Hackers are exploiting older installations of WordPress to distribute blog comment spam and disguise links to malware-contaminated sites. The worm-based attack targets an older version of the popular blog publishing software. Although the worm attempts to hide its tracks, coding errors mean that links on a blog wind up getting …
"if security concerns might one day prompt users to move away from the open source PHP application, whose widespread use makes it a tempting target for hacking attacks."
What a pointless comment; the same could be said about anything:
"if security concerns might one day prompt users to move away from Internet Explorer, whose widespread use makes it a tempting target for hacking attacks."
"if security concerns might one day prompt users to move away from the Microsoft Operating System, whose widespread use makes it a tempting target for hacking attacks."
"If security concerns might one day prompt users to move away from the internet, whose widespread use makes it a tempting target for hacking attacks."
But as yet, few users have been prompted to move to the safer CB radio sets for social networking and communication.
Probably the most exciting thing ever to happen to 99.999999999993% of all blogs
"Applying an update might be a chore"...
Not if you've set up WordPress properly, it isn't.
You click the "update" link, and it does it all for you in a few minutes.
(You do take a backup before of course)
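An added example (mine, not code from the thread or from WordPress) of the "backup before you click update" step that several commenters take for granted: archive the parts of an install the updater cannot regenerate (wp-config.php, .htaccess, wp-content) and dump the database with mysqldump, reading the credentials out of wp-config.php's own define() lines. The miniature site it builds, its wp-config.php values and the plugin and upload paths are constructed for the demo; the mysqldump call assumes a reachable MySQL server, which the demo does not have, so the demo run skips the dump.

```python
import os
import re
import shutil
import subprocess
import tarfile
import tempfile
import time

# Matches define('DB_NAME', '...') style lines in wp-config.php.
DB_DEFINE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def read_db_settings(root):
    """Pull the database constants out of wp-config.php so the dump needs no second config file."""
    with open(os.path.join(root, "wp-config.php"), encoding="utf-8") as f:
        return dict(DB_DEFINE.findall(f.read()))


def backup_site(root, dest_dir, dump_db=True, stamp=None):
    """Archive config, .htaccess and wp-content and, optionally, dump the database.
    Returns (archive path, dump path or None)."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(dest_dir, exist_ok=True)
    archive = os.path.join(dest_dir, f"wp-files-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        for item in ("wp-config.php", ".htaccess", "wp-content"):
            path = os.path.join(root, item)
            if os.path.exists(path):
                # Core (wp-admin, wp-includes) is what the update replaces, so it is not archived.
                tar.add(path, arcname=item)
    dump = None
    if dump_db:
        db = read_db_settings(root)
        if shutil.which("mysqldump") is None:
            raise RuntimeError("mysqldump not found; refusing to call this a backup")
        dump = os.path.join(dest_dir, f"wp-db-{stamp}.sql")
        # MYSQL_PWD keeps the password out of the process list; assumes DB_HOST has no :port suffix.
        env = dict(os.environ, MYSQL_PWD=db.get("DB_PASSWORD", ""))
        with open(dump, "wb") as out:
            subprocess.run(
                ["mysqldump", "--single-transaction", "-h", db.get("DB_HOST", "localhost"),
                 "-u", db["DB_USER"], db["DB_NAME"]],
                stdout=out, env=env, check=True)  # a failed dump raises instead of quietly "succeeding"
    return archive, dump


def list_archive(archive):
    """Sorted member names of a backup archive, for checking what actually got saved."""
    with tarfile.open(archive) as tar:
        return sorted(tar.getnames())


def build_demo_site():
    """Constructed miniature install for the demo (no real database behind it)."""
    root = tempfile.mkdtemp(prefix="wp-site-")
    files = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'wp_blog');\ndefine('DB_USER', 'wp_user');\n"
                         "define('DB_PASSWORD', 's3cret');\ndefine('DB_HOST', 'localhost');\n",
        "wp-includes/version.php": "<?php $wp_version = '0.0-demo';\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // plugin code\n",
        "wp-content/uploads/2008/09/photo.jpg": "not really a jpeg",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return root, tempfile.mkdtemp(prefix="wp-backup-")


if __name__ == "__main__":
    site, dest = build_demo_site()
    archive, dump = backup_site(site, dest, dump_db=False)  # demo has no database to dump
    print(archive, list_archive(archive))
```

Run it as the account that owns the install, not the web server account, and copy the archive and dump somewhere the web server cannot write to; a backup sitting inside the web root is one directory traversal away from being the next thing the worm deletes.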
I got all excited when people registered on my blog. Thought it was strange that nowhere do I link to a register page.
Upgrading is NOT a real pain
Later versions of WP and WPMU automatically detect there is a new version available and will prompt you to download it, and if you want will then patch your installation for you. This only affects the standalone downloadable version of WP, it does not affect the main WP hosted blogs.
This bug doesn't affect the current version of WP OR the previous, so you've got to be two releases down to get hit by this security hole.
All software has bugs in it, and if you choose not to upgrade when the developers have TOLD you to upgrade then it's not really their fault, and pointing fingers at the developers who have fixed the problem before it became a real issue and crying really doesn't help.
Don't forget that WP is FREE - it costs not a single penny, so that makes the whining even worse.
Dare I say it but Scoble admits he's not a sys admin type - so why the hell is he running his own copy of WordPress? Think I'll go to Wickes and buy everything to build a conservatory, and when it falls down because I'm not a builder I'll start moaning about the quality of the product Wickes sold me.
The Devil Rushes in ......
"The Guardian notes that attacks against WordPress are getting more frequent, wondering aloud if security concerns might one day prompt users to move away from the open source PHP application, whose widespread use makes it a tempting target for hacking attacks." ..... Just as long as the Status Quo and Establishment Forces don't think it Hosts Easy Targets for Attack and DDOS, for Some Remotely Hosted are Unarmed and Ruthlessly Efficient in Attacking Defence..... with Sublime Wares and Intangible Tools.
tech blogger Robert Scoble gets hit...
..but not technical enough to keep his software updated....
Re: WordPress self update
The self update feature of WordPress requires that the whole installation be writeable by the account the web server is running under. How is that a good idea?!
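An added example (mine, not from the thread or from WordPress) of the check behind that question: walk an install and list every file or directory the web server account could overwrite. It assumes a Unix install where only wp-content/uploads is meant to be web-writable; the allow-list, the demo tree and the stand-in uids are constructed for the example, and the same tree is audited twice, once with the web server as file owner (the layout the one-click updater needs) and once with a separate deploy account owning the files.

```python
import os
import stat
import tempfile

# Install-relative paths that legitimately have to be writable by the web server.
# Assumed layout for this example; adjust to your install (caches, plugin data dirs, ...).
WRITABLE_ALLOWLIST = ("wp-content/uploads",)


def writable_by(st, uid, gids):
    """True if an account with user id `uid` and group ids `gids` could write to the inode."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def allow_listed(rel, allow):
    return any(rel == a or rel.startswith(a + os.sep) for a in allow)


def audit(root, web_uid, web_gids, allow=WRITABLE_ALLOWLIST):
    """Install-relative paths the web server account could overwrite, excluding the allow-list."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged where the walk reaches it
            rel = os.path.relpath(path, root)
            if allow_listed(rel, allow):
                continue
            if writable_by(st, web_uid, web_gids):
                findings.append(rel)
    return sorted(findings)


def build_demo_tree():
    """Constructed miniature install: read-only core apart from one stray group-writable
    file, plus a writable uploads directory."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = {
        "wp-config.php": 0o640,
        "wp-admin/index.php": 0o640,
        "wp-includes/functions.php": 0o664,   # the misconfiguration the audit should catch
        "wp-content/uploads/photo.jpg": 0o660,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    for rel in ("wp-admin", "wp-includes", "wp-content"):
        os.chmod(os.path.join(root, rel), 0o750)
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o770)
    return root


def demo():
    root = build_demo_tree()
    owner = os.getuid()
    # Group shared by deploy account and web server; taken from the tree so the demo is portable.
    shared_group = {os.lstat(os.path.join(root, "wp-config.php")).st_gid}
    return {
        # What the self-updater needs: the web server account owns the whole install.
        "self_update_layout": audit(root, owner, shared_group),
        # Hardened: a deploy account owns the files, the web server only shares the group.
        # owner + 100000 is a stand-in for that different, unprivileged uid.
        "hardened_layout": audit(root, owner + 100000, shared_group),
    }


if __name__ == "__main__":
    for name, paths in demo().items():
        print(f"{name}: {paths}")
```

In the owner-equals-web-server layout every core file and wp-config.php shows up, which is exactly the point of the comment: whatever can be injected through the web server can then rewrite the application. The hardened layout reports only the stray group-writable file. WordPress does not force the first layout on you: with FS_METHOD set to 'ssh2' or 'ftpext' in wp-config.php the updater writes through separate credentials, and with DISALLOW_FILE_MODS set to true the admin interface stops modifying files altogether and you update from the shell as the deploy account.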
One-click pony ...
"Scoble was hit by a similar attack a couple of months ago, and is now considering a switch to different blogging software."
Perhaps Scoble should consider getting a clue. Different blogging software will not help him if he can't even be arsed to keep it up to date. It's not like it's even difficult with WordPress - it's a one-click exercise that even Paris could manage ...
As for his lack of backups, well - this justifies my determined efforts to ignore Scoble ...
"Among those hit by the latest attack was tech blogger Robert Scoble, who lost two months of blog entries as a result."
Has Robert Scoble not heard of backups?
In defence of PHP
A lot of really crap and insecure code is written in PHP but that's only because so many people read "PHP5 for Idiots in 24 Ickle Baby Steps" and then think that because they understand the syntax, that's all they need to know. It's hardly the language's fault if these books contain multiple chapters on using MySQL and only a passing paragraph or two about SQL injection, for example.
So he didn't upgrade, got hacked. Which part of this is hard to follow?
Didn't backup, lost his work. Which part of this is hard to follow?
The most common reason people say they don't upgrade is that it breaks plugins.
There is a choice, Broken plugin or completely broken site, take your pick.
Security must come before features.
@ Steve Evans
"You click the "update" link, and it does it all for you in a few minutes.
(You do take a backup before of course)"
Well, I clicked UPDATE just like Steve said.
Then I read his instruction to take a backup before but oh noooo too late.......
Now my blog has disappeared and been replaced by an image of Fred Talbot with a Santa Claus beard and a machine gun, holding a placard that says, "Christmas has come early mother f*cker".
This news is all over the place and I can't help but notice that the most significant part of the story is missing. Few blog admins use user registration on comments and you have to deliberately turn that on in order to be eligible for this vulnerability. In other words, most aren't affected, and immunity is only a click away.
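An added example (mine, not from the thread or from WordPress) for the admins who, like the commenter above, only noticed the attack when strangers started registering: a registration-attempt detector run over web server access logs. A submitted registration form is a POST to wp-login.php with action=register, so the script pulls those out of combined-format log lines and flags clients that submit several inside a short window; it goes a little beyond the comment in that it works whether or not registration is enabled, since on a site with registration switched off any submission at all is worth a look. The log lines, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Enough of an Apache/nginx combined-log line to get client, time, request line and status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for the demo, not a real server's log.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2008:09:12:01 +0000] "GET /2008/09/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2008:09:12:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Sep/2008:09:14:30 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 1843 "-" "Mozilla/4.0"
198.51.100.23 - - [15/Sep/2008:09:14:31 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.23 - - [15/Sep/2008:09:14:33 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.23 - - [15/Sep/2008:09:14:35 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.44 - - [15/Sep/2008:11:02:10 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Dict of ip, ts, method, target, status and a parsed `time`, or None for junk lines."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_registration_post(rec):
    """A submitted registration form is a POST to wp-login.php with action=register
    (endswith() so subdirectory installs such as /blog/wp-login.php also match)."""
    url = urlsplit(rec["target"])
    return (rec["method"] == "POST"
            and url.path.endswith("/wp-login.php")
            and parse_qs(url.query).get("action") == ["register"])


def registration_attempts(lines):
    """(client ip, time) for every registration submission in the log."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_registration_post(rec):
            out.append((rec["ip"], rec["time"]))
    return out


def find_bursts(attempts, threshold=3, window_seconds=60):
    """Clients with at least `threshold` submissions inside some `window_seconds` span,
    mapped to their peak count in such a window. threshold=1 reports every client."""
    by_ip = defaultdict(list)
    for ip, t in attempts:
        by_ip[ip].append(t)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        peak = 0
        for i, start in enumerate(times):
            j = i
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    attempts = registration_attempts(SAMPLE_LOG.splitlines())
    print(f"{len(attempts)} registration submissions")
    for ip, n in find_bursts(attempts).items():
        print(f"burst: {ip} submitted {n} registrations within a minute")
```

The status code is deliberately not used to decide success: whether a given WordPress version answers an accepted registration with a redirect or with a page is a detail that varies, and for this purpose an attempt is what matters. Reconcile any flagged client against the users table afterwards; accounts that exist without a matching registration request in the log are the more interesting finding.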
original article flawed
The guardian article author is not only technically illiterate, but also seems unable to grasp basic logic.
1) He compares WordPress to Windows. ( technical failure )
2) He posits that the frequency of attacks may cause people to say "hey, remember when everyone used WordPress?". ( logical failure, how many people say "hey, remember when everyone used Windows?" )
I'm unsurprised that comments are not enabled on the Guardian article; either he got slammed or could see the flames coming.
I am surprised that El Reg thought the Guardian article was good enough to link to.