wordpress security

I had a site go down last night, and I think it's a domain problem; however, when I was on tech support with my hosting provider last night, he mentioned more than once that WordPress had some major security issues.

I was just wondering if any of you could expound on any security issues of which you might be aware? Of particular concern to me is the fact that right before it went down, my functions.php file had been truncated TO THE SCREEN. In other words, the last 10-15 lines of my functions.php file were echoed to the screen (including <?php ?> tags!!), something I've NEVER seen happen before.

Thanks for any advice.

Sharon Chambers
Webmaster
brewer media
1305 Carter Street
Chattanooga, TN 37402
(423)242-7652 office
(423)266-2335 fax
Sharon@...

Brewer Broadcasting: Power 94.9 | Groove 93.7 | ESPN Chattanooga 105.1 | Pulse News 95.3
Brewer Interactive: BOGONooga.com | ChattanoogaLivesGreen.com | ChattanoogaHasFun.com | ChattanoogaHasCars.com | ChattanoogaHasTravel.com | ChattanoogaCrime.com
Brewer Publishing: ChattanoogaPulse.com, The Pulse - Chattanooga's Alternative Weekly Newspaper
Chattanooga Traffic Network: 17 Radio Stations | 3 Television Stations | Traffic Reports & Sponsorships

_______________________________________________
wp-hackers mailing list
wp-hackers@...
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: wordpress security

Sharon,

I would say that right before your system went down, the PHP interpreter borked and you got that output. I have never seen that happen with WordPress, nor can I think of a way that it might.

I'll leave it to others more knowledgeable on the security ins and outs to describe security in detail. But every piece of software has security issues from time to time and WordPress is no different. WordPress is frequently updated to patch these holes, but not everything is caught. That's development for you. But I doubt if anything as nuanced as this is what the tech was talking about. I suspect, as a person who's done time on the phones, that the tech was stumped and looking for an excuse to not blame his company.

On Fri, Oct 16, 2009 at 9:24 AM, Sharon Chambers <sharon@...> wrote:
> I had a site go down last night, and I think it's a domain problem;
> however, when I was on tech support with my hosting provider last night, he
> mentioned more than once that Wordpress had some major security issues.
>
> I was just wondering if any of you could expound on any security issues of
> which you might be aware? Of particular concern to me is the fact that
> right before it went down, my functions.php file had been truncated TO THE
> SCREEN. In other words, the last 10-15 lines of my functions.php file were
> echoed to the screen (including <?php ?> tags!!), something I've NEVER seen
> happen before.
>
> Thanks for any advice.

Re: wordpress security

On Fri, Oct 16, 2009 at 09:24:00AM -0400, Sharon Chambers wrote:
> I had a site go down last night, and I think it's a domain problem;
> however, when I was on tech support with my hosting provider last night, he
> mentioned more than once that Wordpress had some major security issues.

What versions did he mention? Way older ones, yes; newer ones, none of significance (that have surfaced).

The good thing about the internet is that anybody can say anything. The bad thing about the internet is that anybody can say anything.

There are always things like weak passwords and loose file permissions, but that is nothing about WP in particular. I run about 30 sites based on WP and have had zero problems for quite a while. A few of these are < 2.5 (patched/upgraded piecemeal). Most are 2.6 or 2.7 (difficult to upgrade for various reasons).

-- Hal

Re: wordpress security

The latest version of WordPress has no currently known security problems. However, that doesn't mean there are not unknown ones.

It's like this: Any piece of software can have bugs. When the WordPress team finds one, or is alerted to one, they fix it and eliminate the problem. In the case of security issues, that usually results in an immediate security fix release. 2.8.3 and 2.8.4, for example, were security releases, to fix just-found issues.

However, a security release only works if you actually upgrade. A surprising lot of people don't.

Also consider that WordPress is a high-profile target. A *lot* of websites out there use it. So a security hole in WordPress, especially an exploitable one, gets attacked by malicious people almost immediately, and en masse. So when a release to fix a security hole comes out, malicious people create code to exploit it and start trying to mass-hack as many sites as they can.

Recently (last month), there were a lot of people getting their sites hacked. The hackers exploited a problem that existed in WordPress 2.8.2 (and which was fixed in 2.8.3). WordPress was already up to version 2.8.4, so the only people who got really hit hard were those who failed to upgrade. WP 2.8.3 came out in August, so there was a good month or two of lead time before hackers actively exploited the problem that had already been fixed. Why didn't people upgrade within that month? Good question.

As long as you upgrade early and often, there are no WordPress-specific security issues you generally have to worry about.

There are other ways to hack websites though, and most of them don't involve WordPress. Somebody can still get in your site and take it over through some other means, so security on all other aspects of the server environment must be watched as well. If you get hacked, don't immediately jump to a conclusion as to how it occurred, because the odds of it being attacked via a fully-up-to-date WordPress are slim. Since I've been using WordPress, I have yet to see any zero-day exploits against it occur. It's always been something targeting older versions and people who failed to upgrade.

-Otto
Sent from Memphis, TN, United States

Re: wordpress security

I'm sure this has been mentioned before (elsewhere), but it's important to note that not all WordPress users log into their dashboard every day, and the vast majority of WordPress users don't subscribe to any RSS feed that would indicate that WordPress needs to be upgraded.

The automatic updates are fantastic, and are a huge step in the right direction, but an alert system needs to be put in place so that as soon as your WP install notices there's an upgrade available, it emails the Admin.

(Forgive me if this is already in motion for the next version. If it is, then congratulations for being proactive in this regard.)

------------------
Nathan Rice
WordPress and Web Development
www.nathanrice.net | twitter.com/nathanrice | www.modthemes.com

On Fri, Oct 16, 2009 at 10:25 AM, Otto <otto@...> wrote:
> However, a security release only works if you actually upgrade. A
> surprising lot of people don't.

Re: wordpress security

On Fri, Oct 16, 2009 at 9:33 AM, Nathan Rice <ncrice@...> wrote:
> I'm sure this has been mentioned before (elsewhere), but it's important to
> note that not all WordPress users log into their dashboard every day, and
> the vast majority of WordPress users don't subscribe to any RSS feed that
> would indicate that WordPress needs to be upgraded.

True, but an automatic email notification to the admin would just have lots of people asking us how to turn it off.

You can't make people do something they don't want to do. If they don't want to be active about it, then continuously annoying them ain't gonna do it.

If somebody wants to get a notification of new releases, then here's the feed you'll want to subscribe to:
http://wordpress.org/development/category/releases/feed/

Promote that feed however you like. Create automated emails based on it if you wish.

-Otto
Sent from Memphis, TN, United States

Re: wordpress security

On Fri, Oct 16, 2009 at 11:02 AM, Otto <otto@...> wrote:
> True, but an automatic email notification to the admin would just have
> lots of people asking us how to turn it off.

Then give them a way to turn it off.

> You can't make people do something they don't want to do. If they
> don't want to be active about it, then continuously annoying them
> ain't gonna do it.

I wouldn't call it an annoyance, any more than the update notifier at the top of the dashboard is annoying. If WordPress wants to save its reputation from people who blame every exploit on it, then it needs to do everything possible to get people to upgrade. If the user turns off email notifications, then at least they can't blame WordPress.

There needs to be a way people can receive notifications passively, without having to actively seek them out (logging into the dashboard, subscribing to a feed, etc.). Instead of berating people for being normal and non-geeks, why not just give them a useful feature that will help them stay secure? What's the harm in that?

> If somebody wants to get a notification of new releases, then here's
> the feed you'll want to subscribe to:
> http://wordpress.org/development/category/releases/feed/
>
> Promote that feed however you like. Create automated emails based on
> it if you wish.

Never gonna happen. And I don't blame them. If I was just a WP user, and not in the business full-time, I doubt very seriously that I would 1. log into my dashboard every day or 2. subscribe to a WP RSS feed. And because of that, I would be at risk. Why not just eliminate that risk?

Re: wordpress security

On Fri, Oct 16, 2009 at 6:10 PM, Nathan Rice <ncrice@...> wrote:
> On Fri, Oct 16, 2009 at 11:02 AM, Otto <otto@...> wrote:
>
>> True, but an automatic email notification to the admin would just have
>> lots of people asking us how to turn it off.
>
> Then give them a way to turn it off.

There's already a plugin that emails the admin when a new version is available:
http://wordpress.org/extend/plugins/upgrade-notification-by-email/

--
http://scribu.net

Re: wordpress security

On Fri, Oct 16, 2009 at 11:19 AM, Sharon Chambers <sharon@...> wrote:
> I would call it annoyance. Anyone professing themselves to be website
> admin should be logging into their dashboard on occasion, and anyone failing
> to do so has no one but themselves to blame for security threats.
>
> I fail to see why a non-geek web admin would be considered "normal" at any
> rate.

That's exactly the attitude that gives WP the reputation it has for security. That everyone who uses WP is a professional and should be responsible not only to upgrade their install every time a new version comes out, but should also be proactive about checking for upgrades.

Now, personally, I believe they SHOULD do both of those things. But I live in reality, where they WON'T do both of those things.

So, we can either sit cross-armed and blame the stupid users, or we can continue to provide them with tools that anticipate their lack of provocativeness, like a simple email notification.

And no, a plugin won't suffice. It's an extra step that most users won't take.

Re: wordpress security

I'm with Nathan on this one. I don't see the harm in having WordPress email the site administrator as one additional way of being notified of an upgrade when the site detects it's available. This would be especially useful for mobile users, as email is a much nicer and more accessible way to get this information, considering logging into the dashboard from a mobile device sucks or is impossible. This would be one more way of eliminating the excuse that they were not notified in time of the upgrade.

When I first started using WordPress, I signed up to the WordPress Announcements mailing list because I wanted to be notified when a new update was available via email, because I check email 100 times a day versus RSS feeds or the dashboard. Well, that list is as good as dead. The only time I've received an email from that list is a big announcement email regarding WordPress 2.7 from Matt Mullenweg. That's it, in the span of two years. So this would turn the WP Announcements mailing list into something automated, controlled by the blog owner for the site administrator, since the middle man ain't cutting it anymore.

Re: wordpress security

On Fri, Oct 16, 2009 at 11:27 AM, Nathan Rice <ncrice@...> wrote:
> On Fri, Oct 16, 2009 at 11:19 AM, Sharon Chambers <sharon@...> wrote:
> And no, a plugin won't suffice. It's an extra step that most users won't
> take.

I have to say +1 on this idea. It would be a simple step to add a checkbox during installation that says something like

[x] Email me when WordPress needs to be updated so it can stay secure.

I know that in my own case this would generate at least a dozen emails in my inbox and I'd groan and sigh and complain, but that's what I *need to do*. We're all riding this roller coaster of security because we think WP is worth it, but there's a price. Solving the security problems with WP probably *needs* to be annoying, otherwise it won't get us to do the work we need to do to improve the situation.

P.S. Sharon, can you please do something about your email signature? It's so frikkin' long, it drives me crazy. Maybe cut it down for mailing list postings?

--
Jeremy Clarke | http://jeremyclarke.org
Code and Design | http://globalvoicesonline.org

Re: wordpress security

2009/10/16 Nathan Rice <ncrice@...>:
> That's exactly the attitude that gives WP the reputation it has for
> security. That everyone who uses WP is a professional and should be
> responsible not only to upgrade their install every time a new version comes
> out, but should also be proactive about checking for upgrades.

Excuse me, but isn't that the actual objective of running a self-hosted WordPress blog instead of one on wordpress.com? So you can control upgrades, plugins, themes, ...? IMHO, admins that do not want to take matters into their own hands should be using one hosted at wordpress.com instead of a self-hosted one...

> Now, personally, I believe they SHOULD do both of those things. But I live
> in reality, where they WON'T do both of those things.
>
> So, we can either sit cross-armed and blame the stupid users, or we can
> continue to provide them with tools that anticipate their lack of
> provocativeness, like a simple email notification.

There is the WordPress development blog feed, the WordPress Planet feed, the hundreds of WordPress-fanatics feeds in lots of languages just talking about WordPress development and of course news and security alerts, which you can use with your preferred feed reader. If that isn't enough you can make (or find one like the one linked by scribu here) your own plugin and stay up-to-date with notifications about upgrades/updates (because you should consider not only WordPress update notifications but also plugin update notifications in your WordPress security plan). Still not convinced? Then go to core.trac.wordpress.org/timeline where you can review all the changes made by the wp-dev-team (it also has a feed, so you can always be up-to-date with the WordPress changes, tickets, milestones...).

So, you could just sit cross-armed and blame the WordPress dev-team for not providing enough tools for update notifications, or actually code a plugin and then propose the core integration of the functionality (which is actually the way that WordPress considers new features).

> And no, a plugin won't suffice. It's a extra step that most users won't
> take.

As I said before... if an admin does not want to take matters into their own hands then they should consider using one hosted at wordpress.com (almost always the bleeding edge of the WordPress core).

There are lots of ways a WordPress-based site could be broken besides WordPress itself; as I say, you have the plugins, the themes, the PHP interpreter, 3rd-party sites in a shared hosting environment, services misconfiguration, weak passwords, ... just to enumerate the most well-known direct and indirect attacks.

As for the core integration proposal... +1 if the update notification email also considers plugins in the notification. -1 if it will only be just the WordPress core updates.

Regards

PS: Pardon me, my really bad Mexican-English.

_________________________
g30rg3_x

Re: wordpress security

Jeremy Clarke:
> On Fri, Oct 16, 2009 at 11:27 AM, Nathan Rice <ncrice@...> wrote:
>> On Fri, Oct 16, 2009 at 11:19 AM, Sharon Chambers
>> <sharon@...> wrote:
>> And no, a plugin won't suffice. It's a extra step that most users won't
>> take.
>
> I have to say +1 on this idea.

Me too.

> I know that in my own case this would generate at least a dozen emails
> in my inbox and I'd groan and sigh and complain, but that's what I
> *need to do*.

I'd get a lot of mails too, and this is one reason why I would find it helpful: I would not forget one of the blogs where I'm the admin and not an author.

Thomas

--
Editorial, print and web design
http://toscho.de · 0160/1764727
Twitter: @toscho

Re: wordpress security

Question to those of you who like this idea of emailing the admin for upgrade notification:

Are you currently using this plugin?
http://wordpress.org/extend/plugins/upgrade-notification-by-email/

If not, why not?

-Otto
Sent from Memphis, TN, United States

Re: wordpress security

On Fri, Oct 16, 2009 at 1:29 PM, Otto <otto@...> wrote:
> Question to those of you who like this idea of emailing the admin for
> upgrade notification:
>
> Are you currently using this plugin?
> http://wordpress.org/extend/plugins/upgrade-notification-by-email/
>
> If not, why not?

No, because I subscribe to all the WordPress feeds, random WP-related blogs, and follow countless people on Twitter that are happy to notify me when a new version is released. I don't need to be alerted by email.

Plus, I don't use the automatic upgrade feature. All my blogs are updated via SVN once per hour.

I'm not normal.

Re: wordpress security

On Fri, Oct 16, 2009 at 8:49 PM, Bryan Spahr <bryanspahr@...> wrote:
>> So, we can either sit cross-armed and blame the stupid users, or we can
>> continue to provide them with tools that anticipate their lack of
>> provocativeness, like a simple email notification.
>>
>> And no, a plugin won't suffice. It's a extra step that most users won't
>> take.
>
> +1 for the real world perspective
>
> This idea has been proposed before, so I'll second: have an option to "send
> email to the admin when there is an upgrade available", along with a
> configurable interval to send repeat / reminder emails.

I agree that a checkbox somewhere wouldn't hurt.

So, anyone up for a patch on trac? Post the ticket number back here.

--
http://scribu.net

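A minimal plugin along the lines of the proposal quoted above (an opt-out email to the admin when a core upgrade is available, with a configurable reminder interval) and the installation checkbox Jeremy suggested earlier in the thread. This is an added illustration, not code from the thread or from the upgrade-notification-by-email plugin linked in it; the wpsec_ option and hook names are constructed, and it assumes the update_core site transient layout (a list of update objects with response/current fields) and the Settings API hooks that WordPress exposes.

```php
<?php
/*
Plugin Name: Upgrade Notification Email (example)
*/

// Option and hook names prefixed wpsec_ are constructed for this example.
define( 'WPSEC_OPT_ENABLED',  'wpsec_upgrade_mail_enabled' );  // checkbox, 1 = send mail (default on)
define( 'WPSEC_OPT_INTERVAL', 'wpsec_upgrade_mail_interval' ); // reminder interval in seconds
define( 'WPSEC_OPT_LAST',     'wpsec_upgrade_mail_last' );     // array( 'version' => ..., 'time' => ... )

// Schedule a daily check on activation; remove it again on deactivation.
register_activation_hook( __FILE__, 'wpsec_activate' );
register_deactivation_hook( __FILE__, 'wpsec_deactivate' );
add_action( 'wpsec_check_upgrade', 'wpsec_check_upgrade' );

function wpsec_activate() {
    add_option( WPSEC_OPT_ENABLED, 1 );
    add_option( WPSEC_OPT_INTERVAL, 7 * 86400 );   // remind weekly until the site is upgraded
    if ( ! wp_next_scheduled( 'wpsec_check_upgrade' ) ) {
        wp_schedule_event( time(), 'daily', 'wpsec_check_upgrade' );
    }
}

function wpsec_deactivate() {
    wp_clear_scheduled_hook( 'wpsec_check_upgrade' );
}

// Newest core version offered in the update_core site transient, or null if the site is current.
// Assumed layout (filled in by wp_version_check()): update objects with 'response' and 'current'.
function wpsec_available_core_version() {
    wp_version_check();
    $updates = get_site_transient( 'update_core' );
    if ( empty( $updates->updates ) ) { return null; }
    foreach ( $updates->updates as $u ) {
        if ( 'upgrade' === $u->response && ! empty( $u->current ) ) {
            return $u->current;
        }
    }
    return null;
}

// Mail when a version has not been announced yet, or when the reminder interval has elapsed.
function wpsec_should_notify( $available, $last, $interval, $now ) {
    if ( null === $available ) { return false; }
    if ( empty( $last['version'] ) || $last['version'] !== $available ) {
        return true;
    }
    return ( $now - (int) $last['time'] ) >= $interval;
}

function wpsec_check_upgrade() {
    if ( ! get_option( WPSEC_OPT_ENABLED, 1 ) ) { return; }   // the admin opted out
    $available = wpsec_available_core_version();
    $last      = (array) get_option( WPSEC_OPT_LAST, array() );
    $interval  = (int) get_option( WPSEC_OPT_INTERVAL, 7 * 86400 );
    if ( ! wpsec_should_notify( $available, $last, $interval, time() ) ) {
        return;
    }
    global $wp_version;
    $subject = sprintf( '[%s] WordPress %s is available; this site runs %s',
                        get_bloginfo( 'name' ), $available, $wp_version );
    $body    = "A WordPress core update is available. Log in to the dashboard and upgrade.\n"
             . "To stop these messages, untick the option under Settings > General.\n";
    wp_mail( get_option( 'admin_email' ), $subject, $body );
    update_option( WPSEC_OPT_LAST, array( 'version' => $available, 'time' => time() ) );
}

// Opt-out checkbox on Settings > General. An unticked box is not submitted, so the option is cleared.
add_action( 'admin_init', 'wpsec_settings' );
function wpsec_settings() {
    register_setting( 'general', WPSEC_OPT_ENABLED, 'intval' );
    add_settings_field( WPSEC_OPT_ENABLED, 'Upgrade e-mails', 'wpsec_settings_field', 'general' );
}
function wpsec_settings_field() {
    printf( '<input type="checkbox" name="%s" value="1" %s /> Email me when WordPress needs to be updated',
            WPSEC_OPT_ENABLED, checked( 1, get_option( WPSEC_OPT_ENABLED, 1 ), false ) );
}
```

The reminder state is keyed on the offered version, so a second release before the admin upgrades triggers a fresh notice rather than waiting out the interval.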
Re: wordpress security

On Fri, Oct 16, 2009 at 1:29 PM, Otto <otto@...> wrote:
> Question to those of you who like this idea of emailing the admin for
> upgrade notification:
>
> Are you currently using this plugin?
> http://wordpress.org/extend/plugins/upgrade-notification-by-email/
>
> If not, why not?

I don't use it because in my 5+ years of using WP and installing it all over the place I've worked out lo-fi systems (i.e. a text file) where I list all the WP installs I'm responsible for and their versions. When there is an update I learn about it on Twitter (because I follow tons of WP people, not something I recommend to normal users) and know to reconsider my text file and try to keep them all up to date. So I personally don't really need the plugin or the feature. I'd still use it, but going back to the old installs and installing the plugin is more than it's worth for me.

Others among us might use automatic svn or have special bash scripts or WP plugins that keep track of multiple installations instead of my wimpy text file. These are all great solutions for experts who have experience and know what they're doing, but there needs to be more pressure on newbies to pick up the importance of updating, and telling them to install another plugin is a pretty ineffective way IMHO. It feels to me like preaching to the choir: if you know enough to install plugins like that then you probably know it's important to stay up to date and have experience.

I mean, how many of us have been hacked at some point? I have multiple times, that's how I learned (and I still don't always update fast enough!). If WP wants to improve its image it has to start annoying people BEFORE they are hacked, not after.

--
Jeremy Clarke | http://jeremyclarke.org
Code and Design | http://globalvoicesonline.org