugs a pretty serious privacy leak. The latter was found by the authors of the popular Yoast SEO plugin, who discovered that in some cases the activation screen for new users could end up being indexed by Google. With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords. This leak could have catastrophic consequences if the user has an admin role or if the user didn't change his default password, as is regularly advised.

4 of 32 comments

  1. Re:What a turd this thing is ... by BringsApples · · Score: 2

    WordPress is an open-source content management system licensed under GPLv2, which means that anyone can use or modify the WordPress software for free. A content management system is basically a tool that makes it easy to manage important aspects of your website – like content – without needing to know anything about programming.

    The end result is that WordPress makes building a website accessible to anyone – even people who aren’t developers.

    --
    Politics; n. : A religion whereby man is god.
  2. Use protection, kids! by JustAnotherOldGuy · · Score: 3, Interesting

    "With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords."

    Another fabulous win for WordPress. (sigh)

    Seriously, if you run WordPress, at least install the WordFence plugin. It's free and prevents a lot of malicious behavior from occurring. I don't know about this specific exploit, but it has stopped a ton of bot-style attacks on the few WP sites I have some responsibility for.

    Install WordFence and look at the logs after a day or two - you'll be astounded (and horrified) at the level of malicious activity it catches and stops.

    (And in case you're wondering, no, I have no connection or financial interest whatsoever in WordFence, I'm just a fan).

    --
    Just cruising through this digital world at 33 1/3 rpm...
  3. Never store passwords by Darinbob · · Score: 2

    This just seems like novice mistakes. Passwords should NEVER be stored. There is never a need to store a password at any time. If it's not stored then there is minimal chance of exposing the password. I think the newbies to programming don't know this, and they think that they have to compare the password typed in to a stored password, which is wrong. The first step is to make a secure hash of the password, and the second step is to clear the password from memory. Of course that's not all you need to do, but if you don't use those two steps then it means the implementer doesn't understand security. If a password is ever in a database then someone has screwed up.

  4. Re:What a turd this thing is ... by squiggleslash · · Score: 2

    That's great and all but the fact you think you can block WordPress sites by blocking "all of their domains at the browser level" suggests you have no idea what WordPress is.

    It's a CMS. One of the most popular out there. While there is a WordPress.com that offers hosted WordPress services, you don't have to use it, you can install it on your home server, VPS, AWS, whatever you have that runs PHP.

    It doesn't do terrible things to users, it does whatever you want it to. You can customize the entire system. The only major issue with it is that it's written in PHP which means that it has bugs, many of which are security bugs. If it was written in C# or Java it wouldn't have anything like as many issues, although it might be less popular.

    --
    You are not alone. This is not normal. None of this is normal.