Thank you, Mr. Ferrara.
If your websites use WordPress, put down that coffee and upgrade to 4.8.3. Thank us later
WordPress has a security patch out for a programming blunder that you should apply ASAP. The fix addresses a flaw that can be potentially exploited by hackers to hijack and take over WordPress-powered websites, by injecting malicious SQL database commands. The core installation of WordPress is not directly affected, we're …
COMMENTS
Wednesday 1st November 2017 01:30 GMT Fruit and Nutcase
Re: It is 2017 and paid devs have not heard of bind variables
It is 2017 and "Injection" is still #1 on the OWASP Top 10
https://www.owasp.org/index.php/Top_10_2017-A1-Injection
If you are a developer and not heard of OWASP - well, better late than never...
Wednesday 1st November 2017 10:05 GMT Spudley
Re: It is 2017 and paid devs have not heard of bind variables
It is 2017 and paid devs have not heard of bind variables
It's 2017, and people are still using WordPress, which hasn't updated the APIs for its database library in over a decade, in the name of backward compatibility.
[Almost] everyone else in the PHP world has moved on and is using proper variable binding on their DB queries, but WP is stuck in the past.
WP does in fact pretend to do variable binding -- you pass an array of variables into a method called prepare(), just as you would expect. But internally, it then uses basic string replacement to embed those variables into the actual query. Go and look at Ferrara's blog post to see the full horror of the code for WPDB::prepare. If you're using WordPress, then you are using this code. Go and read it and understand it. Now take a step back and rethink your choice of CMS.
Wednesday 1st November 2017 00:31 GMT James Ashton
Re: It's better than Windows
The 4.7.7 update is just exactly the same patch as the 4.8.3 patch. WordPress appears to apply security patches to older versions going back a long way, which is nice. Updating from a 4.7 to a 4.8 release is not necessary for security reasons and will probably change the way your site looks, or even break it if you use customisations or plug-ins.
Best practice would be to have a test site to try any upgrade first, before upgrading your production site. I usually just risk it and allow auto-updates for patches that only increment the third part of the version number but changes in the second number are too dangerous to skip testing if your site is commercial.
Wednesday 1st November 2017 09:49 GMT Spudley
While the veep acknowledged that many of the people working on WordPress are volunteers, he expressed frustration at the group's attitude towards security.
This.
This is why I refuse to allow any project I'm involved in to use WordPress.
WP is a platform with a history of poor quality code. Unlike other platforms with similar history, they have steadfastly stuck to the position of avoiding breaking changes, which means that many of their APIs are still fundamentally broken conceptually -- for instance it is virtually impossible to write a WP plugin without using WP's global variables, and the database library still auto-escapes your input data à la 'magic quotes'.
The rest of the PHP world has moved on from stuff like this and swallowed the need to break compatibility, but WP has got such a big legacy of plugins and people relying on them that they just can't seem to move forward.
They can keep plugging the holes as they find them, but honestly, without major architectural changes, the platform is not fit for purpose and should not be used.
Compare with Drupal, which has a similar lineage, but has had several major overhauls to its code-base, and today has a reasonably well-written core. Or compare with Joomla, which had the advantage of being properly architected from day one and has always had a well-structured core, but even then has not been afraid to break compatibility when they needed to move forward.
I'm not saying that those platforms (or any others) are perfect, but they are fundamentally better quality than WordPress at a deep level. I challenge anyone using WordPress to justify why they continue using it.
Applications like WordPress (and to an even greater extent, some of its plugins) are the reason why PHP continues to have a poor reputation among some developers. The language itself and its ecosystem have moved forward, but WP remains stuck in the past.
Wednesday 1st November 2017 10:48 GMT seanb-uk
Justify using WordPress? I guess people use it because it's easy, it's included with cheap hosting packages (or you can have WordPress host it for you), and the huge variety of plugins make it flexible.
It's possible for almost anyone to set up a quick blog with more features than, say, Blogger. I don't know how it compares with the point and click setups (maybe Wix, judging purely by their ads - no personal experience to judge), but that's the justification. People don't care about the details - they want a pretty website easily and quickly.
I'm sympathetic to that, but less sympathetic towards businesses that rely on WordPress, shoehorning shopping carts and other add-ons onto a platform that really isn't designed for that kind of content.
Wednesday 1st November 2017 11:10 GMT Spudley
I'm sympathetic to that, but less sympathetic towards businesses that rely on WordPress, shoehorning shopping carts and other add-ons onto a platform that really isn't designed for that kind of content.
Yeah, those are the people I was thinking of when I said to justify using it.
I also point my finger at the agencies that encourage those businesses to use it. These people use and develop for WordPress at a deep level all day every day. They must be aware of the issues, and yet they just don't seem to be able to wean themselves off the platform.
Wednesday 1st November 2017 11:10 GMT wolfetone
"Compare with Drupal, which has a similar lineage, but has had several major overhauls to its code-base, and today has a reasonably well-written core."
I would sooner shit out a hedgehog backwards than work with Drupal. It's awful. Always has been, continues to be so. Even the inclusion of Symfony components doesn't improve it. And I say this as a guy who, too, would take the hedgehog than use WordPress.
WordPress is the darling of the web agency world, just because it's so easy to set up and expand with 3rd party plugins. Plus you have the benefit of outsourcing WordPress builds to those in India while you stay in the UK and drum up more business. Business from those businesses who don't give a shiny shite about how the website works, they just want a website "To get to the top of Google".
But then what happens when WordPress needs updating? A vanishingly small number of agencies will update them when needed, but how long do you do that for a website that paid £5,000 8 years ago and only pays you the minimum for hosting? More often than not (like I've said many times before) the agencies either don't bother, care, or charge the customer for the updates. If the customer says no, the site doesn't get updated, putting their site at risk, which is a horrific thought when you consider what @Spudley mentioned, as these sites have shopping carts etc added.
It's horrific software that exists because it gets the job done for the most minimal of outlays both in terms of time and developer resources.
Wednesday 1st November 2017 14:29 GMT David Gosnell
Good riddance
Only a couple of days ago I shook off the one and only WordPress website I hosted, on an "as is" goodwill basis, after it showed me little reciprocal goodwill. A hacker (I hesitate even to use the term, it was obviously so easy) managed to walk straight in and make a heck of a mess. Whether it was due to this vulnerability I have no idea, and now no longer especially care.
Wednesday 1st November 2017 21:21 GMT Anonymous Coward
Alternatives to WordPress?
I knew that WordPress had been rightly criticised for having had poor code in the past, but I didn’t know that it was still built on foundations of sand; I had hoped that the cruft would have been gradually removed during various major updates. Unfortunately, it rather sounds as though it has become the Matt’s Script Archive of the CMS world, pun intended.
As others have said, WordPress is popular because it is popular, and so, as well as being easy to install, it has a large ecosystem developed around it and a large user/support base.
If WordPress really still is considerably flawed from the ground up, what similar open source blogging platform or lightweight CMS would any of you recommend in preference instead?
Thursday 2nd November 2017 14:32 GMT Spudley
Re: Alternatives to WordPress?
If WordPress really still is considerably flawed from the ground up, what similar open source blogging platform or lightweight CMS would any of you recommend in preference instead?
Almost any of them will be a better choice than WP to be honest, but it depends what you're looking for.
If you're looking for a good ecosystem beyond the core CMS (ie plenty of plugins and support), try Joomla.
If you're looking for a platform with a reputation for scalability, look at Drupal.
If you're looking for a good newcomer that majors on clean code and ease of use, try OctoberCMS.
If you're looking for a free CMS but with commercial backing, try CraftCMS.
If you're looking for a focus on security, try Concrete5.
But that's just the first few I could think of, and all in the PHP world. There's a mountain of other competing CMS platforms out there. Not many of them are trying to be WordPress because WP themselves have that market well and truly cornered, but they all have their strengths. It's worth trying out a few to see which works best for you.
Thursday 2nd November 2017 13:58 GMT myhandler
Only just spotted this - upgraded the personal WP site I maintain.
Looking at Mr Ferrara's post it seems that WP still uses the mysql database driver, not PDO (or mysqli).
How long has it been deprecated? Six years? That's inexcusable.
But I still don't see why fixing it properly should break plugins?
Thursday 2nd November 2017 14:45 GMT Spudley
Looking at Mr Ferrara's post it seems that WP still uses the mysql database driver, not PDO (or mysqli).
How long has it been deprecated? Six years? That's inexcusable.
But I still don't see why fixing it properly should break plugins?
It can't be using the old mysql driver because WordPress supports PHP 7 which no longer includes it. However, it does use its own database wrapper. This wrapper has been upgraded so it doesn't use the mysql driver any more, but it still exposes the same original API that it always did, so it isn't using any modern DB techniques internally like prepared statements, even though it is internally using a DB driver that would support them.
Worse than that, the API was written to emulate prepared statements, and a number of recent WP flaws (including this one) have come about as a direct result of the poor quality implementation of this feature.
So it may not be using the mysql driver, but it may as well be, because the API it presents dates back to the days of that driver and carries with it all the flaws and compromises that were made back when it was first written. And you're right, that is inexcusable.
The sad thing is that they really can't fix it, because fixing it would completely break the entire WordPress ecosystem.
It would indeed break all the plugins because the only way to fix it properly is to radically overhaul WP's DB library, including the API that it exposes, which is of course used by every WP plugin there is.
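The escape-and-splice style of "prepare" that Spudley describes in both of his comments above (variables embedded into the query text by string replacement rather than bound by the driver), set beside real driver-level binding, as an added illustration that is not WordPress's WPDB code and not taken from Ferrara's post. The emulation here is a hypothetical minimal version, the sample rows are constructed, and sqlite3 stands in for MySQL; the property shown (data containing a format marker is reinterpreted when the emulated text is prepared a second time, while bound data is never parsed as SQL) holds for any string-splicing emulation, not only this one.

```python
"""Emulated vs real parameter binding (added illustration, not WordPress code).

emulated_prepare() is a hypothetical stand-in for an escape-and-interpolate
"prepare": values are escaped and spliced into the SQL text, so the database
still receives a single string, and a '%' that sits inside data can be picked
up as a format marker if the text passes through the emulation again.
query_bound() uses the driver's own placeholders: SQL text and data travel
separately and are only joined inside the database engine.
"""
import sqlite3

# Constructed sample rows; the second title deliberately contains a '%s'.
SEED_TITLES = ["O'Reilly on SQL", "100%s sure", "plain"]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts (title) VALUES (?)",
                     [(t,) for t in SEED_TITLES])
    return conn


def emulated_prepare(sql: str, params) -> str:
    """Hypothetical emulation: double single quotes, wrap in quotes, splice in."""
    quoted = tuple("'" + str(p).replace("'", "''") + "'" for p in params)
    return sql % quoted


def query_emulated(conn, sql: str, params):
    """Run a %s-style query through the string-splicing emulation."""
    return [row[0] for row in conn.execute(emulated_prepare(sql, params))]


def query_bound(conn, sql: str, params):
    """Run a ?-style query with the driver binding the values itself."""
    return [row[0] for row in conn.execute(sql, params)]


def double_prepare_is_safe(sql: str, params) -> bool:
    """Feed already-prepared text through the emulation once more, as a wrapper
    might when it re-prepares a query it was handed. Returns False when a '%'
    that came from data is reinterpreted as a format marker."""
    first = emulated_prepare(sql, params)
    try:
        return emulated_prepare(first, ()) == first
    except (TypeError, ValueError):
        return False
```

With real binding the title "100%s sure" round-trips untouched no matter how many layers handle the query; with the emulation it is only safe as long as nobody prepares the text twice, which is exactly the kind of layering a plugin ecosystem produces.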