Couldn't give a fsck about patching? Well, that's your WordPress website pwned, then

Website admins are urged to update their WordPress installations as soon as possible to the latest version following a rash of attacks exploiting known vulnerabilities in the web publishing software. Researchers at Malwarebytes say miscreants don't appear to be targeting any one specific bug, but rather a full array of flaws …

  1. Anonymous Coward

    Ah... Another bright sunny day in the

    Internet of Cesspit... Why do we even bother!

    It's either full-on Hacking or full-on Surveillance...

    Which would you like with your Internet sir???

  2. razorfishsl

    Wordpress........ the New Adobe flash.

    1. Anonymous Coward

      Or ColdFusion

  3. Anonymous Coward

    "Your OS High Sierra is infected with (3) viruses!"

    I followed one of the infected WordPress sites using a third-party URL scanner that led me to the warning in the title of my comment that contained official-looking Apple icons in the bogus virus warning that warned me I should click the "Scan Now" button which downloaded: "MacCleaner.pkg".

    (I am not using a Mac but the useragent strings I used to spoof said I was.)

    Using the third party URL scanner allowed me to collect a treasure trove of info.

    And as always, these fake virus warnings all have something in common:

    #1 Hosted on Amazon's CloudFront

    #2 Comodo certificates

    #3 Google analytics

    #4 DoubleClick

    It's pretty sad when ordinary citizens are forced to take action against this kind of fraud.

    (I believe I now know why users' complaints to Google regarding fake virus warnings that link to bogus "antivirus/cleaner" apps on the Play store are ignored.)

  4. Anonymous Coward

    Lack of maintenance

    Seems many people / organisations get as far as throwing up some site using these tools and then never look after them (or don't know why/how to).

    For example the rucksack club at my university is now showing a listing of "happy ending" massage offers and nobody is at home to sort it out.

    1. Anonymous Coward

      Re: Lack of maintenance

      I suppose this is the next generation of abandonware for the 21st century, I'm not at all surprised, unfortunately.

    2. Primus Secundus Tertius

      Re: Lack of maintenance

      I am involved with a small voluntary group which has a Wordpress website. Over the years, we either have nobody who wants to really run our website, or else an enthusiast who takes it in a direction not all of us agree with.

      The site is with a hosting company. We hope they know what they are doing in relation to the problems this article reports.

      1. VinceH

        Re: Lack of maintenance

        "The site is with a hosting company. We hope they know what they are doing in relation to the problems this article reports."

        That depends. When you say "a hosting company" do you mean a company that specifically handles (and in your case handled) the installation, set up, and maintenance of WordPress, or do (did) they simply provide all the tools necessary for you to do it all yourself? If the latter, you need to look after it. (You = the group, obvs.)

        1. Primus Secundus Tertius

          Re: Lack of maintenance

          @VinceH

          Answer: the former.

          Thanks for your comment, though.

      2. TwistedPsycho

        Re: Lack of maintenance

        Depends how much you pay them as to whether they care....

  5. Maelstorm

    These scammers do not like me.

    Why? Because one of my hobbies is to trick them into thinking that I am in need of their 'services' when in actuality, I am scamming them. The longer they stay on the phone with me, that is time they can't scam someone else. In some cases, they downloaded and ran programs off my VM that they were connected to and ended up destroying their computer. WannaCry anyone? Hey, if they were legit, they wouldn't be downloading fake word documents titled banking_details.doc.exe with the extension hidden and a word doc icon.

    These fake tech support scammers will syskey your machine and then you have to pay $200-300 to get the password to unlock your machine. That is how they make money. And a lot of them use iTunes gift cards, and they are mostly out of India...at least that's been my experience.

    1. 9Rune5

      Re: These scammers do not like me.

      banking_details.doc.exe with the extension hidden and a word doc icon.

      Shirely, for that to do any permanent damage, it would need to run elevated. They didn't ignore the elevation prompt, did they?

      I ask, because... Sounds like a fun hobby.

      1. Maelstorm

        Re: These scammers do not like me.

        Oh, it's hilarious. It's been my new form of entertainment for about 3 months now. I learned how to do it by watching YouTube videos. Some have links to the tools that they use too.

  6. Pen-y-gors

    No excuse really

    I am not a fan of Wordpress, largely because of the security issues.

    But it can be used in a way that is probably not noticeably less safe than most other systems.

    1. Install a decent security plugin, and switch on all the options (I've been using All in One WP Security) - that will block a lot of nasty attack vectors, and also set things up for AUTOMATIC UPDATE of WP! Jesus! How difficult can it be!

    2. DON'T install those tempting little plugins from god-knows-where. The ones that will turn out to have an interesting hole, 3 years after the sole developer died in a terrible tragedy involving cold soup, a rhododendron and stolen bitcoins.

    3. Only use WP for fairly straightforward sites, ideally brochureware. If it's going to be running e-commerce, look elsewhere.

    4. And if you're paranoid, look out for some really solid hosting. I run a number of shared hosting packages, but keep the WP sites on a separate package so any successful attacks can't access more important stuff.

    1. dmacleo

      Re: No excuse really

      Have used the All in One WP alongside the Sucuri plugin and it worked well.

      Paid Sucuri also had tech support that would work any issues.

    2. FlamingDeath

      Re: No excuse really

      CMS systems are attractive to businesses because they allow some PR bot and other departments to post/edit content without having to know how to use HTML/CSS and/or object oriented programming.

      The amount of lines of code to allow for this functionality far outstrips the amount of code needed to produce the same content if it was done by someone who knows how to code it. Straight away I can see that's a problem. It becomes even more of a problem when you factor in plugins and the fact the popularity of them means they're going to be targeted by automated tools like wpscan and joomscan.

  7. EJ

    How hard can it be to keep patched?

    Newer versions of WP simply update themselves, and as far as plug-in updates, I get an email notification when a plug-in needs updating, and that's simply logging into the site, clicking 'Updates', and then checking the box for the plugins to update. A minute later, it's all updated. Total time spent updating the site? Literally less than 2 minutes.

    1. Donn Bly

      Re: Ooooh...

      It's not just "newer versions" automatic update - automatic update was introduced in version 3.7, which was released on October 24, 2013. FIVE YEARS AGO.

      Take ANY five year old server OS and there are lots of security issues - why would you expect a web application to be any different?

      If someone is still running something that old then it is obvious that they DON'T have a "web admin" so telling "web admins" that they need to update isn't going to do any good.

      It does, however, create a market opportunity for someone who wants to scan websites looking for potential customers. Nothing illegal as it doesn't require a deep probe, just grab the index and see if there is a "<meta generator=" line with a version of WordPress that is old. If there is one, then you know that (1) they are using an old potentially vulnerable version and (2) they aren't using any kind of security plugin. All you then have to do is convince the site owner that they need an upgrade.
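The generator-tag check described in the comment above, written for a site owner auditing saved copies of their own home pages (an added example, not part of the original thread). The sample pages and hostnames are constructed, and the tag form parsed is the `<meta name="generator" content="WordPress x.y">` that WordPress emits.

```python
import re
from html.parser import HTMLParser

# Automatic background updates arrived in WordPress 3.7 (figure from the comment above).
AUTO_UPDATE_SINCE = (3, 7)

class GeneratorFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))

def wordpress_version(html):
    """Return the advertised WordPress version as a tuple of ints, or None."""
    finder = GeneratorFinder()
    finder.feed(html)
    for content in finder.generators:
        m = re.fullmatch(r"\s*WordPress\s+(\d+(?:\.\d+)*)\s*", content, re.I)
        if m:
            return tuple(int(part) for part in m.group(1).split("."))
    return None

def assess(html):
    version = wordpress_version(html)
    if version is None:
        # Tag stripped (e.g. by a security plugin) or not WordPress at all:
        # this says nothing about patch level, so check the install directly.
        return "unknown"
    if version < AUTO_UPDATE_SINCE:
        return "predates-auto-update"
    # Capable of updating itself, which is not the same as being current.
    return "auto-update-capable"

def audit(pages):
    """Map each site name to its assessment."""
    return {site: assess(html) for site, html in pages.items()}

# Constructed sample home pages for an owner's own inventory.
SAMPLE_PAGES = {
    "club.example.org": '<html><head><meta name="generator" content="WordPress 3.5.1" /></head></html>',
    "shop.example.org": '<html><head><META NAME="Generator" CONTENT="WordPress 4.9.8"></head></html>',
    "blog.example.org": "<html><head><title>No generator tag</title></head></html>",
    "docs.example.org": '<html><head><meta name="generator" content="Joomla! - Open Source Content Management"></head></html>',
}

if __name__ == "__main__":
    for site, verdict in audit(SAMPLE_PAGES).items():
        print(f"{site}: {verdict}")
```

A missing tag is reported as `unknown` rather than safe, since removing the generator line does not patch anything.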

  8. Anonymous Coward

    SDLC

    Software Development Lifecycle.

    AKA - keeping your shit up-to-date.

    It's not rocket science people.
