back to article Worm wiggles through weary WordPress

Hackers are exploiting older installations of WordPress to distribute blog comment spam and disguise links to malware-contaminated sites. The worm-based attack targets an older version of the popular blog publishing software. Although the worm attempts to hide its tracks, coding errors mean that links on a blog wind up getting …

COMMENTS

This topic is closed for new posts.
  1. Connor
    WTF?

    Pointless

    "if security concerns might one day prompt users to move away from the open source PHP application, whose widespread use makes it a tempting target for hacking attacks."

    What a pointless comment, the same could be said about anything:

    "if security concerns might one day prompt users to move away from Internet Explorer, whose widespread use makes it a tempting target for hacking attacks."

    "if security concerns might one day prompt users to move away from the Microsoft Operating System, whose widespread use makes it a tempting target for hacking attacks."

    "If security concerns might one day prompt users to move away from the internet, whose widespread use makes it a tempting target for hacking attacks."

    But as yet, few users have been prompted to move to the safer CB radio sets for social networking and communication.

  2. Hieronymus P. Organthruster
    Go

    Go wormy

    Probably the most exciting thing ever to happen to 99.999999999993% of all blogs

  3. Steve Evans

    "Applying an update might be a chore"...

    Not if you've set up wordpress properly it isn't.

    You click the "update" link, and it does it all for you in a few minutes.

    (You do take a backup before of course)

  4. Dayjo
    Welcome

    Registering Users

    I got all excited when people registered on my blog. Thought it was strange that no where do I link to a register page.

  5. Anonymous Coward
    Stop

    Upgrading is NOT a real pain

    Later versions of WP and WPMU automatically detect there is a new version available and will prompt you to download it, and if you want will then patch your installation for you. This only affects the standalone downloadable version of WP, it does not affect the main WP hosted blogs.

    This bug doesn't affect the current version of WP OR the previous, so you've got to be two releases down to get hit by this security hole.

    All software has bugs in it, and if you choose not to upgrade when the developers have TOLD you to upgrade then its not really their fault and pointing fingers at the developers who have fixed the problem before it became a real issue and crying really doesn't help.

    Dont forget that WP is FREE - it costs not a single penny, so that makes the whining even worse.

    Dare I say it but Scoble admits he's not a sys admin type - so why the hell is he running his own copy of WordPress? Think I'll go to Wickes and buy everything to build a conservatory, and when it falls down because I'm not a builder I'll start moaning about the quality of the product Wickes sold me.

  6. amanfromMars 1 Silver badge

    The Devil Rushes in ......

    "The Guardian notes that attacks against WordPress are getting more frequent, wondering aloud if security concerns might one day prompt users to move away from the open source PHP application, whose widespread use makes it a tempting target for hacking attacks." ..... Just as long as the Status Quo and Establishment Forces don't think it Hosts Easy Targets for Attack and DDOS, for Some Remotely Hosted are Unarmed and Ruthlessly Efficient in Attacking Defence..... with Sublime Wares and Intangible Tools.

  7. Anonymous Coward
    FAIL

    tech blogger Robert Scoble gets hit...

    ..but not technical enough to keep his software updated....

  8. jdh28
    FAIL

    Re: WordPress self update

    The self update feature of WordPress requires that the whole installation be writeable by the account the web server is running under. How is that a good idea?!

  9. Anonymous Coward
    Paris Hilton

    One-click pony ...

    "Scoble was hit by a similar attack a couple of months ago, and is now considering a switch to different blogging software."

    Perhaps Scoble should consider getting a clue. Different blogging software will not help him if he can't even be arsed to keep it up to date. It's not like it's even difficult with Wordpress - it's a one-click exercise that even Paris could manage ...

    As for his lack of backups, well - this justifies my determined efforts to ignore Scoble ...

  10. Anonymous Coward
    FAIL

    Backups

    "Among those hit by the latest attack was tech blogger Robert Scoble, who lost two months of blog entries as a result."

    Has Robert Scoble not heard of backups?

  11. Jeremy 2

    In defence of PHP

    A lot of really crap and insecure code is written in PHP but that's only because so many people read "PHP5 for Idiots in 24 Ickle Baby Steps" and then think that because they understand the syntax, that's all they need to know. It's hardly the language's fault if these books contain multiple chapters on using MySQL and only a passing paragraph or two about SQL injection, for example.

  12. Anonymous Coward
    WTF?

    Scoble

    So he didn't upgrade, got hacked. Which part of this is hard to follow?

    Didn't backup, lost his work. Which part of this is hard to follow?

    The most common reason people say they don't upgrade is that it breaks plugins.

    There is a choice, Broken plugin or completely broken site, take your pick.

    Security must come before features.

  13. Anonymous Coward
    Unhappy

    @ Steve Evans

    "You click the "update" link, and it does it all for you in a few minutes.

    (You do take a backup before of course)"

    Well, I clicked UPDATE just like Steve said.

    Then I read his instruction to take a backup before but oh noooo too late.......

    Now my blog has disappeared and been replaced by an image of Fred Talbot with a Santa Claus beard and a machine gun, holding a placard that says, "Christmas has come early mother f*cker".

  14. Ole Juul

    Deceptive news

    This news is all over the place and I can't help but notice that the most significant part of the story is missing. Few blog admins use user registration on comments and you have to deliberately turn that on in order to be eligible for this vulnerability. In other words, most aren't affected, and immunity is only a click away.

  15. Unlimited

    original article flawed

    The guardian article author is not only technically illiterate, but also seems unable to grasp basic logic.

    1) He compares wordpress to windows. ( technical failure )

    2) He posits that the frequency of attacks may cause people to say "hey, remember when everyone used Wordpress?". ( logical failure, how many people say "hey, remember when everyone used Windows?)

    I'm unsuprised that comments are not enabled on the guardian article, either he got slammed or could see the flames coming.

    I am surprised that el reg thought the guardian article was good enough to link to.

  16. This post has been deleted by its author

This topic is closed for new posts.