back to article If your websites use WordPress, put down that coffee and upgrade to 4.8.3. Thank us later

WordPress has a security patch out for a programming blunder that you should apply ASAP. The fix addresses a flaw that can be potentially exploited by hackers to hijack and take over WordPress-powered websites, by injecting malicious SQL database commands. The core installation of WordPress is not directly affected, we're …

  1. cd

    Thank you, Mr. Ferrara.

  2. Hans 1 Silver badge
    WTF?

    It is 2017 and paid devs have not heard of bind variables

    cf title

    1. Fruit and Nutcase Silver badge
      Alert

      Re: It is 2017 and paid devs have not heard of bind variables

      It is 2017 and "Injection" is still #1 on the OWASP Top 10

      https://www.owasp.org/index.php/Top_10_2017-A1-Injection

      If you are a developer and not heard of OWASP - well, better late than never...

      https://github.com/OWASP/DevGuide

      https://github.com/OWASP

    2. Spudley

      Re: It is 2017 and paid devs have not heard of bind variables

      It is 2017 and paid devs have not heard of bind variables

      It's 2017, and people are still using WordPress, which hasn't updated the APIs for its database library in over a decade, in the name of backward compatibility.

      [Almost] everyone else in the PHP world has moved on and is using proper variable binding on their DB queries, but WP is stuck in the past.

      WP does in fact pretend to do variable binding -- you pass an array of variables into a method called prepare(), just as you would expect. But internally, it then uses basic string replacement to embed those variables into the actual query. Go and look at Ferrara's blog post to see the full horror of the code for WPDB::prepare. If you're using WordPress, then you are using this code. Go and read it and understand it. Now take a step back and rethink your choice of CMS.

  3. Vector

    "If your websites use WordPress, put down that coffee and upgrade..."

    again.

    FTFY

    Must be Tuesday.

  4. arctic_haze Silver badge

    It's better than Windows

    Today I received an email stating that:

    "Howdy! Your site at http://[censored].com has been updated automatically to WordPress 4.8.3.

    No further action is needed on your part."

    Another job well done, as robot Bender used to say!

    1. Pen-y-gors Silver badge

      Re: It's better than Windows

      You lucky, lucky, bastard!

      Today I got an email saying "Hiya! Your site at http://squirrellovers.org has been updated automatically to WordPress 4.7.7."

      To be fair, it also included a link to upgrade to 4.8.3, which took seconds

      1. James Ashton

        Re: It's better than Windows

        The 4.7.7 update is just exactly the same patch as the 4.8.3 patch. WordPress appears to apply security patches to older versions going back a long way, which is nice. Updating from a 4.7 to a 4.8 release is not necessary for security reasons and will probably change the way your site looks, or even break it if you use customisations or plug-ins.

        Best practice would be to have a test site to try any upgrade first, before upgrading your production site. I usually just risk it and allow auto-updates for patches that only increment the third part of the version number but changes in the second number are too dangerous to skip testing if your site is commercial.

        1. Captain Scarlet Silver badge

          Re: It's better than Windows

          Wow you are lucky, only one of our sites are currently 4.7.x and I keep getting "BEH such and such site has outdated software" by our overlords (RTFM is my normal response).

  5. WibbleMe

    600 WP websites... Automatic Update plugin does it all for me. Im in bed.

    1. Charlie Clark Silver badge
      Facepalm

      Yes, because it's not as if that plugin has ever been targeted…

      1. Captain Scarlet Silver badge

        Thats weird, I thought most Wordpress specific hosts have a routine to update plugins as well as core at set times (To reduce load).

  6. Phil Endecott Silver badge

    PHP FFS

    In your "Perl the most hated programming language" story I was going to going to vote "No, PHP is even more disgusting". But then I saw you also had Visual Basic as an option, and that has actually caused me even more pain.

    Honestly all three should be nuked from space.

