
  Security Threat: WordPress Under Attack  - GVRV
http://www.techcrunch.com/2009/09/05/security-threat-wordpress-under-attack/
======
patio11
I'll admit, this got me to do a quick sweep of my dozen or so WP blogs and
make sure they were all updated. That said, I think it's likely we're seeing
TechCrunch Journalism (TM) in action.

Wordpress security is a pain in the keister, though. You can reduce your risk
by:

1) Making regular backups (I like automysqlbackup.sh.) Comprehensive
compromise of a Wordpress installation is only really recoverable by wiping
and starting over, unless you want to find that your forgotten posts from 3
years ago are linking to viagra pharmacies.

2) Putting every Wordpress installation in its own DB with its own DB user.
Don't use root. I have a script which installs WP for me and creates the new
DB, creates the new user, and gives the user an insanely difficult password
because it will never actually be typed by a human.

3) Making sure the Wordpress directories can't get written to by the server. I
go as far as blocking the uploads, which means I have to do some chmod magic
when uploading things.

4) If you can put up with the nuisance, protect the wp-admin directory at the
web server level, for example by denying all IPs but your own, or by putting
it under HTTP Basic authentication. That will cut down drastically on the
number of automated probes that hit you. You don't have to run faster than the
tiger, you just have to run faster than the other guy the tiger is chasing...

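The four steps above as one script. This is an added example, not patio11's own install script: it generates the SQL for a dedicated database and non-root user with a random 32-character password, locks the file tree so the web server user cannot write to it (uploads included), and emits an Apache 2.2-style block that restricts wp-admin to one address and Basic auth. The names blog1, wp_blog1, 203.0.113.5, /var/www/blog1 and /etc/apache2/wp.htpasswd are placeholders.

```shell
#!/bin/sh
# Added example, not patio11's own install script. Generates the pieces of the
# per-install lockdown he describes. blog1, wp_blog1, 203.0.113.5,
# /var/www/blog1 and /etc/apache2/wp.htpasswd are placeholders.

# 1) A 32-character random password from /dev/urandom. Alphanumerics only, so it
#    can be pasted into SQL and wp-config.php without any quoting trouble.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# 2) SQL for one database and one non-root user per installation. The user
#    gets only the table-level rights WordPress needs, on that database only:
#    no global privileges, no GRANT OPTION, no access to other blogs' data.
wp_db_sql() {
    db="$1"; user="$2"; pass="$3"
    cat <<EOF
CREATE DATABASE \`$db\` DEFAULT CHARACTER SET utf8;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
    ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# 3) Make the tree unwritable by the web server: every file 644, every
#    directory 755, uploads included. Files stay owned by the deploy user, so
#    Apache (running as www-data or similar) can read but never write.
wp_lock_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Symbolic mode string of a path, e.g. "-rw-r--r--" (works with GNU and BSD ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# 4) Apache 2.2-style protection for wp-admin: deny everyone but one address,
#    AND require Basic auth (the default "Satisfy All" makes both mandatory).
#    Goes in the vhost config, or in wp-admin/.htaccess if AllowOverride permits.
wp_admin_acl() {
    dir="$1"; ip="$2"; htpasswd="$3"
    cat <<EOF
<Directory "$dir">
    Order deny,allow
    Deny from all
    Allow from $ip

    AuthType Basic
    AuthName "wp-admin"
    AuthUserFile $htpasswd
    Require valid-user
</Directory>
EOF
}

# Demo with the placeholder values: print the SQL (pipe it into
# 'mysql -u root -p') and the Apache block. wp_lock_perms is not invoked here
# because it changes a real tree; run 'wp_lock_perms /var/www/blog1' after
# unpacking WordPress and again after every manual upload.
PASS=$(gen_password)
wp_db_sql blog1 wp_blog1 "$PASS"
wp_admin_acl /var/www/blog1/wp-admin 203.0.113.5 /etc/apache2/wp.htpasswd
```

The password goes into wp-config.php on the same host and nowhere else, which is why it can be long and unmemorable. Because the grant is scoped to one database, a compromise of one blog through a plugin or theme bug cannot read or modify the tables of the others, and because the tree is unwritable by the server user, a compromised PHP process cannot drop a backdoor into the install directory.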
~~~
nuclear_eclipse
_do a quick sweep of my dozen or so WP blogs and make sure they were all
updated_

If you install and set up Wordpress Mu [1], you can run all those blogs off of
a single installation, and then not only do you have a centralized install to
manage plugins and themes, but it's far easier to keep a single install up to
date compared to twelve or more...

[1] <http://mu.wordpress.org/>

------
mcav
I've swapped out my Wordpress installation in favor of a static HTML site
generated by a couple of Python scripts. Wordpress is great if you need all
that power, but it isn't maintenance-free. Making things static reminded me
how nice it can be to have a site that is essentially immune to attack and
blazing fast, all without the overhead of dynamic page generation. It's cool
that Movable Type does static generation too.

------
restruct
Ironically, TechCrunch itself appears to be running WordPress 2.7.1 instead of
the latest 2.8.

~~~
onreact-com
Yeah. That's pathetic. You should erase any signs of the WP version you
actually use as this is an open invitation for hackers.

Check out: <http://designblurb.com/remove-wordpress-generator-meta-tag-hack/>

~~~
stse
The only thing you're preventing is people reminding you that you have an old
version. Worms, spiders and exploits don't check your version, and someone
checking will just see that you have removed it and try anyway.

~~~
onreact-com
There are still plenty of malicious scripts around that check the version.
More advanced ones can't be fooled by that of course.

------
ig1
WordPress is probably the most heavily attacked web app ever designed. If
you're serious about security then don't use Wordpress, or always keep up with
releases.

~~~
pbhjpbhj
It gets more good attention too - it's better designed, easier to use, looks
good, has a vast range of plugins and templates available for free ...

~~~
tptacek
Wordpress has what is quite possibly _the worst_ security design of any piece
of web software.

~~~
dryicerx
They're no better or worse than any other; they're just heavily attacked since
their use is so widespread.

It's preferable to write an exploit or find a flaw in something so widespread
and carpet bomb them all instead of doing the same for a rarely used piece of
software.

~~~
karanbhangui
You do realize you're talking to a security researcher right?

~~~
tptacek
I'm wrong about security all the time. I like it when people argue with me.
But I'm not wrong this time.

------
JDigital
Are hacked Wordpress installations usually running old versions, or is the
latest Wordpress version usually equally vulnerable?

------
Tichy
Any word on how the debian package fares? It is stuck at version 2.5.1, but
hopefully they provide extra patches?

~~~
ionfish
The WordPress core team don't, to the best of my knowledge. The Debian
maintainers may.

------
_ck_
Install this simple plugin on any version of WordPress to block bad queries
like that:

<http://pastebin.com/f6697b79>

It could easily be expanded to also look at $_POST data which is another form
of attack you'll never see in your logs.

~~~
duskwuff
The bad queries show up _after_ your blog has already been hacked.

~~~
_ck_
Part of the attack is via XSS using $_GET queries that are very long. Apache
defaults to accepting URLs up to 4K long, which is insane and allows such
attacks to happen. 255 characters is a far better lockdown with very few if
any false positives.

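The length check _ck_ describes, turned into a log-side scan. This is an added example and not _ck_'s plugin from the pastebin link: it reads Apache combined-format access log lines and flags every request whose query string is longer than a cutoff, at his suggested 255 bytes. The log lines are constructed for the demo (203.0.113.5, 198.51.100.9 and 192.0.2.77 are documentation addresses), and, as he notes for $_POST data, a POST body never appears in the access log, so a scan like this can only see the GET form of the attack.

```shell
#!/bin/sh
# Added example, not _ck_'s plugin: scans Apache combined-format access log
# lines for GET requests with an overlong query string. The log lines below
# are constructed for the demo, not real traffic; 203.0.113.5, 198.51.100.9
# and 192.0.2.77 are documentation addresses.

# A 300-byte query value, built with awk so the sample stays on one line.
LONG_VALUE=$(awk 'BEGIN { while (i++ < 300) printf "A" }')

SAMPLE_LOG=$(printf '%s\n' \
  '203.0.113.5 - - [05/Sep/2009:10:00:01 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' \
  '203.0.113.5 - - [05/Sep/2009:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"' \
  "198.51.100.9 - - [05/Sep/2009:10:00:03 +0000] \"GET /index.php?s=$LONG_VALUE HTTP/1.1\" 200 4096 \"-\" \"-\"" \
  '192.0.2.77 - - [05/Sep/2009:10:00:04 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"')

# flag_long_queries MAXLEN: reads log lines on stdin and prints
# "<client-ip> <query-length> <path>" for each request whose query string is
# longer than MAXLEN bytes. A POST body is not in the log, so the POST line
# above is invisible to this check no matter what it carried.
flag_long_queries() {
    awk -v max="$1" '
        {
            # In combined format $7 is the request target: "GET <target> HTTP/1.1"
            target = $7
            q = index(target, "?")
            if (q == 0) next                 # no query string at all
            qlen = length(target) - q        # bytes after the "?"
            if (qlen > max)
                printf "%s %d %s\n", $1, qlen, substr(target, 1, q - 1)
        }'
}

# Wrappers over the constructed sample, for the demo and the test.
count_long_queries() {
    printf '%s\n' "$SAMPLE_LOG" | flag_long_queries "$1" | wc -l | tr -d ' '
}
first_flagged_ip() {
    printf '%s\n' "$SAMPLE_LOG" | flag_long_queries "$1" | awk 'NR == 1 { print $1 }'
}

# Demo at the 255-byte cutoff: only the 302-byte "s=AAAA..." request is flagged.
printf '%s\n' "$SAMPLE_LOG" | flag_long_queries 255
```

Against a live server this is `flag_long_queries 255 < /var/log/apache2/access.log`. The cutoff is a tuning knob: a plain blog rarely sends more than a search term and a few IDs in a query string, so 255 produces few false positives, but a site with long form-driven GET URLs should measure its own traffic before choosing one. Apache's `LimitRequestLine` directive can enforce a request-line ceiling server-side; this scan only reports after the fact.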
------
onreact-com
This is just business as usual. Wordpress is under attack constantly. One of
my blogs has been hacked 5 times this year already.

Of course updating is not enough.

That's why the Obama campaign used Movable Type instead of WP.

~~~
jonknee
I thought they used Drupal?

