Mysterious Malware Is Infecting 100k Wordpress Sites

HardOCP News

It might be a good idea to avoid any Wordpress sites you normally visit until they get this whole malware thing worked out.

Google has already blocked 11,000 domains to try to curb the damage. According to security firm Sucuri, the malware uses a vulnerability in a slideshow plug-in called Slider Revolution. The Slider Revolution team has known about the vulnerability since September, but it looks like they failed to fix it before the security hole got crammed with steaming hot malware.
 
I wonder if the blog I pretend to write is infected. I've always imagined it would be a Wordpress one if it actually ever existed.
 
Something isn't adding up .. This is pretty wide-spread, the article is claiming ThemePunch knew about the exploit back in September. ThemePunch claims they patched it back in February.

So ... Which is it? Is it that old?
 
Fuck Wordpress. For my company's blog (that we update like 2x a year), I spent two days writing a mostly static replacement for wordpress; best two days investment ever. :)
 
Fuck Wordpress. For my company's blog (that we update like 2x a year), I spent two days writing a mostly static replacement for wordpress; best two days investment ever. :)
I am thinking to do the same thing. Much easier...
 
Something isn't adding up .. This is pretty wide-spread, the article is claiming ThemePunch knew about the exploit back in September. ThemePunch claims they patched it back in February.

So ... Which is it? Is it that old?

The exploit came out a while ago, it's surprising that there were still 100k+ websites out there that were vulnerable. I checked a few weeks ago after reading about it and a bunch of sites showed up with a basic Google dork for a theme that was bundled with the slider. Most of them wouldn't return the contents of wp-config but a few did. I'm assuming someone probably made a comprehensive list of themes that came with the slider and wrote a script to automate the pwning process.
 
Was the website telling about this exploit also a wordpress blog? :p
 
90% of wordpress "hacks" are actually plugin hacks, sooooo don't run any plugins, problem solved
 
Wordpress is great...as long as you keep on top of it. One of the reasons Wordpress is 'sold' and is so popular is that the owner can update and manage it themselves without having to go back to the web designer to do it.

Many website owners ask for that very functionality.

However, in reality very few ever actually do maintain and update their sites once handed over. So their version of Wordpress gets out of date and usually hacked as a result.

The web designer who monitors such things just in case will notice this, sigh or smile and wait for the customer to call back begging them to fix it all once they notice (if they ever do).

Once again the weak link is the human one.
 
I had an inception dream on this last night. I yelled at my wife for having this slideshow on my wordpress blog and she told me it was just a dream. Then I had another dream where it was on my website.

Lol.
 
Oh my god this is getting ridiculous and the misinformation about Wordpress is amazing.

A) The problem was with a specific plug-in that is extremely popular and well maintained. Unless someone had not updated their site for a long time, the vulnerability was patched ages ago (many months) but news spread out now.

B) The fact that it is so easy to keep a WP installation up to date but still, there were so many sites affected makes me believe that some people wanted that to happen (i.e. web authors vs clients). The vast majority of those sites' designers had received notifications on freaking time to update the plug in and they seemed to ignore it deliberately or not. I did not, although I was already up to date.

C) There is a huge library of security tools (free and paid) for wordpress yet most people don't use them.

I am currently building a site, for example, that aside from the fact that it does not look like Wordpress at all, visitors won't be able to see it is Wordpress even by inspecting the source code. Yes you can hide that too.

Honestly, this has nothing to do with Wordpress but with the way some people manage their sites.


Finally, I am using Wordpress + plugins + JS scripts + html + CSS to build very powerful web sites that can do things costing 10s of thousands if going the custom development route. So basically, there is no way one can replace it on their own with any home made solution unless they want to do the most basic stuff and it will still be lacking in a million ways compared to what Wordpress is capable of. It's not easy to compete with the huge library of plug-ins and add-ons the WP has to offer and no other CMS comes even close to that.




BTW - the Irony - Sony uses Wordpress in several of their sites and although most of their systems have been hacked in every possible way, I am not aware of any hack to their Wordpress Sites. If anyone is aware of such incidents I would be glad to know.
 