    1. Charlie Clark Silver badge

      Re: PHP FFS

      Of the three I hate PHP the most because it copied too much from Perl. VB is truly awful but it's also on the way out.

  7. Spudley

    While the veep acknowledged that many of the people working on WordPress are volunteers, he expressed frustration at the group's attitude towards security.

    This.

    This is why I refuse to allow any project I'm involved in to use WordPress.

    WP is a platform with a history of poor quality code. Unlike other platforms with similar history, they have steadfastly stuck to the position of avoiding breaking changes, which means that many of their APIs still have fundamentally broken conceptually -- for instance it is virtually impossible to write a WP plugin without using WP's global variables, and the database library still auto-escapes your input data a-la 'magic quotes'.

    The rest of the PHP world has moved on from stuff like this and swallowed the need to break compatibility but WP has got such a big legacy of plugins and people relying on them that they just can't seem to move forward.

    They can keep plugging the holes as they find them, but honestly, without major architectural changes, the platform is not fit for purpose and should not be used.

    Compare with Drupal, which has a similar lineage, but has had several major overhauls to its code-base, and today has a reasonably well-written core. Or compare with Joomla, which had the advantage of being properly architected from day one and has always had a well-structured core, but even then has not been afraid to break compatibility when they needed to move forward.

    I'm not saying that those platforms (or any others) are perfect, but they are fundamentally better quality than WordPress at a deep level. I challenge anyone using WordPress to justify why they continue using it.

    Applications like WordPress (and to an even greater extent, some of its plugins) are the reason why PHP continues to have a poor reputation among some developers. The language itself and its ecosystem have moved forward, but WP remains stuck in the past.

    1. seanb-uk

      Justify using Wordpress? I guess people use it because it's easy, it's included with cheap hosting packages (or you can have Wordpress host it for you), and the huge variety of plugins make it flexible.

      It's possible for almost anyone to set up a quick blog with more features than, say, Blogger. I don't know how it compares with the point and click setups (maybe Wix, judging purely by their ads - no personal experience to judge), but that's the justification. People don't care about the details - they want a pretty website easily and quickly.

      I'm sympathetic to that, but less sympathetic towards businesses that rely on Wordpress, shoehorning shopping carts and other add-ons onto a platform that really isn't designed for that kind of content.

      1. Spudley

        I'm sympathetic to that, but less sympathetic towards businesses that rely on Wordpress, shoehorning shopping carts and other add-ons onto a platform that really isn't designed for that kind of content.

        Yeah, those are the people I was thinking of when I said to justify using it.

        I also point my finger at the agencies that encourage those businesses to use it. These people use and develop for WordPress at a deep level all day every day. They must be aware of the issues, and yet they just don't seem to be able to wean themselves off the platform.

    2. wolfetone Silver badge

      "Compare with Drupal, which has a similar lineage, but has had several major overhauls to its code-base, and today has a reasonably well-written core."

      I would sooner shit out a hedgehog backwards than work with Drupal. It's awful. Always has been, continues to be so. Even the inclusion of Symfony components don't improve it. And I say this as a guy who, too, would take the hedgehog than use WordPress.

      WordPress is the darling of the web agency world, just because it's so easy to set up and expand with 3rd party plugins. Plus you have the benefit of outsourcing WordPress builds to those in India while you stay in the UK and drum up more business. Business from those businesses who don't give a shiney shite about how the website works, they just want a website "To get to the top of Google".

      But then what happens when WordPress needs updating? A vanishingly small amount of agencies will update them when needed, but how long do you do that for a website that paid £5,000 8 years ago and only pays you the minimum for hosting? More often than not (like I've said many times before) the agencies either don't bother, care, or charge the customer for the updates. If the customer says no, the site doesn't get updated. Putting their site at risk, which is a horrific thought when you consider what @Spudley mentioned, as these sites have shopping carts etc added.

      It's horrific software that exists because it gets the job done for the most minimal of outlays both in terms of time and developer resources.

