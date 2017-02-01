Hacker News
Virally growing attacks on unpatched WordPress sites affects ~2m pages (arstechnica.com)
5 points by geerlingguy 28 minutes ago | 4 comments

    So far, the vulnerable sites under these new attacks are those
    running WordPress plugins such as Insert PHP and Exec-PHP, which
    allow visitors to customize posts by inserting PHP-based code
    directly into them.
This is never a good idea. Don't allow your content admins to add executable code to a CMS!

It's a tradeoff; people have to get stuff done, ya know. Proper authentication and authorization controls would have been a better choice.

I'd guess that it was hackers who would even think about creating those plugins in the first place.

> Virtually all of the vandalism is being carried out by exploiting a severe vulnerability WordPress fixed in WordPress version 4.7.2, which was released on January 26. In an attempt to curb attacks before automatic updates installed the patch, the severity of the bug—which resides in a programming interface known as REST—wasn't disclosed until February 1.

Most people use WordPress for blogging; it generates HTML pages. The WordPress team, so proud of their new "REST API", had the stupid idea to enable the new REST endpoints BY DEFAULT, even for users who would have no fucking use for it, increasing the attack surface for a CMS which is already not reputed for its secure ecosystem. That was a dumb thing to do. I hope it will push users to move away from WordPress.

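The comment above objects to the REST endpoints being reachable by anonymous visitors out of the box. As an added example (not code from the article, from this thread, or from WordPress itself), here is the usual way a site owner shrinks that exposure: a small must-use plugin that hooks the core `rest_authentication_errors` filter and rejects any REST request that carries no authenticated user. The file path in the comment is an assumption; the filter, `is_user_logged_in()` and `WP_Error` are real WordPress core APIs.

```php
<?php
/**
 * Added example: restrict the WordPress REST API to authenticated users.
 *
 * Assumed location: wp-content/mu-plugins/restrict-rest-api.php (an mu-plugin
 * loads automatically and cannot be switched off from the admin UI).
 *
 * WordPress runs the `rest_authentication_errors` filter before dispatching
 * any REST request. The incoming value is:
 *   - null      : no authentication handler has run or objected yet
 *   - true      : a handler authenticated the request
 *   - WP_Error  : a handler already rejected the request
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another handler already decided (success or error): do not override it.
    if ( null !== $result ) {
        return $result;
    }

    // Anonymous request: refuse with HTTP 401 so no endpoint, core or plugin,
    // is reachable without a logged-in user. Per-route capability checks still
    // apply to authenticated users afterwards.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => 401 )
        );
    }

    // Logged-in user: fall through to the normal REST permission callbacks.
    return $result;
} );
```

This is a hardening measure, not a substitute for the fix the quoted article names (updating to 4.7.2): it reduces what an unauthenticated visitor can reach, but a logged-in account with the right capabilities still gets the API. It also blocks legitimate anonymous REST clients (some themes and plugins call the API from the public front end), so check the site still works before rolling it out.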