*** WARNING, WATCH YOUR WP SITES ***

Discussion in 'WordPress' started by deathshadow, Sep 17, 2015.

  1. #1
    deathshadow, Sep 17, 2015 IP
  2. PoPSiCLe

    PoPSiCLe Illustrious Member

    #2
    Well... I feel it a bit unfair to blame this solely on WordPress. This is most likely due to plugins not being updated or being insecure by default - and given that most people have no clue about the plugins they install, that's not very uncommon.
    Given that many hosts don't allow the auto-update of WordPress to run either, you end up with outdated software run by incompetent admins with glaring security holes scattered around.
    But, as for this particular problem, it's probably not WordPress' fault (except for being popular and used by "everyone").
     
    PoPSiCLe, Sep 18, 2015 IP
  3. deathshadow

    deathshadow Acclaimed Member

    #3
    Oh, there's plenty of blame to go around on it, but really the whole thing reeks of "for people who know nothing about websites, BY people who know nothing about websites".

    Whilst certainly the majority of reported vulnerabilities as of the release of WP 3.x are indeed opened by the plugins, the utter and complete lack of security and broken methodologies that allow WP to even have mods/plugins/whatever in the first place are just as at fault. There have also been some REAL doozies recently in WP itself:

    * was going to link to the ndist CVE for it here, but the stupid bloated train wreck of asshattery known as Xenforo complains the link doesn't respond in time. Seriously who the **** thought that was a good idea? Here's a crappy mirror instead:
    https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress

    "older versions" certainly, but how many plugins has 4.x broken resulting in people not upgrading? It's starting to remind me of phpBB 2.x where the software itself lacked so much of the "basic" functionality people expected their forums to have (like avatars and attachments) people loaded up on mods/plugins/extensions/whicheverWordIsTrendyRightNow that neutered the upgrade path without breaking that functionality - suddenly 90% of phpBB installs were six months to a year behind and the neverNoSanity (aka Santy) worm en masse took down two-thirds of the Internet. Even if you weren't running phpBB yourself the massive security holes that there had been a months-old patch for would take you down if you so much as dared be on the same server where someone else was running it. (admittedly, cheap VPS was a pipe-dream back then and everyone was on shared).

    This one, while spreading fairly quickly, doesn't quite have that "perfect storm" scenario to it -- but that's sure as shine-ola NOT got anything to do with WordPress itself.

    The multiple entry vectors, utter and complete lack of security inside the "one wall" approach to app design, mean that should a hole appear, the hacker basically has the master key to every lock in the kingdom. The mere notion of "don't let library files return anything if values are called directly" and "restrict the scope of the database connection" (one of the many reasons to switch away from mysql_) seem to be utterly and completely alien concepts to the people who wrote it. Instead of layered security, good scope practices and proper use of include restrictions, it blindly allows anything to be called from anywhere, as evidenced by the ABSOLUTE MOUTH BREATHING DUMBASS BULLSHIT of storing the DB HOSTNAME, USERNAME and PASSWORD in DEFINE!!!

    Really the PHP for wordpress should make anyone who knows the first damned thing about PHP recoil in just as much horror as how anyone who knows the first damned thing about HTML should recoil in horror to what it vomits up and has the giant pair of donkey brass to call markup!

    It's got a giant expensive razor-wire fence around it akin to what some of the right wing-nuts want to build around America, but every quarter mile they cheaped out and instead of patching holes where the ground washed out beneath it, they just slapped in some chicken mesh and baling wire that one good punch could knock free.... and that's their idea of the be-all end-all of security since it doesn't even have locks on the doors or anyone guarding it once you're inside the perimeter.

    From top to bottom it reeks of "Security, what's that?" -- just as what it outputs has a nasty case of "HTML, what's that?", "Semantics, what's that?", "Cascading, what's that?" and "WCAG, what's that?"

    Which is why IMHO turdpress and pretty much everything built with it amounts to little more than nube bait for people who just don't know any better. People calling themselves "professionals" who deploy turdpress for others being giant sleazeball scam artists, even if they are unaware of it.
     
    deathshadow, Sep 18, 2015 IP
    malky66 likes this.
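The two practices post #3 names, "don't let library files return anything if values are called directly" and "restrict the scope of the database connection", shown in plain PHP as an added example. This is not code from the thread, from deathshadow, or from WordPress; the APP_ENTRY constant, the file layout and the credentials are assumptions and constructed placeholder values, and three files are shown in one listing separated by comments.

```php
<?php
// Added example, not code from the thread or from WordPress. It shows:
//   1. a library file that refuses to run when a browser requests it directly, and
//   2. a database connection (and its credentials) held inside a closure's scope
//      instead of in global define()'d constants that every included file can read.
// Three files are shown in one listing, separated by comments. APP_ENTRY, the
// paths and the credentials are assumptions / constructed values.

// ---------- config/db.php ----------
// Returns the settings to whoever require()s it; nothing is define()'d, so an
// unrelated file loaded later has no DB_PASSWORD constant to read.
if (!defined('APP_ENTRY')) { http_response_code(404); exit; }
return [
    'dsn'  => 'mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4', // constructed
    'user' => 'example_app',        // constructed; grant this account only what the app needs
    'pass' => 'replace-me-example', // constructed placeholder
];

// ---------- lib/db.php ----------
// Same guard: only an entry script that defined APP_ENTRY may run this file.
if (!defined('APP_ENTRY')) { http_response_code(404); exit; }

// Return a factory closure. $pdo is a static local, so neither the connection
// nor the credentials that created it ever exist as globals; a caller receives
// only the PDO object, and only because it explicitly asked for it.
return function (): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $cfg = require __DIR__ . '/../config/db.php';
        $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]);
        unset($cfg); // drop the plaintext credentials once the handle exists
    }
    return $pdo;
};

// ---------- public/index.php (the only web-reachable entry point) ----------
define('APP_ENTRY', true);           // declared BEFORE any include
$getDb = require __DIR__ . '/../lib/db.php';

// Query helper: takes the factory, not a global handle, and binds the id.
function findPost(callable $getDb, int $id): ?array
{
    $stmt = $getDb()->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$post = findPost($getDb, (int)($_GET['id'] ?? 0));
header('Content-Type: text/plain; charset=utf-8');
echo $post === null ? "not found\n" : "{$post['id']}: {$post['title']}\n";
```

The guard is the same idea as the `if (!defined('ABSPATH')) exit;` line WordPress plugin authors are told to put at the top of their files; here it is combined with keeping only `public/` under the web root, so `lib/` and `config/` are not reachable by URL at all, which is a second layer that does not depend on every file remembering the check. Holding the handle in a closure with a static local is what the old `mysql_` functions could not do, since they kept an implicit global link that any code anywhere could use.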
  4. serialentre

    serialentre Member

    #4
    That's scary.

    I am interested to know if the security problems pertain only to WP or to other PHP, Python, Ruby & JS frameworks too. But yeah, increasingly more people are blindly using plugins for everything and anything in WP. Maybe WP ought to do a screening for the plugins, akin to what Apple does for their apps?
     
    serialentre, Sep 18, 2015 IP
  5. PoPSiCLe

    PoPSiCLe Illustrious Member

    #5
    WordPress has hundreds, or thousands, of plugins - keeping a "close eye" on them will probably not be possible, unless WordPress starts doing micropayments for getting your plugin "vetted" - since most plugins are free, that won't give much back to the developer. Currently, I don't think the business plan allows for such a check.

    WordPress is not a framework, btw. It's a CMS, which allows for a lot of customization and using plugins, but it's not a framework. As for security issues in actual frameworks, they're as apparent there as they are in the plain versions of the language used - there is no guarantee that the framework's functions and classes are secure, and how you use them decides how secure your site is in general. Which is pretty much the same as for using plain PHP or JS or whatever flavor of code you wanna use that week. You can build a 100% secure site using regular PHP, or you can build a train wreck of horrible solutions using exactly the same version of PHP, just not using it right.

    The good thing about a framework, at least if it's popular and in use, is that problems and issues get reported, and usually fixed. Building a plain website, the only ones gonna see the code is you (or your team), which doesn't bode well for discovering obscure bugs.
     
    PoPSiCLe, Sep 19, 2015 IP