WordPress admin? Thinking of spending time with the family? Think again

The Dutch hacking community's Summer of Pwnage (SoP) has disclosed three vulnerabilities in WordPress plugins, including an XSS in the popular Ninja Forms. Since Ninja Forms claims more than 600,000 users, we'll start there: the now-fixed reflected XSS bug allows attackers to inject malicious JavaScript into the victim's …

  1. Anonymous Coward

    glad it's you instead of me.

    My job requires taking care of production servers but I'm so grateful they are not internet-facing ones, especially ones required to run WP or even PHP. That kind of job is for the sadistic. Especially when the latest 0 day of an endless parade ends up getting upper management's attention due to carelessness of someone else.

    1. Anonymous Coward

      Re: glad it's you instead of me.

      Seems you know little about WordPress then. I'm a somewhat vivid WordPress admin / user (maintain a blog on their website as well as one on my own servers) and this problem didn't bother me at all.

      To put things a bit into perspective: the first plugin claims to have 600,000 users. But over 60 million people use WordPress (source: WordPress.org). So wouldn't it be fair to say that this only bothers a small portion of all the WordPress users out there?

      1. Anonymous Coward

        Re: glad it's you instead of me.

        I would post all the critical WP and plugin CVEs found but it would make for one very very long post. Not quite Adobe Flash long but probably not far off.

        1. Pascal Monett Silver badge

          Re: Not quite Adobe Flash long

          From what I hear about WordPress, they're at least trying to fix things. Adobe gives rather the reverse impression.

          1. Captain Scarlet Silver badge

            Re: Not quite Adobe Flash long

            It's a bit harsh, any CMS or blog platform is subject to the same issues.

            Long ago when my site ran CMS software called e107 the same issues were present where plugins tended to be the easiest way to break in (Unfortunately for me on one occasion where a plugin had moved where files were kept I ended up with old php files which I wasn't aware of).

    2. Anonymous Coward

      Re: glad it's you instead of me.

      What's PHP got to do with this?

      Are you suggesting PHP is insecure?

      It can be. But there's numerous ways to implement PHP to make it vastly harder than .NET.

      You don't even have to run PHP on the same server as your http daemon. That in itself can add extra security. Subject to your config / network security.

      1. Anonymous Coward

        Re: glad it's you instead of me.

        They're trying to fix things, but they can't. Bailing the Titanic with a teacup.

        Don't kid yourself other anon. PHP is bad, particularly when SQL, HTML, and JavaScript are embedded in it, as they always are. Other popular languages are not good, but PHP is the worst. Take it from a PHP programmer.

  2. Leitchy

    Doesn't Bother Me

    Both my WordPress sites are set to automatically update when there's a new patch available and I only ever worry when I hear about a vuln in WordPress base code (hasn't happened in a while) or one of the very few plugins I use.

    I think that's the key; use as few plugins as possible and stay on top of them. Because plugins are where the vulns happen.

    1. Anonymous Coward

      Re: Doesn't Bother Me

      > I think that's the key; use as few plugins as possible and stay on top of them. Because plugins are where the vulns happen.

      Exactly. The real problem is the plug-ins are not vetted properly.

      Here, have a +1 :)

  3. Sirius Lee

    Balance?

    There are tens of thousands of plugins available of variable quality, plugins used in millions of sites based on WordPress. You have chosen to single out two. Did the providers piss you off or something?

    If the Dutch group has found only two issues, either that's a significant triumph for WordPress and the majority of plugin authors or a sad indictment of the competence and effort shown by the Dutch group.

  4. mahood

    So what should we use instead?

    I have a small personal website that uses WordPress (and a handful of plugins, automatically updated and regularly checked) running just fine. Whenever I hear about another broken plugin I do another check to ensure I'm up to date and hopefully wasn't running that plugin either.

    Is there a 'better' solution out there? What's the local opinion on the best way to host a personal site with some interactivity (commenting, etc) with minimal maintenance required? I'm not a target for anyone wanting to attack me personally, but with automated scanners going around I know everyone is to some extent.

    I'm aware of sites like Squarespace, Wix & Weebly, where you pay someone else to worry about security and such-like for you... should I just be jumping over there?

    1. Anonymous Coward

      Re: So what should we use instead?

      > What's the local opinion on the best way to host a personal site

      Don't.

      1. You're not special.

      2. Trolls will attack you just for acting like the world cares about your opinions. The anti-blogging movement is real and I, for one, approve of it.

      3. Running a website is a bloody pain in the arse.

      If you have a useful product or service that absolutely must have a website, make a dedicated website for it and don't make it about you.

  5. Aodhhan Bronze badge

    I think everyone in cybersecurity knows...

    WordPress is a training ground for hacking. Especially the modules. Small files which don't take a seasoned expert to reverse engineer, fuzz, etc.
