Wordpress Security Oopsie
raindog308
Administrator, Veteran
in General
Vulnerability in WordPress Core: Bypass any password protected post. CVSS Score: 7.5 (High)
Whether it's a big deal depends on your site...rather disappointing that it took the WP team from May 6 to June 21 to plug this though.
Comments
Didn't even know it could do that. I always just hide private content behind htpasswd.
I have like 100+ new emails sent from every updated Wordpress site.
Wordpress and security have no place in the same sentence. Once you install any custom theme or plugin your install is pretty much compromised. We've disabled the PHP mail() function on our cPanel server specifically because of Wordpress installs and the frequency they are hacked and used to send spam. The day I wake up to find not a single Wordpress instance hacked on our server will be a glorious day.
The timeline is indeed unreasonable for this kind of issue; I can't understand why it took them so long.
Mmmmm, if it's patched, it's fine imo. I have a cron running every 10 minutes (or an hour) to update WordPress Core and the plugins of all the WP installations on my server.
no
If all your plugins are well maintained, that's great, but I'd advise against someone who doesn't know what they're doing, with dozens of plugins across dozens of sites, doing this. A lot of WordPress.org plugins can be pretty careless with updates they roll out and auto-updating can break stuff while you're asleep pretty quick.
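The two posts above describe a cron-driven update pass and the reason to be careful with it. Below is an added example of such a pass, written for this thread rather than taken from any poster or from WordPress itself. It assumes WP-CLI is installed as `wp`, that installs live under a hypothetical `/var/www/<site>` layout, and that a hold file (hypothetical `/etc/wp-update-hold`, one plugin slug per line) lists plugins that should never be auto-updated; it also verifies core checksums before touching anything, so an already-modified install is reported instead of being papered over.

```shell
#!/bin/sh
# Added example (not from the thread): unattended WordPress update pass over
# several installs using WP-CLI, with a hold list so fragile plugins are skipped.
# Assumptions: WP-CLI is installed as `wp`, each site lives under /var/www/<site>,
# and the cron job runs as the site owner rather than root.

WP_ROOTS="${WP_ROOTS:-/var/www/*}"            # hypothetical install layout
HOLD_FILE="${HOLD_FILE:-/etc/wp-update-hold}" # hypothetical: one plugin slug per line

# select_updates: read `wp plugin list --update=available --fields=name --format=csv`
# style output on stdin (a "name" header line, then one slug per line), drop every
# slug listed in the hold file given as $1, and print the remaining slugs.
select_updates() {
    hold="$1"
    tail -n +2 | while IFS= read -r slug; do
        [ -z "$slug" ] && continue
        if [ -f "$hold" ] && grep -qxF "$slug" "$hold"; then
            continue
        fi
        printf '%s\n' "$slug"
    done
}

# update_site: run the update pass for one WordPress root. Returns non-zero if
# core checksum verification fails, so the cron mail shows tampered installs.
update_site() {
    root="$1"
    # Core checksums first: a mismatch means modified core files, which an
    # update would hide rather than explain.
    wp core verify-checksums --path="$root" || return 1
    wp core update --path="$root" --minor
    wp plugin list --update=available --fields=name --format=csv --path="$root" \
        | select_updates "$HOLD_FILE" \
        | while IFS= read -r slug; do
            wp plugin update "$slug" --path="$root"
          done
}

main() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; exit 1; }
    for root in $WP_ROOTS; do
        [ -f "$root/wp-config.php" ] || continue
        update_site "$root" || echo "checksum failure in $root" >&2
    done
}

# Run the pass only when invoked with --run (e.g. from cron), so the file can be
# sourced for testing without touching any site.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it from cron as `sh wp-update.sh --run`; the stderr lines are what land in the cron mail, which is where a failed checksum (a changed core file) becomes visible. Only minor core releases are applied automatically; major releases and anything on the hold list are left for a human.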
yes
Joe, you do a great job! Keep it up.
I wish I was exaggerating but the quality of Wordpress themes/plugins is HORRIBLE. I've gotten to the point where I don't even report exploits to developers because they honestly don't care since my bug reports don't include $$$.
When the most common exploits for software are in THEMES, you know there's a problem. Why should themes have the ability to modify code in your web directories?
Exactly. There's no reason for that at all.
And not all themes are just themes anymore either. They include a control panel, "premium" options, and all kinds of other crap that makes it so much more than it should be: a layout for a website.
While I understand the idea behind this flexibility and don't think the principle of flexibility is a bad thing, the way it's been worked out has resulted in a seven-headed monster that is unfortunately the cause of a lot of damage.
If you crawl a bit, you'll see pretty much every theme that you can find is either vulnerable, or someone has intentionally backdoored and reuploaded it.
Didn't they (try to) change that a while back, by forcing functionality into plugins and disallowing it within themes themselves?
There are giant themes (genesis, epanel, etc.) which are barely wordpress any more...you're working in that theme's shortcodes, etc.
I'm actually curious: is there a recommended alternative to Wordpress that is on the same level of features?
Yes, I know there are many CMS and blogging platforms but not a ton that are on the same level as Wordpress.
As a theme and plugin dev, yeaaaaaaaaaa. WP is less security focused nowadays. It will come back as some mega exploit one day and then everyone will take it serious, for a week.
Seems like they rolled up a lot of security updates into one patch.
https://wordpress.org/news/2016/06/wordpress-4-5-3/
Wattt, .... grow up, man
I asked a simple question - no need to be an asshole.
Ignore @pedagang, I don't think he's made a useful post in all 63 of his.
How to unhack any server that runs multiple WP websites: