Patch your WordPress plugins: Scum are right now hijacking blogs

The plugin gurus at WordFence have this week found three critical security holes in third-party WordPress extensions that are being actively exploited by hackers to take over websites. The team was investigating a number of hacking attacks that looked unusual and back-traced the intrusions to a PHP object injection …

  1. a_yank_lurker

    Oh Joy?

    Is WordPress becoming the new Adobe Flash?

    1. stizzleswick
      Boffin

      Re: Oh Joy?

      Nope. With Flash, fixes took up to a month to appear. Just keep your WP sites up to date, and you're relatively safe. Security best practices are assumed to have been followed, of course, such as not having an admin account with the username "admin" and "pa55w0rd" for a password. But that is hardly something one could blame on WordPress.

      1. Pomgolian
        FAIL

        Re: Oh Joy?

        >not having an admin account with the username "admin"

        With the delightful new and shiny REST API, a complete list of user names can be exposed simply by poking the URL:

        example.com/wp-json/wp/v2/users

        unless you've been wise enough to install a plugin that blocks access for unauthenticated users.

        1. Justin Case

          Re: Oh Joy?

          >> a complete list of user names can be exposed simply by poking the URL:

          Yikes!! Sometimes I wonder why I bother, I really do. What a POS.

        2. VinceH
          Unhappy

          Re: Oh Joy?

          "example.com/wp-json/wp/v2/users"

          Oh, FFS!

          I have three WP installations, and I've wanted to migrate away from it for a long time. Two would be easy to deal with, but I've held back because of the third - which is huge and would be a big job. But with stupid shit like that, it looks like I'm going to have to find some time, which is in VERY short supply, to start looking at this.

          (The one mitigation is that the only user accounts are my own.)

          Thanks for the heads up.

        3. stizzleswick
          Boffin

          Re: Pomgolian

          "unless you've been wise enough to install a plugin that blocks access for unauthenticated users"

          I thought I had implied that by saying security best practices were to be followed.

        4. charlie-charlie-tango-alpha

          Re: Oh Joy?

          It's worse than that. Try example.com/wp-json/ or wp-json/wp/v2 etc.

          This is best blocked by installing the "disable REST API" plugin. See:

          https://wordpress.org/plugins/disable-json-api/
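The user-listing route Pomgolian and charlie-charlie-tango-alpha describe can also be closed without a third-party plugin. The following is an added example, not code from the Disable REST API plugin or from the article: a must-use plugin that removes the `/wp/v2/users` routes from the REST route table for visitors who are not logged in, with an optional strict mode (the `HIDE_REST_USERS_STRICT` constant is this example's own toggle) that rejects every unauthenticated REST request instead.

```php
<?php
/**
 * Plugin Name: Hide REST user routes from anonymous visitors (added example)
 *
 * Save as wp-content/mu-plugins/hide-rest-users.php; mu-plugins load on
 * every request and cannot be deactivated from the dashboard.
 * HIDE_REST_USERS_STRICT is this example's own toggle, not a WordPress constant.
 */

if ( ! defined( 'HIDE_REST_USERS_STRICT' ) ) {
    // false: only the /wp/v2/users routes vanish for anonymous requests.
    // true:  every REST request must come from a logged-in user, which is
    //        broadly what the linked "Disable REST API" plugin does.
    define( 'HIDE_REST_USERS_STRICT', false );
}

// Narrow fix: drop the user routes from the route table when nobody is logged in,
// so /wp-json/wp/v2/users and /wp-json/wp/v2/users/1 answer 404 rest_no_route.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Broad fix: require a logged-in user for the whole API. This filter runs after
// cookie and nonce authentication, so authenticated dashboard requests still pass.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! HIDE_REST_USERS_STRICT ) {
        return $result;
    }
    // Respect a decision an earlier callback already made (true or WP_Error).
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    return new WP_Error(
        'rest_not_logged_in',
        'You must be logged in to use the REST API.',
        array( 'status' => rest_authorization_required_code() )
    );
} );
```

Strict mode also blocks anything legitimate that talks to the API anonymously (front-end form submissions, oEmbed), so test the public site before enabling it.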

      2. wolfetone Silver badge

        Re: Oh Joy?

        "Nope. With Flash, fixes took up to a month to appear. Just keep your WP sites up to date, and you're relatively safe. Security best practices are assumed to have been followed, of course, such as not having an admin account with the username "admin" and "pa55w0rd" for a password. But that is hardly something one could blame on WordPress."

        What about ordinary Joe Soap who spent thousands for some agency to build their WordPress site and the agency don't do updates because it costs them time that they can't charge the customer?

        1. Captain Scarlet Silver badge

          Re: Oh Joy?

          "What about ordinary Joe Soap who spent thousands for some agency to build their WordPress site and the agency don't do updates because it costs them time that they can't charge the customer?"

          We require all our sites to be hosted by us (then we know what sites are there, which domains are used, etc.; obviously until they can't be bothered and slap their domain on a crap web host, and when we find out they wonder why we are fuming that they paid stupid amounts of money for a website no one has control over and the domain isn't even officially owned by the company). We then request that the agency keeps the site up to date whilst we host it (making Marketing aware they are paying the agency for it); if they fail to do so, we demand a login and do it ourselves (ensuring time is logged and cross-charged to Marketing); when the marketing agency needs to do work, we take a backup of the database and files and supply it to them.

          So far I am only happy with one agency used, as they actually do apply updates faster than we are able to.

          1. wolfetone Silver badge

            @Captain Scarlet

            That's the right thing to do. But this doesn't happen all the time. And if it does, agencies can ask for or "sell" the updates to the client. If the client refuses then fine, it carries on running, but when it keels over they then pay for the recovery of the site. How that's done is up to them, but I know I worked for a place that charged the client for an "emergency rebuild" and basically recovered it from a backup.

            Sad story is, a lot of customers who want a website want it for nothing, and those customers go to these agencies who will screw them over. We talk of PPI and car loans being a ticking timebomb for financial industries, but I think the way agencies operate when it comes to websites based on frameworks (Magento, WordPress etc) is another timebomb in itself.

  2. Outer mongolian custard monster from outer space (honest)

    Wonder if I'm still going to get downvoted for saying to deploy WordPress as a static site after exporting it with wp-static and deploying THAT on the hosting proper, and keeping the whizzy CMS bit hidden on a deployment intranet server?

    I like these alerts though, reminds me to go update the plugins for my wpscan tool.

  3. nickx89

    unfortunately

    The very first step to website security is to keep it updated at all times. But unfortunately, most of the plugins people use are 'cracked', which they cannot update, or if they purchase them, they are too lazy to update them.
