WordPress Vulnerability


Search Google for inurl:wp-content/1/ [Warning: just run the search, don't visit any of the sites in the results. They are full of ActiveX malware!]. This is what I see now:

What you see is a list of sites that were hacked through the latest WordPress vulnerability, which allows attackers to insert spam into your blog.

This is just great. WordPress is the most common blog software out there, and at this minute there are over 90,000 websites that were spammed (still counting…). I'm sure that most of these site owners have never heard of this exploit, and some of them probably never will. The damage is enormous. This exploit made them look like spammers in Google's eyes, and Google, being Google, never forgets anything. If you are a spammer, you are out of the index in one second.

In my opinion, the best way to deal with these hacks is active network scanning. Services of this kind are usually provided by an external company that scans your site for vulnerabilities on a daily basis (like Hacker Safe, but better). Once a new vulnerability is disclosed to the world, it is automatically added to their scanning system and tested against your site. This can definitely help you sleep better.

Life shows that there is no way your web site can be completely safe. It is just the nature of software that it is full of holes. If you at least scan your website for vulnerabilities, you know about a problem in time and can hope there is something you can do about it…

Important comment: if you are not in this list, it does not mean that you are safe. There are lots of other URLs that were used for this attack… This IS fun!
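A self-check for the symptom described above, as an added example (not code from the original post): it parses a page's HTML and flags links into the wp-content/1/ directory that the Google query turns up, as well as links hidden from readers with CSS, which is how injected spam usually stays out of sight. The sample page is constructed here; the paths and hostnames in it are placeholders, and since other URLs were also used, the path pattern is only one of the checks.

```python
"""Scan a page's HTML for injected-spam symptoms: links into
/wp-content/1/ and links placed inside CSS-hidden containers.
Run it against your own site's HTML; SAMPLE_PAGE below is a
constructed example, not captured from any real site."""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
SPAM_PATH = re.compile(r"/wp-content/1/", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # never closed

class SpamLinkFinder(HTMLParser):
    """Collects (reason, href) for anchors that look injected."""
    def __init__(self):
        super().__init__()
        self.stack = []     # open elements as (tag, is_hidden)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        inside_hidden = hidden or any(h for _, h in self.stack)
        if tag == "a":
            href = a.get("href") or ""
            if SPAM_PATH.search(href):
                self.findings.append(("spam-path", href))
            elif inside_hidden:
                self.findings.append(("hidden-link", href))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # pop back to the matching open tag; tolerates sloppy markup
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan_html(html):
    parser = SpamLinkFinder()
    parser.feed(html)
    return parser.findings

# Constructed sample: one legitimate link, three injected ones.
SAMPLE_PAGE = """<html><body><h1>My family blog</h1>
<p>Read <a href="/2008/04/holiday/">our holiday post</a>.</p>
<div style="display:none">
  <a href="http://example.com/wp-content/1/cheap-pills.html">pills</a>
  <a href="http://example.net/buy-now">buy now</a>
</div>
<a style="visibility: hidden" href="http://example.org/casino">casino</a>
</body></html>"""

if __name__ == "__main__":
    for reason, href in scan_html(SAMPLE_PAGE):
        print(f"{reason:12} {href}")
```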

Update (April 12 2008): I checked the list again, and it seems like most of the hacked pages were removed from Google's index. This DOES NOT mean that the vulnerability is fixed; it just means that Google identified these pages as ones that should be ignored and removed them from the index. This is semi-good news for those that were hacked and afraid their ranking would go kaput. Only semi, because they are still vulnerable and will surely be attacked again in the next wave…

It seems like the number of WordPress vulnerabilities is growing constantly. The most popular blogging software in existence is becoming a huge security hole. In fact, this post is written with WordPress, and it feels less secure than ever. This makes me think about moving my blog to Blogger or a hosted WordPress site, instead of fighting the patches on my own server.

This entry was posted in security, wordpress, world news.

26 Responses to WordPress Vulnerability

  1. Jhon says:

    Thanks, good information.

  2. Adam says:

    The vulnerability scanner you mentioned in your post looks great, but it costs more than I can afford. Do you know if there is anything cheaper out there that can do the same kind of work?
    My website is non-commercial, I use it mostly for blogging for family and friends, and spending $400 a year is too much for me.
    I heard there are free products out there like Nessus, but they require me to install them on my server and that is something I don't want to do.

  3. Mok says:

    I checked that Google query and those sites do not appear in Google search any more. There are only 90 results, not 90,000. I guess that Google also has its own vulnerability scanner and they push aside web pages that were created through this WordPress vulnerability.
    I'm a WordPress user myself and this makes me kind of worried. I do not want my blog to be hacked, but I guess I don't have too much of a choice, do I…

  4. Bill says:

    WordPress seems to be very insecure; every now and then there is a new vulnerability.
    I'm not sure if I'll continue using it due to all this.

  5. applecanada says:

    I thought think tree think up to of my Behind my first

  6. Pingback: nion's blog

  7. Shpook says:

    Blacklists and scanning for vulnerabilities are a dumb thing to do. What WP devs should do is fix WP from the ground up. Any particular type of vulnerability should be the first and last of its kind, ideally.

  8. yair says:

    Shpook,
    I agree with your theory that making software secure by design is much better than testing software for vulnerabilities, but in my opinion this is just a theory, not more than that. Until software is secure, what would you do if you were a webmaster running Apache, PHP, MySQL and a few ready-made blog, forum and CMS packages? Would you fix the bugs? How? Isn't it easier to run a watchdog that will tell you when something is wrong?

  9. Pingback: ¿Vacaciones?

  10. Typolight says:

    Thanks, your nice post helped me a lot.

  11. Excellent blog and comments. Thanks and best regards, Private Krankenversicherung

  12. John says:

    There's always a vulnerability out there. Just when you get one fixed and sorted out, bam, along comes another. It's never ending. All you can do is keep up to date and follow security, exploits, and vulnerabilities.

  13. Maxim says:

    Thanks for the info!

  14. Webmaster says:

    Wow, I just found out about this exploit by reading it here. I am upgrading and checking everything tonight, just in case.

    Thanks for sharing

  15. Istoselidon says:

    Great article and informative. I have this bookmarked. Thanks

  16. Finally the pwnie award nominations are out, a bit late though.

    Of course Debian also got its nomination for the infamous openssl issue in the Most Epic FAIL category as well as one nomination for Luciano for discovery of this in the Mass0wnage se…

  17. Murali says:

    I'm new to blogging and my blog is about basics of Software Testing, Manual Testing, SDLC, Testing Techniques, Levels of Testing, Types of Testing, Test Planning, Test Execution, Test Development, Bug Tracking, Result Analysis, Test Design Techniques and QTP, so I write about what I know. Give it a visit if you get a chance.
    Feel free to visit: http://softwaretesting-guide.blogspot.com/
    Regards,
    Murali

  18. There's always a vulnerability out there. Just when you get one fixed and sorted out, bam, along comes another. It's never ending. All you can do is keep up to date and follow security, exploits, and vulnerabilities.

  19. Jmac says:

    WP can be very secure; you just need to know how to set it up. Regardless of platform, there will always be security issues.

    -j

  20. Edz Hye says:

    That's crazy the hacking was so widespread

  21. I'm new to WordPress. Currently I'm using WP 2.7.1. Do you guys know if the security issue mentioned in this article has been resolved?

  22. sweety says:

    I can understand why it made sense to build your own blog a few years ago, but WordPress has come a long way in the past few years. It may have been a bit limited before, but as you point out, a community of developers adding plugins and feedback has helped it grow, and it's really more of a CMS than the simple blogging tool it once was.

  23. That's crazy the hacking was so widespread. Thanks

  24. mchammer says:

    Love the blog, mate, keep up the good work. I'll definitely recommend your blog to some friends of mine ^^

  25. Wow! I didn't know that! I should change my blog password…

  26. adamoerikom says:

    Stunning blog and good article. High five for you, man!
