Wordpress.org Warns of Active Worm Hacking Blogs 103
Erik writes "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a 'clever' worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process; however, newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at Wordpress.com are also apparently immune."
"Clever?" (Score:5, Insightful)
There have been widespread worms that did this sort of thing before (phpBB comes to mind). Does this one do anything novel that makes it deserve the adjective "clever?"
-:sigma.SB
Hey Wordpress... (Score:5, Insightful)
Maybe you should stop putting the Wordpress version in meta tags on the page? Or at least make it opt(-in)ional?
the problem with one-click upgrades (Score:4, Insightful)
If wordpress.org is hacked, again [wordpress.org], their one-click upgrade feature means instant ownage for all Wordpress blogs everywhere.
Re:Hey Wordpress... (Score:5, Insightful)
I wouldn't say it is snake oil. Putting versions in a page allows you to Google for it. Which makes the attack a lot easier. It also allows the attacker to do reconnaissance a lot less detectably a hold of time, and then spring it on everyone at once.
maybe if they used their release notification list (Score:1, Insightful)
http://wordpress.org/download/ [wordpress.org]
When you download Wordpress, you're asked for your email address for release notifications. Shame they don't actually use it:
http://wordpress.org/support/topic/230558 [wordpress.org]
What's the point of offering it if they don't use it? Also, their blog has such a terrible noise-to-quality ratio that it's absolutely useless in this regard. All I care about is whether a new version is available or not - I couldn't care less about what new "awesome" features they've added or are trying to add - I just want to update my blog when new versions are released and leave it at that.
Re:the problem with one-click upgrades (Score:4, Insightful)
That problem isn't specific to 1-click updates. It exists equally with 0-click updates (like Firefox's minor updates) and 50-click updates (like WordPress used to have).
You can improve the security of updates by using multiple layers of software protection (e.g. https AND code-signing). You can't improve security by increasing human involvement in the update process and then blaming users who update while the site is hacked. Increasing human involvement just makes it slower and limits the kinds of software protection you can use.
Why people don't update (Score:2, Insightful)
The reason most siteowners are slow or never update is because it's a huge pain in the butt.
This applies to almost all CMS's, forums, and similar software.
While a one-click solution sounds nice, the real problem is that almost any large board has a number of plug-ins and modifications to get it where it needs to be.
Once those mods/plugins are installed, the one-click updates no longer work.
SEO URL's?
Custom themes?
Anti-bot measures?
All of these things can completely render an "easy update" useless.
The people who write this software need to find a way to keep the core code separated from plugins for updates.