back to article Your WordPress and Drupal installs are probably obsolete

Many of the UK's biggest firms are running outdated versions of their Drupal and Wordpress Content Management Systems (CMSes). Threat management company RiskIQ conducted research across the top 30 organisations in the UK (FTSE-30), looking specifically at Wordpress and Drupal instances visible on the open web. At least three …

  1. Paul Crawford Silver badge

    Do these programs have the "shifting shit" problem? You know when you have to upgrade to fix bugs and vulnerabilities, but the muppets in charge of design have broken so many plugins and APIs with little regard to reverse-compatibility that many folk simply give up and leave it and try to ignore the risk.

    1. fidodogbreath Silver badge

      I don't use Drupal, but in recent years the WordPress devs seem to have adequate adult supervision.

  2. Hans Neeson-Bumpsadese Silver badge

    Numbers

    Across the publicly accessible web sites of the FTSE-30 we found 1069 web sites

    An average of over 35 websites per company, not counting ones that aren't running WordPress or Drupal. Seems like a lot

    1. Dadmin

      Re: Numbers

      Not really. Consider the number of employees at the Footsie 30 companies, and the number of front-facing departments with a need to interact with the outside world for this or that an average of only 35 per seems reasonable. Their intranets will have even more sites, and without a caretaker for the CMS versions, or a design methodology that centralizes the content, they can slip behind versions pretty quickly. And that leaves known holes open. Plus these may have lots of static content, so there's probably a very real "setup and forget" mentality and accompanying small budget. "Why would anyone break into our <online thing>? No one would, it's not a target, so we need take no action." And they do, so here we are again. Doing nothing about security is what most enterprises do best, and that's good sport for the malwarevians.

  3. wolfetone Silver badge

    Why is anyone surprised? The only time websites are a concern to most companies (excluding e-commerce sites, obviously) are when they go down. And if they get hacked, their PR company has the generic "We were the victims of a sophisticated attack" and "We take customer data security very seriously".

    I'm sure now that most companies with websites view the liabilities with them like Ford did with the Pinto.

  4. fidodogbreath Silver badge

    Challenge to keep up to date

    I have a small personal WordPress site that (like most sites) is constantly under attack. Like many IT types, I had no experience with WP; and since I don't log into the site very often, things kept getting out of date. Here's my trial-and error-tested recipe for keeping WP up to date and secure:

    * Install WordFence. I put this first because it's key to protecting a site that IT doesn't manage. In addition to its many security features, WF (even the free version) scans the site daily for out of date plug-ins, and sends an email when something needs an update. Beyond awesome.

    * Enable automatic WP updates. Maybe I'm just lucky, but I've never had a problem with them.

    * Use a stock WP theme, with a child theme for customizations (404 page, footers, etc). The stock themes are well-maintained by the WP devs, and using a child theme means that you can install updates without breaking your tweaks.

    * Stick with highly popular, well-maintained plugins: WordFence, Updraft Plus (backup), Yoast (SEO), etc. They're always updated as soon as a new WordPress version is released.

    * Disable comments and account creation. Unless the core purpose of the site is to converse and interact, comments are way more trouble than they're worth. As are most people, for that matter, but maybe that's just me.

    And, of course, the "eat your veggies" stuff:

    * Turn off / disable / uninstall every feature or plugin that you don't need for operation.

    * Delete the default admin account, and create a new one with a long username -- which does not contain any variant of "admin" or the site name -- and a long, random password.

    * Use a good hosting company that keeps their boxen up to date.

    Even Marketing can run a secure WordPress site if they follow those tips.

    1. Steve Holdoway

      Re: Challenge to keep up to date

      Re wordfence... stores loads of stuff in the database. Only way to clear down is to set the option and disable/enable it. The alternative is to wonder why your site runs like a dog...

    2. Seriouscyrus

      Re: Challenge to keep up to date

      I've found the wp updates to be pretty reliable too.

      I really wanted facilities to comment on mine, but i sure as hell don't want to look after random signups and user accounts, so i plugged in disqus which seems to work well and takes away much of the responsibility.

    3. Richard Lloyd

      Wordfence and readme.html

      Wordfence is a useful plugin, though I really don't like the fact that it renames readme.html to readme<long_hex_string>.html at the top level of your WP site by default, in the name of "security through obscurity" (the file has the WP version number in it). The snag is that readme.html is a *core* WP file (involved in the core checksumming routines used by WP-CLI amongst others) and no plugin should ever modify/rename/delete a core file. I've posted up to the Wordfence forums about it, but can't convince the devs to make the default not to "Hide WordPress version"...

  5. Greg J Preece

    It wouldn't surprise me if my Drupal site was vulnerable on any given day. There seems to be a patch every 5 minutes. Every time I log into the control panel it's yelling at me about something. Here, let's try right now....

    Yup, new patch version of Drupal core. Admittedly, Drupal updates have gotten way easier over the years. Non-core modules can be updated with a couple of clicks, and core stuff can be done through drush with minimal pain.

  6. John Brown (no body) Silver badge

    Many in the infused community

    Tea drinkers have concerns about CMS? Or did the auto-correct not like InfoSec?

    No, as it happens I don't email access from here hence the lack of a corrections email ;-)

  7. batfastad

    Durpal

    Drupal is an absolute pile.

    Well really all generic CMS are cr4p IMO compared to something built specifically for the job using a proper framework. But Drupal is absolutely the worst.

  8. Anonymous Coward
    Anonymous Coward

    Sorry, but that is utter, utter tosh

    Honestly, if someone has been running a public facing webserver anywhere NEAR the network segment where such critical and sensitive data was being stored they really deserve all the legal trouble they get.

    The closest a public facing webserver should ever get to your data is via a pinhole from a DMZ, and even then you have to think twice about what you allow it to see.

    Such data is vital enough to require its own controlled subnet. Breaching a public resource should have made no difference whatsoever.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019