Updated your WordPress plugins lately? Here are 320,000 auth-bypassing reasons why you should

A pair of widely used WordPress plugins need to be patched on more than 320,000 websites to close down vulnerabilities that can be exploited to gain admin control of the web publishing software. The team at WebArx, a security firm specializing in WordPress and other CRM and publishing platforms, took credit for discovering and …

  1. john.jones.name
    Mushroom

    security as default

    I wish wordpress would include better security:

    CSP

    DNSSEC checks

    X-XSS-Protection

    Referrer-Policy

    X-Content-Type

    it really is not that hard to fold into the core

  2. sbt Silver badge
    Facepalm

    Are WordPress plugin developers the worst, or ...

    ... is it just the platform is particularly vulnerable? It's like the replacement for Adobe Flash in the low security stakes.

    1. DougMac

      Re: Are WordPress plugin developers the worst, or ...

I think it just attracts the sort of people that shouldn't be coding, based on my dealings with "Word Press Web Designers".

The ones that ask me how to get access to their CSS, I point to the file, and they have no idea what I'm talking about. CSS doesn't go into a _file_. It's _in_ the website.

    2. brotherelf
      Pint

      Re: Are WordPress plugin developers the worst, or ...

      There's also option c: it has enough market share to make this a headline. (Almost a decade with a Python-based CMS lets me assure you: people can code crap in any language.)

      And always, there's option ℵ₀: all of the above.

    3. rmason Silver badge

      Re: Are WordPress plugin developers the worst, or ...

      I agree.

It's not that wordpress is bad, per se, it's that it's allowed an entire flood of "web developers" who really mean "I pick a nice template/theme then it's just next-next-next-fill in text boxes-next-done."

      1. Anonymous Coward
        Anonymous Coward

        Re: Are WordPress plugin developers the worst, or ...

        “ an entire flood of "web developers" who really mean "I pick a nice template/theme then it's just next-next-next-fill in text boxes-next-done.”

Nothing wrong with that at all. It's essentially no different to you writing a letter using a word processor made by MS, LibreOffice, etc, rather than you coding your own word processor from scratch!

        1. DCFusor Silver badge

          Re: Are WordPress plugin developers the worst, or ...

          Wrong comparison. It's like using all fill-in defaults - that only speak to default questions, vs learning to structure and write English paragraphs correctly - or how to tell a story, or how to communicate a concept, not compared to writing your own set of ignorant defaults.

    4. GiantKiwi

      Re: Are WordPress plugin developers the worst, or ...

Not at all, Drupal has some quite awful vulnerabilities in it produced by developers who've stopped maintaining the modules despite lots of users still having them active, but it doesn't get the same coverage because of its pitiful market share. The sector I work in believes Drupal to be all singing, all dancing, lord of all - whereas I'd quite like to drop its use into the Marianas Trench.

      1. moiety Silver badge

        Re: Are WordPress plugin developers the worst, or ...

        You have to take Drupal to bits to update it too. Or did, last time I used it. Which means that updating gets delayed because it's a pain in the arse. Compare that with Wordpress' "Update Now" button.

    5. NATTtrash

      Re: Are WordPress plugin developers the worst, or ...

      ...WordPress is an extremely popular target for attackers...

      Very true. If I only got money for every time...

      2020-01-15,08:09:14,137.74.176.165,404,GET,/wp-admin/install.php

      2020-01-15,08:09:37,137.74.176.165,404,GET,/blog/wp-admin/install.php

      2020-01-15,08:09:55,137.74.176.165,404,GET,/wp/wp-admin/install.php

      2020-01-15,08:10:08,137.74.176.165,404,GET,/wordpress/wp-admin/install.php

      2020-01-15,08:10:21,137.74.176.165,404,GET,/new/wp-admin/install.php

      2020-01-15,08:10:39,137.74.176.165,404,GET,/old/wp-admin/install.php

      2020-01-15,08:11:20,137.74.176.165,404,GET,/test/wp-admin/install.php

      2020-01-15,08:11:59,137.74.176.165,404,GET,/main/wp-admin/install.php

      2020-01-15,08:12:12,137.74.176.165,404,GET,/site/wp-admin/install.php

      2020-01-15,08:12:26,137.74.176.165,404,GET,/backup/wp-admin/install.php

      2020-01-15,08:12:39,137.74.176.165,404,GET,/demo/wp-admin/install.php

      2020-01-15,08:12:59,137.74.176.165,404,GET,/home/wp-admin/install.php

      2020-01-15,08:13:16,137.74.176.165,404,GET,/tmp/wp-admin/install.php

      2020-01-15,08:13:36,137.74.176.165,404,GET,/cms/wp-admin/install.php

      2020-01-15,08:13:54,137.74.176.165,404,GET,/dev/wp-admin/install.php

      2020-01-15,08:14:09,137.74.176.165,404,GET,/portal/wp-admin/install.php

      2020-01-15,08:14:27,137.74.176.165,404,GET,/web/wp-admin/install.php

      2020-01-15,08:14:50,137.74.176.165,404,GET,/assets/wp-admin/install.php

      2020-01-15,08:15:09,137.74.176.165,404,GET,/temp/wp-admin/install.php

      2020-01-15,08:15:28,137.74.176.165,404,GET,/2018/wp-admin/install.php

      2020-01-15,08:15:47,137.74.176.165,404,GET,/2019/wp-admin/install.php

      2020-01-15,08:16:06,137.74.176.165,404,GET,/bk/wp-admin/install.php

      2020-01-15,08:16:29,137.74.176.165,404,GET,/wp1/wp-admin/install.php

      2020-01-15,08:16:50,137.74.176.165,404,GET,/wp2/wp-admin/install.php

      2020-01-15,08:17:08,137.74.176.165,404,GET,/v1/wp-admin/install.php

      2020-01-15,08:17:26,137.74.176.165,404,GET,/v2/wp-admin/install.php

      1. Bronek Kozicki Silver badge
        Happy

        Re: Are WordPress plugin developers the worst, or ...

        Dude, that's way too many bad requests from a single IP, I do recommend you use something like fail2ban :)

        1. Peter X

          Re: Are WordPress plugin developers the worst, or ...

          ^ this.

          But if anyone needs it, here's my current list of OVH banned IPs (it's _always_ OVH that keep hammering away):

          iptables -A badbot-ovh -s 5.135.0.0/16 -j DROP

          iptables -A badbot-ovh -s 5.196.0.0/16 -j DROP

          iptables -A badbot-ovh -s 37.187.0.0/16 -j DROP

          iptables -A badbot-ovh -s 46.105.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.38.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.68.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.75.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.77.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.83.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.89.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.91.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.161.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.178.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.195.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.210.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.222.0.0/16 -j DROP

          iptables -A badbot-ovh -s 51.254.0.0/15 -j DROP

          iptables -A badbot-ovh -s 54.36.0.0/15 -j DROP

          iptables -A badbot-ovh -s 54.37.0.0/16 -j DROP

          iptables -A badbot-ovh -s 54.38.0.0/16 -j DROP

          iptables -A badbot-ovh -s 54.39.0.0/16 -j DROP

          iptables -A badbot-ovh -s 66.70.128.0/17 -j DROP

          iptables -A badbot-ovh -s 79.137.0.0/17 -j DROP

          iptables -A badbot-ovh -s 87.98.128.0/17 -j DROP

          iptables -A badbot-ovh -s 91.121.0.0/16 -j DROP

          iptables -A badbot-ovh -s 91.134.0.0/16 -j DROP

          iptables -A badbot-ovh -s 92.222.0.0/16 -j DROP

          iptables -A badbot-ovh -s 94.23.0.0/16 -j DROP

          iptables -A badbot-ovh -s 139.99.0.0/16 -j DROP

          iptables -A badbot-ovh -s 142.44.160.0/22 -j DROP

          iptables -A badbot-ovh -s 144.217.0.0/16 -j DROP

          iptables -A badbot-ovh -s 145.239.0.0/16 -j DROP

          iptables -A badbot-ovh -s 147.135.0.0/17 -j DROP

          iptables -A badbot-ovh -s 147.135.128.0/17 -j DROP

          iptables -A badbot-ovh -s 149.56.0.0/16 -j DROP

          iptables -A badbot-ovh -s 151.80.0.0/16 -j DROP

          iptables -A badbot-ovh -s 158.69.0.0/16 -j DROP

          iptables -A badbot-ovh -s 164.132.0.0/16 -j DROP

          iptables -A badbot-ovh -s 167.114.0.0/16 -j DROP

          iptables -A badbot-ovh -s 176.31.0.0/16 -j DROP

          iptables -A badbot-ovh -s 178.32.0.0/15 -j DROP

          iptables -A badbot-ovh -s 188.165.0.0/16 -j DROP

          iptables -A badbot-ovh -s 192.99.0.0/16 -j DROP

          iptables -A badbot-ovh -s 193.70.0.0/17 -j DROP

          iptables -A badbot-ovh -s 198.27.64.0/18 -j DROP

          iptables -A badbot-ovh -s 198.100.144.0/20 -j DROP

          iptables -A badbot-ovh -s 198.245.48.0/20 -j DROP

          iptables -A badbot-ovh -s 213.32.0.0/17 -j DROP

          iptables -A badbot-ovh -s 217.182.0.0/16 -j DROP

          1. Anonymous Coward
            Anonymous Coward

            That's a bit overkill, say what you like about OVH - Not ALL of their network is full of spamming morons.

We have a fair chunk of stuff on there and if you accidentally spin up a bog-standard Server 2016 (I may or may not have done this recently, whilst distracted) instance on a public facing IP, in its vanilla format it'll spew out DNS amplification attacks. OVH auto-nuked the instance within the hour, so they are actually quite pro-active with spammy stuff and we're a legitimate partner - let alone a rogue individual spinning up VPSes solely for scanning/hacking.

      2. Sgt_Oddball Silver badge
        Happy

        Re: Are WordPress plugin developers the worst, or ...

I used to have a background script running that would poll the logs for just such a value and then block the IP address.

        Always found it to be very helpful towards my stress levels since I could check the firewall logs and smirk at the legions of IPs I was blocking.

Basic, but considering my server had no WordPress (or even PHP) any such attempts at visiting those URLs must be naughty and thus deserving of a smiting.

  3. Bronek Kozicki Silver badge
    Trollface

    I love WordPress

    ... it gives me such a lovely honeypot for my fail2ban rules!

    % cat filter.d/nginx-php.conf

    # There are no PHP sites here, so all .php requests are from hackers only

    [Definition]

    failregex = ^<HOST> -.*"(PUT|GET|POST|HEAD|PATCH|DELETE).*\.php([^a-z0-9 ][^ ]*)? HTTP.*"

    ignoreregex =

    1. waldo kitty

      Re: I love WordPress

      failregex = ^<HOST> -.*"(PUT|GET|POST|HEAD|PATCH|DELETE).*\.php([^a-z0-9 ][^ ]*)? HTTP.*"

      that looks like the beginnings of a snort or suricata IDS/IPS rule ;)
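The two detection ideas in this thread, NATTtrash's CSV log of `install.php` probes from one address and Bronek Kozicki's fail2ban `failregex` for any `.php` request on a host that serves no PHP, combine naturally into one small log-driven banner. The block below is an added example written for this page; it is not code from any commenter, nor from fail2ban or iptables. It substitutes fail2ban's `<HOST>` placeholder with a named capture group (which is what fail2ban does internally), applies a sliding `maxretry`/`findtime` window the way fail2ban does, and renders the decisions as `iptables ... -j DROP` commands in the style Peter X posted. The nginx-format lines and the hosts 198.51.100.x and 203.0.113.9 are constructed from documentation address ranges; the CSV lines are the first six NATTtrash quoted.

```python
"""Fail2ban-style banning over the two log formats shown in the comments.

Added example, not code from the thread, fail2ban or iptables. The nginx
lines and the 198.51.100.x / 203.0.113.9 hosts are constructed samples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Bronek's failregex, with fail2ban's <HOST> placeholder replaced by a named
# capture group (fail2ban performs this substitution itself when loading it).
FAILREGEX = re.compile(
    r'^(?P<host>\S+) -.*"(PUT|GET|POST|HEAD|PATCH|DELETE)'
    r'.*\.php([^a-z0-9 ][^ ]*)? HTTP.*"'
)
# Timestamp field of the nginx combined log format: [15/Jan/2020:08:20:01 +0000]
NGINX_TS = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')


def parse_nginx(line):
    """Return (ip, timestamp) when a combined-format line trips the filter."""
    m = FAILREGEX.match(line)
    ts = NGINX_TS.search(line)
    if not m or not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")


def parse_csv(line):
    """NATTtrash's layout: date,time,ip,status,method,path. Flag .php paths."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    date, time, ip, _status, _method, path = parts
    if not path.split("?")[0].lower().endswith(".php"):
        return None
    return ip, datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def find_bans(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Ban a host that produced >= maxretry hits inside any findtime window.

    Returns {ip: time the threshold was crossed}. Hosts that probe slowly
    (fewer than maxretry hits in any window) are deliberately left alone.
    """
    per_host = defaultdict(list)
    for ip, when in events:
        per_host[ip].append(when)
    banned = {}
    for ip, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > findtime:  # slide window start
                start += 1
            if end - start + 1 >= maxretry:
                banned[ip] = times[end]
                break
    return banned


# Constructed sample input. First six lines: the probe quoted in the thread.
SAMPLE_CSV = """\
2020-01-15,08:09:14,137.74.176.165,404,GET,/wp-admin/install.php
2020-01-15,08:09:37,137.74.176.165,404,GET,/blog/wp-admin/install.php
2020-01-15,08:09:55,137.74.176.165,404,GET,/wp/wp-admin/install.php
2020-01-15,08:10:08,137.74.176.165,404,GET,/wordpress/wp-admin/install.php
2020-01-15,08:10:21,137.74.176.165,404,GET,/new/wp-admin/install.php
2020-01-15,08:10:39,137.74.176.165,404,GET,/old/wp-admin/install.php
"""
# Constructed nginx lines: one fast .php scanner, one slow one, one normal client.
SAMPLE_NGINX = "\n".join(
    [f'198.51.100.7 - - [15/Jan/2020:08:2{t} +0000] "GET /wp-login.php?action=x HTTP/1.1" 404 162 "-" "-"'
     for t in ("0:01", "0:05", "0:09", "1:00", "2:30")]
    + [f'203.0.113.9 - - [15/Jan/2020:{t} +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "-"'
       for t in ("08:00:00", "08:20:00", "08:40:00", "09:00:00", "09:20:00")]
    + ['198.51.100.8 - - [15/Jan/2020:08:30:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
       '198.51.100.8 - - [15/Jan/2020:08:31:00 +0000] "GET /old.php HTTP/1.1" 404 162 "-" "-"']
)


def run(csv_text=SAMPLE_CSV, nginx_text=SAMPLE_NGINX):
    """Parse both logs and return the ban decisions."""
    events = [h for h in map(parse_csv, csv_text.splitlines()) if h]
    events += [h for h in map(parse_nginx, nginx_text.splitlines()) if h]
    return find_bans(events)


def iptables_rules(banned, chain="badbot"):
    """Render decisions as the kind of rules Peter X posted (chain is assumed)."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    for rule in iptables_rules(run()):
        print(rule)
```

The slow host 203.0.113.9 is the caveat worth noticing: it trips the regex five times but never within ten minutes, so a `findtime` threshold alone misses it, which is why people in this thread also keep static range lists. Whether that trade-off is right depends on the box; as the Anonymous Coward reply notes, blocking whole hosting-provider /16s catches legitimate tenants too.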

  4. Claverhouse Silver badge
    Mushroom

    Auftragstaktik is Actually Best Practice

    My own shuttered WordPress site will eventually be converted to either a flat html or some other platform.

    Mostly because of their filthy motto, the fascist 'Decisions, Not Options', which translates as 'Developers Decide, Little User', and is really the most offensive decision on the Web. Plus the lunatic upgrade frequency which rivals Firefox for stupidity, and the worst parts of PHP as a language.

    But in this instance, because all outside extensions and add-ons are bound to be unmaintained and die eventually as either do their creators or their creators' interest.

    Which means in effect, if it wasn't for their dumb command conceit, had they wrapped useful conceptions from add-on creators into Core, easy to be included or modified or turned off, as in the Linux Kernel --- by Users, as Options there would be far, far less of a problem.

    Their ultimate control would even be enhanced by having everything under their roof: but that would mean letting Users make Decisions and not themselves. And they can't stand that.

    1. Bronek Kozicki Silver badge

      Re: Auftragstaktik is Actually Best Practice

For a full flat HTML I recommend Hugo - a really simple and fast static website generator, with lots of themes to choose from. Be prepared for frequent updates, though (to make it simpler I created build-hugo).

  5. JohnFen Silver badge

    I removed WordPress

    Personally, I just stopped using WordPress entirely. The attack surface is too large, and for my purposes, WordPress wasn't really giving me anything more than convenience. So away it went!


Biting the hand that feeds IT © 1998–2020