P0wned plug-in puts a million WordPress sites at risk of attack

Re: Fundamental problems

Similar issues here - we won't let Marketing maintain and run their own Wordpress server, and they refuse to allow us to maintain and run it, as they then can't just whack any plugin they fancy on it.

The impasse was solved by them buying (at outrageous prices) hosted wordpress that we have nothing to do with. It's going to blow up at some point, guaranteed, but it won't be on our servers, in our network and with our data.

Re: Fundamental problems

"Basic Wordpress is quite neat, but seriously dangerous in the hands of amateurs (i.e. 99% of Wordpress users)."

Something I'm seeing more and more of is friends who have no concept of email security (and have a track record of falling for social engineering attacks) going on to new adventures like making amateur websites using free website builders. I always approach these with "shields up." When I go to these sites and NoScript blocks everything, I then have to explain to them what "whitelisting" means and why I'm not going to do it.

In two cases, their websites were being flagged by Google as "possibly compromised" and they couldn't figure out why. When I checked them out (again, with "shields up"), I saw that they had been hit with the "WordPress Pharma Hack"--not to mention one site having a virus in some of the crap that NoScript was blocking. One site was later rebuilt from scratch using a different builder; the other was taken down and never replaced.

Re: Asking the big questions.....

It's similar to microsoft windows if that's what you mean. Hackers write malware for windows because most people run it (plus it tends to be more vulnerable than OSs with stricter permissions models) Hackers attack wordpress because lots of people install it on their website (plus it tends to be more vulnerable having a php enabled webserver and the ability to write to the filesystem for plugins and themes)