
New attacks today against Wordpress (lots of sites hacked) - sucuri2
http://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html
======
tptacek
Avoid Wordpress.

Sometimes a short comment is all that's warranted.

~~~
elidourado
Entrepreneurs take note. This is a problem that is not being solved. There are
lots of smallish bloggers out there who want more customization than
Blogger/Wordpress.com/Tumblr/Posterous allow, whose best option is Wordpress
and shared hosting. This is a sucky best option. Do something about this; make
some money solving this problem.

~~~
jerf
This is a Turing Tarpit; the only infinitely customizable blog platform is
"PHP" (or your choice of other actual language). And as your customization
possibility space increases, the customization inevitably starts to look like
a language. Because it is.

That's why nobody's "solved" this problem in the last ten years; you can't
have programming language flexibility without programming language complexity.

~~~
staunch
Wordpress is like Apache or Sendmail. A 500-headed monster. It's simple enough
to use and does everything. It's also sloppy and overgrown. Most people don't
need all the extra stuff it does. Certainly not at the expense of security.

Apache => Nginx

Sendmail => Postfix

Wordpress => _______

That is room for an enterprising open source developer.

~~~
pquerna
I'm sorry, what?

Apache doesn't have security issues at all like Wordpress; you are confusing
FLEXIBILITY with INSECURE software.

~~~
staunch
It's had its fair share of problems. Mostly in the past at this point though.
It is heavily bloated and overgrown compared with something lean and mean like
nginx.

Even if Wordpress didn't have security issues there'd be room for an nginx of
blogging.

------
hkuo
I've been using Movable Type for years, the differentiating factor being that
it generates html pages. No worries about database load. No worries about
database hacking, the only access to the data or files being through the admin
login. The additional ability to customize the code at any depth is a plus
too.

------
whimsy
More alternatives:

Blosxom (perl): <http://www.blosxom.com/>

Jekyll (rb): <http://jekyllrb.com/>

Hyde (py): <http://ringce.com/hyde>

mattwdelong mentioned blogdor (django):
<http://github.com/sunlightlabs/django-blogdor>

bravura suggested Blogofile (py): <http://www.blogofile.com/>

~~~
mgrouchy
I use hyde, it's pretty nice (unlike my blog).

------
sandGorgon
Hey guys - this is a serious question: what is the alternative?

Is there anything that provides 80% of the features of Wordpress at
significantly higher security? What about Textpattern (php), Movable Type
(perl+php), Expression Engine (php), Mephisto (ror), Type (ror)... what?

~~~
aaronbrethorst
Static HTML files driven off a system like Jekyll or Webby, coupled with
comments from Disqus would be significantly more secure. It's also much less
convenient.

~~~
mccutchen
Or run a local WordPress installation and use `wget` to generate a static HTML
mirror suitable for uploading to your server:
[http://www.idlewords.com/2009/09/using_wordpress_to_generate...](http://www.idlewords.com/2009/09/using_wordpress_to_generate_flat_files.htm)

------
sucuri2
Hey,

For anyone having problems cleaning it up, we have a simple script to do it for
you: [http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-l...](http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html)

------
sucuri2
Details of the code are here:

<http://sucuri.net/malware/entry/MW:MROBH:1>

I am wondering what google will do if they keep doing malware to hide from
them. Their blacklist will become useless.

~~~
tptacek
That code doesn't really say anything about how the blogs were compromised, or
anything interesting about what the attackers did with it (yup, they added js
to the page via PHP, like every other WP attack).

~~~
sucuri2
I agree. I wish I knew how they were getting in. All the sites we got access
to so far had no logging enabled.

~~~
Hoff
I have an odd XSS Javascript attack attempt captured in my logs this morning.
It's an XSS attack I've not seen before.

------
shadowsun7
Question: is there _any_ way to make Wordpress more secure? Otherwise, why're
most people here recommending a move away from Wordpress?

(Not saying they're wrong, just ... curious.)

~~~
steveklabnik
The problem stems from a history of flaws in Wordpress' code, not its
administration.

------
ericz
I wonder if Wordpress is especially poor security-wise or simply its
popularity attracts too much bad attention.

~~~
jerf
I wanted to snark "yes", but truthfully, the problem is that Wordpress'
security has been average, not especially bad. The problem is that average is
terrible. Most average products don't get hit with this level of scrutiny, but
certainly the sort of errors that Wordpress makes with frightening regularity
are made by numerous other commercial and open source projects as well.

~~~
tptacek
There are unforced errors in Wordpress. Every web application will have a
cross-site scripting mistake. It takes a special one to have "anonymous
commenter" -> "admin" privilege escalation, or executable style templates.

~~~
jerf
Alas, I could (but won't) name fairly equivalent errors made at a place that I
may or may not work. (If not worse than the ones you mention.) I think the
only place we differ here is our exact level of cynicism. "More cynical than
tptacek" probably means I need to tone it down.

~~~
tptacek
That is my favorite Hacker News comment sentence of the year. Thanks.

------
neurotech1
One thing that was mentioned in the linked page is Fantastico, the
auto-installer for cPanel. I checked and currently they are including WP
2.9.2 (latest) but there is sometimes a delay updating Fantastico. On top of
that, the hosting clients may not know how to update their WP install anyway.

------
bcl
I have seen no evidence that recent problems are anything other than shared
hosting sites getting cracked. Note to admins -- running your system with all
the virtual host files owned by apache is asking for trouble. Use something
like the itk patch for Apache (<http://mpm-itk.sesse.net/>) where each virtual
owns its files and uses normal permission restrictions to control access to
the rest of the system.

Although this won't help those of you who are bone-headed enough to chmod 0777
all of your files...

------
nym
How can one identify if they've been compromised?

Is there any kind of fix?

~~~
pronoiac
Working from [http://www.wpsecuritylock.com/breaking-news-wordpress-hacked...](http://www.wpsecuritylock.com/breaking-news-wordpress-hacked-with-zettapetta-on-dreamhost/):
If your page has references to base64_decode, zettapetta, or
indesignstudioinfo in the source, I'd be worried. For a fix, see
[http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-l...](http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html)

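A defender-side scan for the indicators pronoiac lists (base64_decode, zettapetta, indesignstudioinfo) plus the eval-of-a-decoded-string shape tptacek describes, as an added example that is not part of the thread or of the Sucuri cleanup script. The document root, the sample files and the zettapetta.example host are constructed for the demo.

```python
import os
import re
import tempfile

# Strings named in the thread as signs of the injected code.
INDICATORS = ("base64_decode", "zettapetta", "indesignstudioinfo")
# eval() fed straight from a decoder is the usual shape of the PHP that adds the JS.
OBFUSCATED_EVAL = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js")

def scan_file(path):
    """Return [(indicator, line_number)] for every hit in one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            hits.extend((ind, lineno) for ind in INDICATORS if ind in line)
            if OBFUSCATED_EVAL.search(line):
                hits.append(("eval(decoded)", lineno))
    return hits

def scan_tree(root):
    """Walk a document root and map relative path -> hits for every file with a hit.
    WordPress core calls base64_decode legitimately in places, so a lone hit there
    is a lead to diff against a clean copy, not proof of compromise."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTENSIONS):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo():
    """Constructed docroot: one injected config, one planted footer, one clean index."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content"))
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\n$table_prefix = 'wp_';\n"
                 "eval(base64_decode('aGVsbG8='));\n")  # constructed injected line
    with open(os.path.join(root, "wp-content", "footer.html"), "w") as fh:
        fh.write("<script src='http://zettapetta.example/x.js'></script>\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\nrequire 'wp-blog-header.php';\n")
    return scan_tree(root)
```

Run `demo()` to see the two flagged files; point `scan_tree()` at a real document root and compare any flagged core file against a fresh download of the same WordPress version before deciding it is injected.
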
------
lkrubner
WordPress is easy to learn. Technologies that are easy to learn tend to
attract a lot of people. Once the people learn enough that they are no longer
beginners, then they want more features, more abilities. Rewind the clock to
1999 and you could say the same thing about PHP. It did well because it was
easy for beginners to learn.

I think a lot of the people who read Hacker News are people with considerable
experience in the tech world. As such, it is easy for them to underestimate
the importance of having some technologies that are easy for beginners to
learn. It is easy to make fun of a beginner. But everyone starts off as a
beginner. More so, technologies that are easy to learn tend to have a
resilience that complicated technologies lack. There will always be some
version of BASIC out there, even as other, better languages are forgotten.

I do most of my development with Symfony. As such, there is a part of me that
thinks application frameworks (Symfony, Ruby on Rails, Django) should be used
for all projects. But the application frameworks are only for experienced
programmers. I would have felt overwhelmed if my first exposure to computer
programming had been Symfony, or Ruby on Rails, or Django.

WordPress does a fantastic job enabling relative beginners to achieve a lot.
It deserves praise for that. It offers people a smooth path to move deeper
into programming, should they wish to move that way. I've had friends who
first learned PHP dealing with WordPress, and later became good PHP
programmers overall, and more recently I see them learning other technologies.
In another era they might have learned with Visual Basic or HyperCard or
AppleScript or any of the previous attempts to build systems that enabled
beginners to program. But for the last few years, WordPress has occupied that
niche in the world of programming.

More so, WordPress is a great platform for web designers to work from. For the
intelligent designer who does not want to become a programmer, WordPress lets
them do a lot of customization, without knowing much of the technical details
of what they are doing.

It is easy to curse WordPress for its security flaws. For that reason, it is
important to remember how good it is at the things it gets right.

I agree with elidourado: this is an opportunity for entrepreneurs. The
popularity of WordPress, and its occasional problems, provides a good market
for services that help designers and other programmers achieve what they wish.
Darren Hoyt and I started one such service, a paid question and answer site
focused on WordPress:

<http://www.wpquestions.com/>

It is also worth noting that WordPress is one of the larger categories on
eLance:

<http://www.elance.com/skills_directory>

It is appropriate to complain about the security flaws in WordPress, but
entrepreneurs will also think hard about what kind of services can help all
the people who need help with it.

