back to article 'Legacy' Wordpress blog site of The Independent serving malware

The Independent has become the latest big-name publisher to serve malware. Trend Micro is warning that the UK news site's Wordpress-based blog section has been compromised. The company says the attack seems to have begun on November 21, with a compromised page serving the Angler exploit kit, taking advantage of visitors with …

  1. oldtaku
    FAIL

    Oh good lord. Having a Wordpress site is setting up a gigantic HACKMEEEEEEEEEE sign. Any competent IT person should know that. It's a gigantic complex PHP thing, so it's going to be insecure, and it has tons of plugins which are even more insecure (most hacks are via plugins and themes).

    And most of all it is very strongly targeted. The WP PHP code isn't any worse than normal PHP code (it's better), but bad guys keep lists of known WP sites, and as soon as a zero-day is discovered, they hit them. You've got no time to react.

    You have to be willing to actively to monitor it constantly or you should just shut it down. Facebook and other big places that use PHP go for the monitor it constantly route, but if you're not willing to dedicate the manpower to it, SHUT IT DOWN or move to something else.

    1. Anonymous Coward
      Facepalm

      Yes, because the security of DIY solutions cannot be underrated.

      1. wolfetone Silver badge

        Fully agree. If you can't be bothered to monitor or check up on your WordPress install then you really should just serve static HTML pages and update them via FTP. You know, the old way.

    2. Anonymous Coward
      Anonymous Coward

      Oh good lord. Having a Wordpress site is setting up a gigantic HACKMEEEEEEEEEE sign. Any competent IT person should know that. It's a gigantic complex PHP thing, so it's going to be insecure, and it has tons of plugins which are even more insecure (most hacks are via plugins and themes).

      Bollocks. A WP site is just like any other IT project: install only what you need and not more (plugins as well as themes), and pay attention to the rather good security advice out there. It starts with a good ISP so you don't have a platform weakness (it's still an OS plus webserver stack before you get to WP), then install All In One Wordpress Security and Firewall which gives you a guided tour past all the things you can do to lock it down (and, IMHO very important, explains why), and if you install a plugin that uses Google Authenticator timed passwords you only need to make sure you keep up to date with patching.

      And even that can be automated.

      It's really not that hard. The hardest work is blacklisting the networks that seem to specialise in supporting script kiddies. I seem to get a lot from OVH these days. On some websites I've installed IQ Block Country and banned the usual suspects (China, Anonymous Proxy, Russia, Ukraine) as that turned out easier than blocking one IP range after another.

      As for looking up IP addresses, I have found WhatIsMyIPaddress.com very helpful. I don't run my webserver myself or I would have added fail2ban to the defences, but I use an ISP that runs most of its platform on BSD which seems to be enough to confuse most script kiddies already :). As I refuse to serve advertising (despite many, many "get rich quick" prompts from various parties) I'm also not worried about becoming a malware server to others.

      And for the rest I run Joomla :).

  2. Anonymous Coward
    Anonymous Coward

    Lesson One

    ..close your old site down, or patch them as if live.

    Anon as I recently had to point out one of our website was serving malware and the team responsible (yes marketing) looked at me with glazed eyes and said, but we don't use that one anymore.

  3. Absent

    Independent mobile site

    I've stopped visiting the Independent on my phone due to its autoplaying video adverts pausing audio apps and its auto refreshing homepage reloading before I've got to the bottom. It's just too annoyingly designed.

    1. Anonymous Coward
      Anonymous Coward

      Re: Independent mobile site

      Yeah, same here. It's maybe the worst news site I visit - I get video ads you can't even find a "close (X)" button for.

      Puts me right off. The Guardian has its flaws, but their site, and even mobile app, is pretty good.

      Adverts should NOT interrupt the reading experience and autoplaying videos is a rude no-no, be it content or ads.

    2. Davidcro

      Re: Independent mobile site

      I've stopped visiting The Register on my phone due to the autoplaying video adds. Thank you Huawei Spain.

      1. Anonymous Coward
        Anonymous Coward

        Re: Independent mobile site

        I've stopped visiting The Register on my phone due to the autoplaying video adds. Thank you Huawei Spain.

        I've stopped visit the BBC news website due to their *seriously* nauseating Microsoft ads on all videos (whoever did that voiceover can not even be fixed with a massive dose of laryngitis and a months' worth of smoking and hard drinking, let alone that it's about Microsoft), but thankfully there is a fix: I have a VPN with London..

        I enable ads for some sites as I appreciate they get some revenue for it, but as ads have now become an oft-used attack vector for malware I'm afraid the ad distributors are left with a simple choice: either start screening every ad they distribute, or face the fact that ads will be more and more blocked. It's not like they're short of funds to do it, so there's no excuse.

    3. flokie

      Re: Independent mobile site

      Their BB10 app was pretty good, and I don't recall distracting ads. "Was" because it stopped fetching up to date news item about two months ago, and it hasn't been fixed since...

    4. Anonymous Coward
      Anonymous Coward

      Re: Independent mobile site

      I agree the Independent site is a bit terrible ... but just as a data point, my mobile browsing of it with firefox+ghostery isn't plagued by auto-playing video ads.

  4. johnB
    Holmes

    Flash ? Security problem ?

    Move along, nothing to see here...

  5. Anonymous Coward
    Anonymous Coward

    simple maintenance

    WP gets the blame, but this is the site owner's fault. Not long ago crufty old Solaris servers with ancient never-patched versions of Apache were the main vector of attack. Now its WP installs whose platform (some version of Linux or Windows), is running the bare minimum version of PHP and MySQL it will run on without patching being served up by an nginx instance whose configuration was cobbled together from disparate forum posts spanning a variety of platforms over several years. Combine that with the changing of the guard at most companies where the rigorous maintenance by experienced sysadmins is giving way to cheap contract labor who don't know the difference between an inode and nodejs, and you've got a prescription for disaster. The PHBs have finally done it: they've broken the system. Looks like "no streaming for old men" in the near future. Good. We need to go back to reading books. All those pop-up ads were giving me a headache.

  6. JanCeuleers

    Are ad flingers suppliers

    Surely advertising brokers are customers of websites on which their adverts appear, not suppliers?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019