  8. David Gosnell

    Good riddance

    Only a couple of days ago I shook off the one and only WordPress website I hosted, on an "as is" goodwill basis, after it showed me little reciprocal goodwill. A hacker (I hesitate even to use the term, it was obviously so easy) managed to walk straight in and make a heck of a mess. Whether it was due to this vulnerability I have no idea, and now no longer especially care.

  9. Anonymous Coward
    Anonymous Coward

    Alternatives to WordPress?

    I knew that WordPress had been rightly criticised for having had poor code in the past, but I didn’t know that it was still built on foundations of sand; I had hoped that the cruft would have been gradually removed during various major updates. Unfortunately, it rather sounds as though it has become the Matt’s Script Archive of the CMS world, pun intended.

    As others have said, WordPress is popular because it is popular, and so, as well as being easy to install, it has a large ecosystem developed around it and a large user/support base.

    If WordPress really still is considerably flawed from the ground up, what similar open source blogging platform or lightweight CMS would any of you recommend in preference instead?

    1. wolfetone Silver badge

      Re: Alternatives to WordPress?

      OctoberCMS is a good alternative.

      1. Kiwi Silver badge
        Pint

        Re: Alternatives to WordPress?

        OctoberCMS is a good alternative.

        Thanks! Been looking for one that ticks a few boxes, and may've actually found it finally!

    2. Spudley

      Re: Alternatives to WordPress?

      If WordPress really still is considerably flawed from the ground up, what similar open source blogging platform or lightweight CMS would any of you recommend in preference instead?

      Almost any of them will be a better choice than WP to be honest, but it depends what you're looking for.

      If you're looking for a good ecosystem beyond the core CMS (ie plenty of plugins and support), try Joomla.

      If you're looking for a platform with a reputation for scalability, look at Drupal.

      If you're looking for a good newcomer that majors on clean code and ease of use, try OctoberCMS.

      If you're looking for a free CMS but with commercial backing, try CraftCMS

      If you're looking for a focus on security, try Concrete5.

      But that's just the first few I could think of, and all in the PHP world. There's a mountain of other competing CMS platforms out there. Not many of them are trying to be WordPress because WP themselves have that market well and truly cornered, but they all have their strengths. It's worth trying out a few to see which works best for you.

  10. myhandler

    Only just spotted this - upgraded the personal WP site I maintain.

    Looking at Mr Ferrara's post it seems that WP still uses the mysql database driver, not PDO (or mysqli).

    How long has it been deprecated ? Six years? That's inexcusable.

    But I still don't see why fixing it properly should break plugins?

    1. Spudley

      Looking at Mr Ferrara's post it seems that WP still uses the mysql database driver, not PDO (or mysqli).

      How long has it been deprecated ? Six years? That's inexcusable.

      But I still don't see why fixing it properly should break plugins?

      It can't be using the old mysql driver because WordPress supports PHP 7 which no longer includes it. However, it does use its own database wrapper. This wrapper has been upgraded so it doesn't use the mysql driver any more, but it still exposes the same original API that it always did, so it isn't using any modern DB techniques internally like prepared statements, even though it is internally using a DB driver that would support them.

      Worse than that, the API was written to emulate prepared statements, and a number of recent WP flaws (including this one) have come about as a direct result of the poor quality implementation of this feature.

      So it may not be using the mysql driver, but it may as well be, because it the API it presents dates back to the days of that driver and carries with it all the flaws and compromises that were made back when it was first written. And you're right, that is inexcusable.

      The sad thing is that they really can't fix it, because fixing it would completely break the entire WordPress ecosystem.

      It would indeed break all the plugins because the only way to fix it properly is to radically overhaul WP's DB library, including the API that it exposes, which is of course used by every WP plugin there is.

  11. Solarflare

    If your websites use WordPress, put down that coffee and upgrade to 4.8.3. Thank us later it down.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019