back to article MUM's WordPress recipe blog USED AS ZOMBIE in DDoS attacks

Tens of thousands of vulnerable WordPress sites have been co-opted into a server-based botnet being used to run DDoS attacks. More than 160,000 legitimate WordPress sites were abused to run a large HTTP-based (layer 7) distributed flood attack against a target, which called in cloud security firm Sucuri for help. Security …


This topic is closed for new posts.
  1. Stumpy Pepys

    My sites all update themselves these days. Or does this depend on your version and your host?

    1. msknight

      I believe that the ability to auto update only came in with an update that was released relatively recently. I was updating manually and then I suddenly noticed that it was updating itself.

      However, I don't think that the plugins auto-update.

      I'm actually changing out from WordPress after one of my self-hosted WordPress blogs decided to destroy all the posts, and the WordPress support forum was like, "Meh!" and searches seem to hold many accouns of WordPress blogs just suddenly dropping all their posts. So ... I'm looking around for an alternative now.

      1. msknight

        Just for reference, here was my post on their forum. I gave up watching it for updates -

        1. Anonymous Coward
          Anonymous Coward

          Update is broken on GoDaddy; but works on every other host I've encountered. The update was introduced in either 3.7 or 3.8; can't remember which for sure. Recent anyway, so older sites that haven't been updated won't have it.

    2. Ian 55

      Only recently and only for minor updates

      Yes, it was added in 3.7, I think, but it only works for say 3.8 to 3.8.1 and when 3.9 or 4.0 are released, you will have to do it manually.

      You also need to keep on top of plugin updates yourself.

  2. Colin Millar

    Responsible - moi!!

    This is what happens when no-one is held responsible for creating bits of crap that they push out as fast as they can with no QC.

    I hope the affected party sues the arse off Wordpress.

    1. Anonymous Coward
      Anonymous Coward

      Re: Responsible - moi!!

      Reread. It was fixed a year ago.

  3. Stevie


    ""This is a prime example of how users aren't regularly performing updates to their websites, because if they were, we wouldn't still be seeing DDoS attacks being carried out by websites taking advantage of this old flaw,” Power added"

    Well, perhaps these users have real lives and cannot be webmasters 8 hours a day. Perhaps they expect updates to be pushed like they are with windows.

    Stupid expectation? Of course. But does it say anywhere on the wordpress box that a substantial effort must be made to read the alerts and keep the software current or your neat recipe blog will become like unto an neste of vypers? Or is that bad news buried in EULA land in annoying kilobolx of wordage?

    Because, you know, ordinary people expect stuff to just work and work properly. It never does, but that's the human condition.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bah!

      Just logging in once every 3 months and pressing the 'Update' button will don't have to devote your life or gird your loins or anything.

      Plus if you use Softalicious, you get an email notification when WP updates. I always use Softalicious for one of my personal sites for this reason.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bah!

        My gripe is logging in and pressing "Update" does diddly squat for me as it then asks for a FTP/FTPS host.

        I don't run FTP or FTPS on my host: I have SSH/SFTP/SCP for that. I have a heap of shell scripts that download, backup and unpack updates for each bit, but it's extra effort still, and so it doesn't get patched nearly as often as it should because of the above limitation.

        This plugin, should be standard issue:

        1. This post has been deleted by its author

        2. Anonymous Coward
          Anonymous Coward

          Re: Bah!

          Nice try, but Wordpress doesn't ask you to run an FTP host, or ask you to point it to one. It does, however, like to use PHP's built-in FTP *CLIENT* to download files. I'm sorry that you don't want to be able to FTP *from* your servers to pull down files, but for most of us it isn't a problem.

      2. Stevie

        Re: Bah!

        "Just logging in once every 3 months and pressing the 'Update' button will do"

        And here is the disconnect between computer knowledgeable people and the rest of the world made manifest.

        In every single other aspect of life, the golden rule is "If it ain't broke, don't fix it". Since the breakage in question here is an abstruse thing not visible or even understandable to great swaths of the population, what on earth makes anyone think someone will press an "update" button?. Especially in these days of "never click on a link" anti hijack advice.

        Seriously, do people really believe others don't update their windows home machines because they obstinately refuse to get with it? Does no-one 'get' the contradictory nature of the "lightweight" security advice being handed down from the mount?

        The problem lies in broken software in every case. Failures of imagination in designers, failure of diligence in the programmers. Blaming the users is easy. Fixing the problem is too close to home. Hence the mess.

  4. Zmodem

    if wordpress had a brain, they would`nt need to ping a site just because a post has a link in it, if a ajax popup times out just had a failed to get info message

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022