Slashdot: News for Nerds

Wordpress.org Warns of Active Worm Hacking Blogs

timothy posted more than 4 years ago | from the in-this-case-the-worms-are-actually-human-beings dept.


Erik writes "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a 'clever' worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process; however, newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at Wordpress.com are also apparently immune."


103 comments

frist (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29327135)

frist!

Re:frist (0, Offtopic)

epe (851815) | more than 4 years ago | (#29327195)

A real and maintained multisite WordPress will be more than welcome for hosting companies, so an easy upgrade can be achieved.

"Clever?" (4, Insightful)

Solra Bizna (716281) | more than 4 years ago | (#29327185)

There have been widespread worms that did this sort of thing before (phpBB comes to mind). Does this one do anything novel that makes it deserve the adjective "clever?"

-:sigma.SB

Re:"Clever?" (1)

mysidia (191772) | more than 4 years ago | (#29328563)

There was exactly 1 really clever worm of this nature. The internet worm created by Robert Morris Jr. [ryerson.ca] 21 years ago. And perhaps the first worm in a PHP/CGI app which was not this one.

The rest have just been copycats, non-original. And the payload isn't even clever.

Re:"Clever?" (0)

Anonymous Coward | more than 4 years ago | (#29328823)

Conficker is actually kinda neat, inasmuch as it does things in a halfway-intelligent manner, rather than being hacked-together script kiddie garbage. It's still not very interesting, though.

Re:"Clever?" (1)

cosm (1072588) | more than 4 years ago | (#29329561)

Nope. Not until the worm's heuristics can penetrate my blag.

Hey Wordpress... (4, Insightful)

pathological liar (659969) | more than 4 years ago | (#29327203)

Maybe you should stop putting the Wordpress version in meta tags on the page? Or at least make it opt(-in)ional?

Re:Hey Wordpress... (3, Informative)

zn0k (1082797) | more than 4 years ago | (#29327227)

As outlined in TFA (yes, I know, I know) that's snake oil. You can run response tests to determine a version.

Re:Hey Wordpress... (5, Insightful)

StarHeart (27290) | more than 4 years ago | (#29327343)

I wouldn't say it is snake oil. Putting versions in a page allows you to Google for it. Which makes the attack a lot easier. It also allows the attacker to do reconnaissance a lot less detectably a hold of time, and then spring it on everyone at once.

Re:Hey Wordpress... (1)

siloko (1133863) | more than 4 years ago | (#29329527)

It also allows the attacker to do reconnaissance a lot less detectably a hold of time

You're at +3 Insightful so I guess this means something, but perhaps not in English . . .

Re:Hey Wordpress... (1)

yawnmoth (534382) | more than 4 years ago | (#29327603)

I suppose you also think salted passwords are snake oil? Sure, they're not going to stop someone who's brute forcing on the fly, but they do make life more complicated for people using rainbow tables.

I only mention salted passwords because Wordpress uses them [openwall.com] (see wp-includes/class-phpass.php).

Re:Hey Wordpress... (0, Troll)

zn0k (1082797) | more than 4 years ago | (#29327727)

No, I do not. Salted passwords have nothing to do with what essentially is the same thing as obfuscating banners on web or mail servers. Salted passwords significantly improve security. Obfuscating banners only adds a trivial amount of work to determine the version a server is running. Mind you, obfuscating banners certainly doesn't make things worse, so I actually agree that it should be a configurable option. I just disagree that it's a particularly worthwhile option because I agree with TFA in that obfuscating banners at most entices an attacker that is looking for any target to go for someone else because he'd have to run additional steps on you. It does absolutely nothing to help an attacker targeting you specifically. It may not even help with drive-bys depending on how trivial it is to determine the version by probing and checking responses - I must admit I don't know how trivial this is with Wordpress.

Re:Hey Wordpress... (1)

yawnmoth (534382) | more than 4 years ago | (#29327929)

Salted passwords have nothing to do with what essentially is the same thing as obfuscating banners on web or mail servers. Salted passwords significantly improve security.

Do you even know what a salted password is? Instead of brute forcing hash(password) you brute force hash(salt + password). Since the salt is always going to be known, brute forcing hash(salt + password) takes no more time than brute forcing hash(password). All it protects against are run-of-the-mill rainbow table attacks.

Obfuscating banners only adds a trivial amount of work to determine the version a server is running.

I assume you're referring to the capability testing that the wordpress.org post mentioned? Tell me - did 2.8.4 even introduce new capabilities? If so, then, presumably, it should have been numbered 2.9.0 - not 2.8.4. And if they didn't add new capabilities, then capability testing wouldn't allow an attacker to figure out if you were running a vulnerable version or not, wordpress.org's comments notwithstanding.

Re:Hey Wordpress... (1)

pixelpusher220 (529617) | more than 4 years ago | (#29328141)

Who said the salt has to be only appended or prepended? I've built systems where the salt was mixed into the password much like a deck of cards is shuffled. Good luck figuring that out ;-) The pattern of 'shuffle' was constant, so technically just an obfuscation, but a pretty effective one against brute force attacks.

Besides, the point of a salt isn't to make something unknowable, it's to make it hard to brute-force. I don't know that the statement "the salt will always be known" is a valid one. The fact that it's different for each password is what makes it secure.

Now, if the salt is 'known', yes it's not as hard, but you still need to regen the table again to find out what it is.

Salts work best against large scale attacks, not so much against cracking a single password for the reason you describe. But if someone is trying to get a group of passwords, regenerating the tables for each password gets to be a bit time consuming.

Re:Hey Wordpress... (1)

yawnmoth (534382) | more than 4 years ago | (#29328199)

I don't know that the statement "the salt will always be known" is a valid one. The fact that it's different for each password is what makes it secure.

The statements "the salt will always be known" and "it's different for each password" aren't mutually exclusive. You can have a unique salt for each user / password and still always know the salt for each of those users.

Also, in the case of Wordpress, I imagine the only password an attacker would be interested in would be that of an admin. Presumably you wouldn't be trying to brute force every single user's password on a Wordpress installation, anyway. Of course, then again, I'm not sure non-admins have a reason to have an account, anyway, since most Wordpress installs allow unauthenticated users to comment.
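The salt argument above, worked through as an added example (not from the thread, and not WordPress's own code): a precomputed table cracks every unsalted account by lookup, a per-user salt forces a fresh dictionary pass per account, and a salt that the attacker knows does not add a single hash operation to a targeted brute force. The dictionary and the accounts are constructed sample data.

```python
"""Added example (not from the Slashdot thread): what a per-user salt does
and does not buy against the dictionary attack discussed above.

The hash construction is the thread's hash(salt + password), over SHA-256;
the wordlist and the user accounts are constructed sample data.
"""
import hashlib
import os

# Constructed attacker wordlist; real lists have millions of entries.
DICTIONARY = ["password", "letmein", "qwerty", "wordpress", "admin123", "hunter2"]


def hash_pw(password, salt=""):
    """hash(salt + password); salt="" gives the unsalted scheme."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_table(salt=""):
    """Precomputed lookup table hash -> password (a stand-in for a rainbow
    table). Costs one hash per dictionary word and is valid for ONE salt."""
    return {hash_pw(pw, salt): pw for pw in DICTIONARY}


def lookup(stored_hash, table):
    """O(1) crack of one hash using a precomputed table, or None."""
    return table.get(stored_hash)


def brute_force(stored_hash, salt=""):
    """Targeted attack: hash each candidate with the (known) salt until one
    matches. Returns (password or None, number of hash operations)."""
    for attempts, pw in enumerate(DICTIONARY, start=1):
        if hash_pw(pw, salt) == stored_hash:
            return pw, attempts
    return None, len(DICTIONARY)


def crack_all(stored):
    """stored: user -> (salt, hash). Every salt sits in the database in the
    clear, so the attacker knows it; the cost is a fresh dictionary pass per
    distinct salt. Returns (recovered passwords, total hash operations)."""
    recovered, total = {}, 0
    for user, (salt, h) in stored.items():
        pw, attempts = brute_force(h, salt)
        total += attempts
        if pw is not None:
            recovered[user] = pw
    return recovered, total


def demo():
    """Constructed accounts; returns the numbers the thread argues about."""
    creds = {"alice": "wordpress", "bob": "hunter2", "carol": "letmein"}

    # Unsalted: one table, built once, cracks every account by lookup.
    table = build_table()
    unsalted = {u: lookup(hash_pw(p), table) for u, p in creds.items()}

    # Salted with a random per-user salt stored beside the hash.
    stored = {}
    for u, p in creds.items():
        salt = os.urandom(8).hex()
        stored[u] = (salt, hash_pw(p, salt))
    # The unsalted table is now useless: none of the stored hashes is in it.
    table_hits = sum(h in table for _salt, h in stored.values())
    # ...but a per-user dictionary pass still recovers everything, at the same
    # per-account cost the unsalted targeted attack would have paid.
    recovered, work = crack_all(stored)
    return unsalted, table_hits, recovered, work
```

Against one targeted account the salt buys nothing, as yawnmoth says; what slows that case is an iterated, deliberately slow hash, which is what the phpass library mentioned above provides.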

Re:Hey Wordpress... (0)

Anonymous Coward | more than 4 years ago | (#29327537)

phpBB removed version numbers in early 2005 [phpbb.com] (Ctrl+F5 for "Removed version number from powered by line") so it's not exactly unprecedented.

Re:Hey Wordpress... (0, Troll)

mysidia (191772) | more than 4 years ago | (#29328569)

That doesn't have the least bit of an effect on exploitability of the bug, or its wormability.

The wp*.php files are a very obvious give-away that you run WordPress.

Re:Hey Wordpress... (2, Interesting)

Anonymous Coward | more than 4 years ago | (#29328613)

The idea isn't to hide the fact that you're using Wordpress - it's to hide the fact that you may very well be running an exploitable version of Wordpress.

Re:Hey Wordpress... (0)

Anonymous Coward | more than 4 years ago | (#29329005)

Net effect: you slow down the worm a little. Congratu-fucking-lations.

Re:Hey Wordpress... (1)

anagama (611277) | more than 4 years ago | (#29329043)

Congrats if it gives you enough extra time to do an update, though yeah, it should have been done immediately. Of course, immediate backups don't always happen even if you are conscientious, e.g. you're on vacation, a worm comes out, a quick fix comes out, but your laying in the sand in some wifi-less slashdot-less world.

Re:Hey Wordpress... (1)

anagama (611277) | more than 4 years ago | (#29329055)

s/backups/updates/

s/your/you\'re/

Re:Hey Wordpress... (1)

Architect_sasyr (938685) | more than 4 years ago | (#29329281)

s/backups/updates/

s/your/you\'re/

s/wifi-less slashdot-less/deepest dimension of a hell hole containing Episodes 1, 2 and 3/

Re:Hey Wordpress... (1)

mysidia (191772) | more than 4 years ago | (#29335581)

The worm could be designed just to find as many wordpress installs as possible and attempt the exploit on all of them, regardless of version number.

Using searches for wordpress-specific files as search keywords to identify them.

*ahem* (0)

Anonymous Coward | more than 4 years ago | (#29328731)

It would be a lot to ask to have you actually read the linked articles before commenting (or modding something as *insightful*): The linked article says that the exploit checks for capabilities, not version number.

Re:*ahem* (0)

Anonymous Coward | more than 4 years ago | (#29329259)

It would be a lot to ask to have you actually read the linked articles before commenting (or modding something as *insightful*): The linked article says that the exploit checks for capabilities, not version number.

Isn't the very act of attempting to exploit a vulnerability a test in capabilities? If you try to run the exploit on every wordpress installation out there, be it using a vulnerable version or not, you'll know which ones are running a vulnerable version after having made the attempt.

anonymous (0)

Anonymous Coward | more than 4 years ago | (#29327313)

Worm-hacking blogs! Wordpress must be stopped!

the problem with one-click upgrades (4, Insightful)

Anonymous Coward | more than 4 years ago | (#29327317)

...newer versions offer fast and simple one-click upgrades

If wordpress.org is hacked, again [wordpress.org], their one-click upgrade feature means instant ownage for all Wordpress blogs everywhere.

Re:the problem with one-click upgrades (1)

kickme_hax0r (968593) | more than 4 years ago | (#29327369)

Slightly better one-click system:
- Open your favourite shell (click, sometimes)
- wget the patch file
- read through the patch file if you think it may be an ownage patch
- apply patch file
- ???
- Profit. Too bad for all those that have to manually apply the patch for lack of patch (or something similar)

Re:the problem with one-click upgrades (0)

Anonymous Coward | more than 4 years ago | (#29327481)

A really nasty worm could really take advantage of that. Wait for the user to enter their FTP information for their one-click upgrade feature and grab it to deface the rest of the website.

Re:the problem with one-click upgrades (3, Insightful)

jesser (77961) | more than 4 years ago | (#29327517)

That problem isn't specific to 1-click updates. It exists equally with 0-click updates (like Firefox's minor updates) and 50-click updates (like WordPress used to have).

You can improve the security of updates by using multiple layers of software protection (e.g. https AND code-signing). You can't improve security by increasing human involvement in the update process and then blaming users who update while the site is hacked. Increasing human involvement just makes it slower and limits the kinds of software protection you can use.

Re:the problem with one-click upgrades (1)

mysidia (191772) | more than 4 years ago | (#29328621)

No, when you click the "auto upgrade" button, WP prompts you to enter the hostname, FTP username, and FTP password, to apply the upgrades.

Now, this does pose a security risk if your site is compromised (unbeknownst to you), and the attacker manages to use SQL injection to redirect you to a 'fake upgrade page'.

When you click the upgrade button, and provide your credentials... the attacker has co-opted the web-ui, and you're sending the FTP username and password directly to the kiddie, giving them the means to completely pwn the site....

Re:the problem with one-click upgrades (1)

PReDiToR (687141) | more than 4 years ago | (#29332123)

My WP install doesn't ask me for those details.

But then, I'm running it on my own LAMP.

Re:the problem with one-click upgrades (1)

JSlope (1180805) | more than 4 years ago | (#29338395)

You don't have the correct permissions on your files, if it asks you for ftp login and passwords. With correct permissions it can modify everything by itself.

Re:the problem with one-click upgrades (1)

mysidia (191772) | more than 4 years ago | (#29341981)

Au Contraire. I think if it can modify itself, the site clearly has incorrect file permissions. It's intended behavior that scripts can't modify themselves.

Actually, I use SELinux configurations to make sure Apache can never write to files in web content directories.

Re:the problem with one-click upgrades (1)

JSlope (1180805) | more than 4 years ago | (#29348617)

Actually I think that the ability to easily upgrade the system to the latest version (without vulnerabilities) outages the risk of self modifying scripts. I've seen old sites un-updated because it takes 20 minutes instead of one to update them. It's the same risk as turning on autoupdate in your OS.

Re:the problem with one-click upgrades (1)

JSlope (1180805) | more than 4 years ago | (#29348623)

outages = outweighs

Re:the problem with one-click upgrades (1)

jo42 (227475) | more than 4 years ago | (#29328475)

The problem with "simple one-click upgrades" is that the web server, usually Apache, requires full read/write privileges to the directories and files that Wordpress lives in. Talk about a massive gaping security hole.

Re:the problem with one-click upgrades (0)

Anonymous Coward | more than 4 years ago | (#29328509)

Oh screw that. For a while I had considered taking the lazy way out and adding Wordpress to my site but now I think I'll just go with my original plan and write my own blogging software.

Re:the problem with one-click upgrades (1)

palegray.net (1195047) | more than 4 years ago | (#29328515)

Good luck with all the security holes you're inevitably going to reinvent along the way.

Re:the problem with one-click upgrades (1)

maxume (22995) | more than 4 years ago | (#29328547)

None of them are particularly likely to be an attractive nuisance. Popularity brings its own problems.

If I were going to write blogging software, there is a dangerous possibility that it would render static html, which I would have to laboriously rsync to the server. But maybe that isn't blogging software anymore.

Re:the problem with one-click upgrades (1)

palegray.net (1195047) | more than 4 years ago | (#29329003)

If you're taking that approach, you'll probably be okay :). I would argue that such a system, coupled with a basic interface for submitting comments, would definitely qualify as a CMS (with the most commonly used type of CMS being blogging systems), and should be viewed as a blogging platform.

Most people go the opposite direction and insist on rendering everything dynamically. I like the approach you're considering much better; in fact, it's exactly the approach I took when I wrote the CMS that drives the Linode Library [linode.com].

Incidentally, you should probably include automation to sync your stuff to the server/directory instead of getting all laborious with it ;).

Re:the problem with one-click upgrades (0)

Anonymous Coward | more than 4 years ago | (#29329309)

Wrong on several counts. First, I am probably a more experienced programmer than anyone working on the Wordpress team. Second, I won't be writing it in PHP. Third, I want a blogging system, not the bloat that Wordpress has become and therefore my system will not have nearly as many entry vectors by that virtue alone. Finally, I will be the sole developer and as such there cannot be any conflicts of interest nor communication problems.

Many of the security holes in Wordpress seem to get added because they can't leave good enough alone. A blogging system should allow the owner to add articles and for users to post comments, nothing more. When they started adding all of the other garbage to Wordpress, it just collapsed under its own weight.

Re:the problem with one-click upgrades (1)

jobst (955157) | more than 4 years ago | (#29330639)

how many different shapes of wheels can you invent?

ok, round.
ahh, and round.
what was that other one .. round!

jobst

Re:the problem with one-click upgrades (1)

mysidia (191772) | more than 4 years ago | (#29328581)

Haven't they ever heard of signed patches?

Why can't they make the one-click upgrade verify a GPG signature before performing the installation of the code contained in the upgrade file?

Captain Obvious to the Rescue (1)

Xeleema (453073) | more than 4 years ago | (#29327375)

From TFA: "This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."

So let me get this straight. If I have a blog that doesn't allow other people to register, say for example, one just for my personal note-taking use. Then I'm in the clear? Sweet. Guess I don't need that Snake Oil after all....

Re:Captain Obvious to the Rescue (0)

Anonymous Coward | more than 4 years ago | (#29327937)

Um, there are plenty of Wordpress blogs that will take anonymous comments, but not allow random people to create an account in the db. If you do a diff -ur between versions 2.8.2 and 2.8.3, you'll see a ton of permission checks added. Think privilege escalation vs. remote root exploit.

Re:Captain Obvious to the Rescue (1)

harlows_monkeys (106428) | more than 4 years ago | (#29328187)

It registers a user? I wonder if this is why my Wordpress blog, which generally is not of interest to anyone, suddenly has had several requests for new user registrations.

Re:Captain Obvious to the Rescue (1)

carolfromoz (1552209) | more than 4 years ago | (#29329591)

This interests me because I've seen the same thing in the last couple of days. Normally the only reason anyone registers on my blog is to post a comment. I have my settings so I have to approve the first comment and after that they're good to go - so it was odd to see a couple of registrations with no comment approval coming straight after.

Now I've gone to check... they're all gmail accounts. *suspicious*

As expected, OSS fares no better than proprietary (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29327379)

As I predicted many years back, an OSS dominated software ecosystem will fare no better than the proprietary software ecosystem of today in terms of malware and attacks. As Bill Clinton would say, "It's the users, stupid!" (or perhaps "It's the stupid users!")

maybe if they used their release notification list (1, Insightful)

Anonymous Coward | more than 4 years ago | (#29327411)

http://wordpress.org/download/ [wordpress.org]

When you download Wordpress, you're asked for your email address for release notifications. Shame they don't actually use it:

http://wordpress.org/support/topic/230558 [wordpress.org]

What's the point of offering it if they don't use it? Also, their blog has such a terrible noise-to-quality ratio that it's absolutely useless in this regard. All I care about is whether a new version is available or not - I couldn't care less about what new "awesome" features they've added or are trying to add - I just want to update my blog when new versions are released and leave it at that.

Re:maybe if they used their release notification l (0)

Anonymous Coward | more than 4 years ago | (#29329087)

Their software may be shit, but they do have basic features like tag-specific feeds [wordpress.org].

Re:maybe if they used their release notification l (2, Informative)

Zancarius (414244) | more than 4 years ago | (#29329179)

What's the point of offering it if they don't use it? Also, their blog has such a terrible noise-to-quality ratio that it's absolutely useless in this regard. All I care about is whether a new version is available or not - I couldn't care less about what new "awesome" features they've added or are trying to add - I just want to update my blog when new versions are released and leave it at that.

The admin dashboard alerts you whenever a new version is available. You don't even need to register with/check their site.

Re:maybe if they used their release notification l (0)

Anonymous Coward | more than 4 years ago | (#29329297)

The admin dashboard alerts you whenever a new version is available. You don't even need to register with/check their site.

They release updates more frequently than I post stories on my blog. Indeed, 2.8.4 was released just a week after 2.8.3. Can't wait to see what next week brings!

Re:maybe if they used their release notification l (1)

EnglishTim (9662) | more than 4 years ago | (#29330011)

Yes, but that assumes you regularly visit your admin panel.

Re:maybe if they used their release notification l (1)

oDDmON oUT (231200) | more than 4 years ago | (#29330969)

Whenever you login as an admin to post, or do something else, that is your default landing spot.

If you choose not to do anything, because some precious widget might break, or you have a hair appointment in 20 minutes, and continue doing so through numerous point releases, you get what you paid for eh?

Or as Duncan Chalk said:
          "Pain is instructive"

Re:maybe if they used their release notification l (0)

Anonymous Coward | more than 4 years ago | (#29331373)

If you choose not to do anything, because some precious widget might break, or you have a hair appointment in 20 minutes, and continue doing so through numerous point releases, you get what you paid for eh?

The OP wasn't talking about people who log into the admin panel and don't upgrade even though they're told they need to - he was talking about people who don't "regularly visit [their] admin panel" in the first place. At that point, punctuality isn't the problem - keeping informed is.

Re:maybe if they used their release notification l (1)

Zancarius (414244) | more than 4 years ago | (#29333253)

The OP wasn't talking about people who log into the admin panel and don't upgrade even though they're told they need to - he was talking about people who don't "regularly visit [their] admin panel" in the first place. At that point, punctuality isn't the problem - keeping informed is.

I understand that contributors/authors who haven't any access to the administrative features won't be able to see the version (but that also assumes they wouldn't be in a position to upgrade either). But really, what's the point of using WordPress if you're not going to use the admin panel? It shows a wonderful overview of comments, spam, drafts, and so forth. I would assume that the idea of never visiting the dashboard enough to notice new versions might be applicable to those use cases of individuals who make a post once every 2 months.

Re:maybe if they used their release notification l (1)

rfunches (800928) | more than 4 years ago | (#29334171)

You (and only you) access your Wordpress blog twice a month to make a semi-monthly post.
You see the admin panel when you log in.
The admin panel shows you when an update is available.
Therefore, you may be up to a half a month behind on update notifications delivered through the admin panel.

A half a month doesn't sound like a big deal but look at the most recent releases:

  • 2.8.1 - July 9, 2009
  • 2.8.2 - July 20, 2009
  • 2.8.3 - August 3, 2009
  • 2.8.4 - August 12, 2009

They really need an e-mail distribution list for those not already monitoring the development blog via RSS or security blogs, because 10 days is a reasonable amount of time for someone to not log into their blog. It has nothing to do with whether you use the admin panel or not, and everything to do with the critical "fix for a fix" that comes barely two weeks later.

Re:maybe if they used their release notification l (0)

Anonymous Coward | more than 4 years ago | (#29335683)

They really need an e-mail distribution list for those not already monitoring the development blog via RSS or security blogs, because 10 days is a reasonable amount of time for someone to not log into their blog.

If they're going to introduce a new vulnerability every ten days, what they need to do isn't to start using an e-mail distribution list - what they need to do is die.

Re:maybe if they used their release notification l (1)

EnglishTim (9662) | more than 4 years ago | (#29334211)

But really, what's the point of using WordPress if you're not going to use the admin panel? It shows a wonderful overview of comments, spam, drafts, and so forth. I would assume that the idea of never visiting the dashboard enough to notice new versions might be applicable to those use cases of individuals who make a post once every 2 months.

But to be honest I think that's a reasonable use case. It's the kind of use I make of Wordpress. I view my site as more of a homepage than a blog - I use Pages much more than Posts and make changes only rarely. As a result it'll often be several weeks between my visits to the admin page.

It's a shame; for people like me the notification mailing list would be perfect but for some reason the Wordpress folks don't make use of it. It's odd that they still encourage people to join it as it can give you a false sense of security.

aghhhh!!! (3, Funny)

stokessd (89903) | more than 4 years ago | (#29327433)

Now even my own blog says that I need to enlarge my Penis!

Re:aghhhh!!! (1, Funny)

Anonymous Coward | more than 4 years ago | (#29327763)

A clever worm, regardless the interpretation.

Re:aghhhh!!! (2, Informative)

reboot246 (623534) | more than 4 years ago | (#29327919)

And isn't it about time you took the hint? :)

Re:aghhhh!!! (0)

Anonymous Coward | more than 4 years ago | (#29329037)

Informative?! Isn't this just redundant?

CAPTCHA: vibrator

wtf

Re:aghhhh!!! (1)

reboot246 (623534) | more than 4 years ago | (#29330481)

Nah, it was never meant to be informative. How would I know his size?
It was meant to be humorous, but apparently not. :)

Re:aghhhh!!! (0)

Anonymous Coward | more than 4 years ago | (#29336953)

I think it was modded informative to be humorous, but apparently not. :)

Another famous victim (1)

Gonoff (88518) | more than 4 years ago | (#29327459)

Scobilizer has been tweeting about the same problem this afternoon.

Re:Another famous victim (0)

Anonymous Coward | more than 4 years ago | (#29328307)

So, he needs to enlarge his penis?

Re:Another famous victim (1)

maxume (22995) | more than 4 years ago | (#29328317)

Hey, he can't spend all day on the toilet.

Re:Another famous victim (0)

Anonymous Coward | more than 4 years ago | (#29328931)

Who the fuck is Scobilizer and why do you think he's famous?

Re:Another famous victim (1)

Swampash (1131503) | more than 4 years ago | (#29329141)

Scoble's blog was hosted by Wordpress.com for about four years. During that time he wasn't hacked once. When Scoble was hired to pimp Rackspace, his blog moved to a box at Rackspace, and evidently no-one at Rackspace keeps up with security patches. Not a good look for a hosting company.

Why people don't update (2, Insightful)

Anonymous Coward | more than 4 years ago | (#29327687)

The reason most site owners are slow to update, or never update, is because it's a huge pain in the butt.

This applies to almost all CMS's, forums, and similar software.

While a one-click solution sounds nice, the real problem is that almost any large board has a number of plug-ins and modifications to get it where it needs to be.

Once those mods/plugins are installed, the one-click updates no longer work.

SEO URL's?
Custom themes?
Anti-bot measures?

All of these things can completely render an "easy update" useless.

The people who write this software need to find a way to keep the core code separated from plugins for updates.

Re:Why people don't update (2, Interesting)

Anonymous Coward | more than 4 years ago | (#29327783)

The WordPress "one click update" is annoying, too. Instead of fetching the package it needs from a URL, unpacking it in a temporary directory, and copying the files it needs locally, it requires an FTP login and password.

Re:Why people don't update (1)

zonky (1153039) | more than 4 years ago | (#29334763)

No, that is a very good idea, because apache shouldn't have write permissions to your core wordpress files. Using a separate ftp account login means you're elevating to overwrite files; a good idea indeed.

Re:Why people don't update (1)

ukyoCE (106879) | more than 4 years ago | (#29344715)

Yep, this. I tried to do the upgrade and was a little surprised when it asked for FTP login information. I had never even tried the "automatic upgrade" because I knew making my entire wordpress install modifiable by apache was a blatantly bad idea.

The use of the FTP account to do it makes a good deal of sense, and is about the best they can do.

Honestly the manual upgrade is so easy as to be laughable anyway, but for the frequency of WP updates, anything that makes it easier is still a good thing.
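A check for the permission dispute above (whether Apache should be able to rewrite the core files), as an added example that is not from the thread or from WordPress: it lists what the web server account could modify under a document root and flags anything outside wp-content/uploads. The sample tree, the uid/gid used and the allowed-path list are constructed assumptions.

```python
"""Added example (not from the Slashdot thread): which files under a
WordPress document root could the web server account rewrite?

Writability is computed from ownership and classic mode bits only; ACLs and
the SELinux policy mentioned in the thread are outside this model. The sample
tree and the web-server uid/gid below are constructed for the demo.
"""
import os
import stat
import tempfile

# Paths that legitimately must be web-server-writable (media uploads).
ALLOWED_WRITABLE = ("wp-content/uploads",)


def writable_by(st, uid, gid):
    """True if an account with this uid/gid may write to the inode."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_docroot(root, web_uid, web_gid, allowed=ALLOWED_WRITABLE):
    """Return (writable, unexpected): relative paths the web server could
    modify, and the subset outside the allowed prefixes. Core files
    (wp-*.php, wp-includes, themes, plugins) appearing in 'unexpected' is
    the condition the thread warns about."""
    writable, unexpected = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link's target is judged when it is walked itself
            if writable_by(st, web_uid, web_gid):
                rel = os.path.relpath(full, root)
                writable.append(rel)
                if not any(rel == a or rel.startswith(a + "/") for a in allowed):
                    unexpected.append(rel)
    return sorted(writable), sorted(unexpected)


def make_sample_tree():
    """Constructed miniature install: one world-writable core file, a
    correctly locked-down config, and a writable uploads directory."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-config.php": 0o640,
        "wp-login.php": 0o644,
        "wp-includes/functions.php": 0o666,  # the misconfiguration
        "wp-content/uploads/2009/09/img.jpg": 0o666,
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("<?php // constructed placeholder\n")
        os.chmod(full, mode)
    # Set directory modes explicitly so the result does not depend on umask.
    for rel in ("wp-includes", "wp-content"):
        os.chmod(os.path.join(root, rel), 0o755)
    for rel in ("wp-content/uploads", "wp-content/uploads/2009",
                "wp-content/uploads/2009/09"):
        os.chmod(os.path.join(root, rel), 0o777)
    return root


def demo():
    """Audit the sample tree as an account that owns none of it (the
    current uid/gid + 1, a constructed stand-in for www-data)."""
    root = make_sample_tree()
    return audit_docroot(root, os.getuid() + 1, os.getgid() + 1)
```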

Re:Why people don't update (4, Informative)

phoebe (196531) | more than 4 years ago | (#29328391)

There is also an interesting point regarding software repository support. I have a server running Ubuntu 8.04 LTS Server which is supposed to be supported till April 2011, however Wordpress is in the Universe repository and not updated since November 2008 and is vulnerable to a few attacks that delete content.

If these packages are not going to be updated should there not be at least a warning, or method to bar such packages from being installed after security issues have been raised?

Wordpress 2.3.3 [ubuntu.com] in 8.04 LTS Universe repository.

Re:Why people don't update (1)

palegray.net (1195047) | more than 4 years ago | (#29328605)

Packages that aren't actively maintained for security fixes should be removed from the repositories.

Re:Why people don't update (4, Informative)

choongiri (840652) | more than 4 years ago | (#29328685)

*sigh* I don't think you understand how package management and security fixes in debian / ubuntu work. New releases of software almost invariably introduce new features, as well as bug fixes. For that reason, important fixes for security issues are backported, and the version number stays the same. (Introducing new features to a LTS / stable release wouldn't be acceptable.)

Now, what you said is technically true - if it's not being actively maintained for security fixes it *should* be removed - but the fact that Ubuntu's universe package of wordpress is still at 2.3.3 doesn't in and of itself mean that it hasn't been patched with the latest security fixes.

Re:Why people don't update (4, Informative)

palegray.net (1195047) | more than 4 years ago | (#29328973)

I've verified that the OP's assessment of the situation is valid with respect to WordPress (a fresh install from the repos exposes unpatched vulnerabilities long after patches are released to correct the situation).

I understand the Debian/Ubuntu package management and security release system quite well; I happen to work for a certain "Large Virtual Server Company" and I've been using Debian almost exclusively on my systems for almost ten years.

Re:Why people don't update (0)

Anonymous Coward | more than 4 years ago | (#29330655)

You work for a "large vps company", but yet you have a link to Linode on your signature. Coincidence? I think not!

I, for once, won't make the mistake of telling people that I happen to work for a large datacenter which is called SoftL.... ah crap, I'm not good at this either.

Re:Why people don't update (1)

palegray.net (1195047) | more than 4 years ago | (#29333143)

Yeah, I thought about that right after I whacked "submit" :). I do try to abstain from bringing the company into general discussions like this, but in this case I think the reference was merited.

Re:Why people don't update (0)

Anonymous Coward | more than 4 years ago | (#29329347)

consider the "Universe" tag as a warning.

Re:Why people don't update (0)

Anonymous Coward | more than 4 years ago | (#29329459)

Yes, Canonical does support 8.04 for a while. However, they don't support all of the software in the repos, and I'm fairly sure that they support nothing in the universe repo. If you use the default graphical tool, there is a warning, of sorts. It states that the package is not supported by Canonical, but that updates may be provided by the community. If you're not using the GUIs to install, then I don't know if there is a warning or not.

Re:Why people don't update (1)

sciencewhiz (448595) | more than 4 years ago | (#29340367)

From Ubuntu's website [ubuntu.com]. This was the first result from googling for ubuntu universe.

Canonical does not provide a guarantee of regular security updates for software found in universe but will provide these where they are made available by the community. Users should understand the risk inherent in using packages from the universe component.

Unlike Ubuntu, Debian does support everything in its repository. There was a security update for wordpress last month. They also remove packages for which security support is impossible. It sounds like Debian might be a better choice for you.

Re:Why people don't update (0)

Anonymous Coward | more than 4 years ago | (#29343599)

a) You're right, this should be updated.
BUT:
b) "If these packages are not going to be updated should there not be at least a warning" There ***IS*** a warning! For anything in Universe, the package manager has a warning. For wordpress for instance, it says "Canonical does not provide updates for wordpress. Some updates may be provided by the Ubuntu community."

Re:Why people don't update (1)

xdroop (4039) | more than 4 years ago | (#29345977)

Why don't people upgrade? Well in my case, I didn't upgrade because I knew that upgrading would immediately kill both the aftermarket theme and several of the aftermarket plugins that I was using, some of which had a huge amount of non-trivial data stored in them. All the plug-ins and theme bits came from WordPress-blessed sites, which made the time-bomb nature of their unsupportedness even more frustrating. After fighting through several minor updates and then looking at a major one, I just gave up, exported the content to my local hard drive, and abandoned the blog (since hacked, deleted, and hosting account closed). It seems like the only sure-fire way for things to work is to avoid non-core plugins and themes. And honestly, being hosted off of Blogger is much less work, and only slightly less customizable if you limit yourself to the core themes.

mod 0p (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#29327989)

Maggot, vomit, shit stupid. To the the rain..we can be paper towels resound as fitting dying. AllO major create, manufacture DEVELOPERS. THE log on Then the exemplified by

Thats why I use www.SimpleScripts.com (2, Informative)

Patheos (865163) | more than 4 years ago | (#29328821)

I personally use www.SimpleScripts.com for this exact reason. I use a ton of open source software for my websites and it is hard to keep track of all the updates made to them. SimpleScripts emails me every time an update comes out and it provides me a one click upgrade to the latest version for Wordpress, phpBB and Drupal which are the 3 systems I use the most.

Re:Thats why I use www.SimpleScripts.com (1)

Swampash (1131503) | more than 4 years ago | (#29329099)

Yeah, but you actually CARE. Anyone who runs a Wordpress blog is greeted, in mile-high-flaming letters, with "YOUR WORDPRESS VERSION IS OUT OF DATE, CLICK HERE TO UPDATE" whenever he logs in to the CMS when it's running a version other than current. The hole being exploited by this worm was fixed about six months ago.

In other words, the people who are getting hit by this worm have been ignoring the reminders to upgrade for at least half a year.
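The comment above assumes the owner logs in and sees the out-of-date banner; on a shared host or a box with several forgotten blogs nobody does. The script below is an added example for this page, not code from the thread or from the WordPress project. It assumes POSIX sh, find(1) and awk(1), and relies on WordPress recording its version in wp-includes/version.php as `$wp_version = '2.8.4';`. The minimum version is a parameter (2.8.4 in the usage line, since the thread reports 2.8.3 and 2.8.4 as not affected). The version string is self-reported, so an already compromised install can lie; this finds installs you forgot about and ranks them, it does not prove any of them is clean.

```shell
#!/bin/sh
# Added example, not from the thread or the WordPress project.
# Inventory every WordPress install under a directory and flag those older
# than a minimum version. WordPress records its version in
# wp-includes/version.php as:   $wp_version = '2.8.4';
# Assumed: POSIX sh, find(1), awk(1).

# Print the version string of the WordPress install rooted at $1
# (empty if the file is missing or carries no $wp_version line).
wp_version_of() {
    awk -F"'" '/^[$]wp_version[[:space:]]*=/ { print $2; exit }' \
        "$1/wp-includes/version.php" 2>/dev/null
}

# Exit 0 if dotted version $1 is older than $2. Components are compared
# numerically, so 2.10 > 2.9, and a missing component counts as 0,
# so 2.8 < 2.8.4.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# For every install under $1 print "<docroot> <version> OK|OUTDATED|UNKNOWN"
# relative to minimum version $2, sorted by path.
wp_audit() {
    find "$1" -type f -path '*/wp-includes/version.php' | while read -r f; do
        d=${f%/wp-includes/version.php}
        v=$(wp_version_of "$d")
        if [ -z "$v" ]; then
            s=UNKNOWN            # file present but unparsable: look at it by hand
        elif version_lt "$v" "$2"; then
            s=OUTDATED
        else
            s=OK
        fi
        printf '%s %s %s\n' "$d" "${v:-?}" "$s"
    done | sort
}

# Usage: sh wp-audit.sh /var/www 2.8.4
if [ "$#" -eq 2 ]; then
    wp_audit "$1" "$2"
fi
```

Run it from cron against the hosting root and mail the OUTDATED and UNKNOWN lines; UNKNOWN deserves a look because a version.php that no longer parses is either a mangled install or one someone has edited.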

Re:Thats why I use www.SimpleScripts.com (1)

teraph (147902) | more than 4 years ago | (#29329161)

And if you're really lazy, or don't regularly update your blog, you can even enter your email on the Downloads page of Wordpress.org and they will email you whenever a stable version comes out.

Re:Thats why I use www.SimpleScripts.com (1)

EnglishTim (9662) | more than 4 years ago | (#29330065)

Or rather, they won't. [wordpress.org]

Re:Thats why I use www.SimpleScripts.com (0)

Anonymous Coward | more than 4 years ago | (#29336987)

...Unless you get your wordpress from your ISP, in which case you get whatever they provide for you. In my case, it was an old, vulnerable version and I got hacked.

But it's ok. I'm no longer a WordPress user. I hand-code all my stuff now. The only thing I'm missing is comments, and when most of my comments were penis-related, you know, I can't really say I'm MISSING them, amirite?

Thanks (1)

spgass (1217724) | more than 4 years ago | (#29328953)

Thanks for posting. I finally upgraded from version 2.3 to 2.8.4 for my [lowtechtimes.com] blogs [olddominionwildlife.com].

Re:Thanks (1)

nidarus (240160) | more than 4 years ago | (#29332603)

That was subtle.

bi7ch (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#29329177)

minutes. If that. fucking surprise, OF AMERICA) today, expulsion of IPF available to distributions

Nice information (1)

Dropship (1632065) | more than 4 years ago | (#29329351)

That's good information. Most serious bloggers keep their wordpress versions updated. Users also have the option to update their blog with just one click. If you have not done so, please do it right now.

Useless post, useless article (0)

Anonymous Coward | more than 4 years ago | (#29331313)

This post, and the linked article, are useless. They don't say anything:
- if and which one of the previous non 2.8.x series is vulnerable
- how to detect the attack.

It's just whining "upgrade upgrade". Boys, thank you for your kickass blog engine. I've been using it since you were nobody, but damn, you produce vulnerabilities over vulnerabilities and you hope that we have the time to follow and upgrade constantly because you screw up? Give us a stable release, and don't ask my 2.7.1 blog to be upgraded to 2.8. I won't do it. Period. It's too much trouble, too much risk, and too much wasted time to merge personalized changes or if plugins are not compatible. Maintain and backport the fixes to previous branches.

Yes, I donated, so I have bragging rights.

Instead of a passionate plea to the users... (0, Flamebait)

lennier (44736) | more than 4 years ago | (#29334807)

... how about he makes a passionate plea to the PROGRAMMERS to say 'Guys, let's STOP PUTTING SECURITY HOLES IN OUR SOFTWARE?'

Just a thought.

It shouldn't be any user's problem to need to 'upgrade or get hacked'. If you're writing web software that's hackable, you're the one doing it wrong, not your users.

Technical details ? (1)

ladadadada (454328) | more than 4 years ago | (#29339969)

Does anybody have any technical details about this worm ?

Some people can't upgrade immediately and it would be nice to be able to block the request strings (or user-agent, IP address, whatever) that the worm uses.

I have looked around the various blogs reporting this and on full-disclosure lists but I can't find any better advice than "Upgrade. Now."
