
Mysterious spike in WordPress hacks silently delivers ransomware to visitors - pavornyoh
http://arstechnica.com/security/2016/02/mysterious-spike-in-wordpress-hacks-silently-delivers-ransomware-to-visitors/
======
thecodemonkey
Hacks like these are scary, and unfortunately they happen way too often.

The fundamental problem here is that it's a "cat and mouse" game. As soon as
your WP install has been patched, it's just a matter of time before a new
vulnerability is discovered.

Shameless plug: We built a WordPress hosting platform[1] that protects your
entire website by only making a static copy of the site publicly available.

[1] https://spudpress.com/

~~~
lightlyused
Why are they scary? The fact that the wordpress code base can be exploited in
ways the developers didn't think of is not scary, it is stupid. If there was
ever a code base that needs rewriting, I give you wordpress.

~~~
arpa
Wordpress is a glorious example of a wrong product gaining popularity for all
the right reasons. I mean, it's bad. It's extremely, extremely, extremely bad.
You look at the code and you see an army of monkeys happily shitting line
after line of spaghetti; you open up the database only to see hundreds of tables
painfully obviously created by people who might have heard the phrase "database
normalization", but never looked it up; you try to make it do anything other
than blogging (e.g. add another language), and you end up in horrible pain. But
you open up the admin and suddenly you understand why it's popular. Its design is
sleek. The end user will never know the horror that lurks underneath it. It
has myriads of plugins written by worse hacks than the WP core team, but the user
will never know that, for he has no knowledge. It has seas of free templates
(some of which contain dubious php code), but hey, they are free and they look
good. And damn, it's popular, and that many people just can't be wrong. After
all, if you say it's bad and should be nuked from orbit just to be sure, it's
you who's wrong - because you haven't done any better, and that is sufficient
grounds for calling you incompetent... TL;DR: exploits in wordpress? I would
have told you so _years_ ago.

~~~
scotchio
> Hundreds of tables?

Not picking sides on this whole thing - but cutting the sensationalism on this
comment a bit.

WordPress's default database structure isn't complex at all. If you have an
abnormally large number of tables, that's probably because you're using a
bunch of plugins to do simple, easy things - your own self-created Hell that
you kind of deserve for being a plugin-crazy, lazy developer.

There are basically these main tables to care about:

- `wp_posts`: for posts...

- `wp_postmeta`: for post meta...

- `wp_options`: for global defaults...

- `wp_terms`: for taxonomies...

- `wp_users`: for users...

- Some others / relationships / comments / etc...

Pretty simple - nothing complex going on at all. The biggest problem used to
be that there wasn't a meta table for `wp_terms`. The "standard" was to
actually save taxonomy/term meta in the `wp_options` table with its own key-value
reference. Terribly not normalized, terribly inefficient at scale.

My beef has never been too many tables but the lack of tables. There
definitely needed to be a `wp_termmeta` table. Fortunately, it was added in
WordPress 4.4. For perspective though, I think that was only a month ago.

~~~
lightlyused
Meta tables are a horrible design pattern. Yes, let's serialize our data and
shove it all into one column.

