back to article 50,000 sites backdoored through shoddy WordPress plugin

Some 50,000 sites have been sprayed with backdoors from shonky malware targeting a popular and vulnerable WordPress plugin, according to researcher Daniel Cid. Sucuri founder Cid says the bodged malware can infect any site that resides on the server of a hacked WordPress website. The flawed plugin allowed attackers to "inject …

  1. ascasc

    Old news - WordPress plugins are a disaster

    WordPress plugins are a huge pile of fail/mess.

    http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress+plugin

    423 results.

    1. Anonymous Coward
      Anonymous Coward

      Re: Old news - WordPress is a disaster

      WordPress is a huge pile of fail/mess.

      There, fixed that for you.

      1. wolfetone Silver badge

        Re: Old news - WordPress is a disaster

        I don't know why you decided to be Anonymous, all you did was tell the truth.

        WordPress is a horrid, bloated mess of a system. It's slow, and for it to do ANYTHING worthwhile you need to use about 10 plugins. It's the darling of Web Agencies across the world more for the fact you can get it out the door quickly rather than have a system that's built to spec for the client, that's secure and efficient.

        The one to watch is October CMS, for me this is the WordPress killer I've been dreaming about. It's quick and secure, as it's built on the Laravel framework which in turn uses several Symfony components.

        I look forward to WordPress' overdue demise.

        1. Anonymous Coward
          Anonymous Coward

          Re: Old news - WordPress is a disaster

          The one to watch is October CMS

          Or TextPattern. It stagnated for a long while, but has been going through a comprehensive overhaul for several years now.

      2. Anonymous Coward
        Anonymous Coward

        Re: Old news - WordPress is a disaster

        WWW is a huge pile of fail. FTFY.

        And we keep coming back for more....

  2. Ole Juul

    Where is line 91?

    The wp-config.php file typically has less than 30 lines, so something is not clear. Perhaps a hacked site has the extra lines.

    1. richardcox13

      Re: Where is line 91?

      I would assume the malware (incorrectly) injects quite a few lines of its own code knowing it is a file that is executed for each request.

      1. Mark Allen

        Re: Where is line 91?

        A compromise I saw hit some of my client's Wordpress sites last year involved a single line of code added to the PHP files for each page, which then launched more code from a single page of script. In our case it was quickest to just restore from backups as too many little changes were all over the place.

  3. Jim 59

    I run Wordpress because it seems one of the best available. But I agree is it hugely bloated and slow. I particularly like the Wordpress approach to error handling. There isn't any. And they have solved the error message problem by just ignoring it.

    1. rvt

      "I run Wordpress because it seems one of the best available."

      May be at the time it was easy for you to understand. However in reality, Wordpress is great for blogging, but that's all what Wordpress does well. I know it has CMS features with plugins but it's a laugh compared to wCMS systems that where from the ground up designed to be a (w)CMS.

      May be it's time for you tome move on?

  4. This post has been deleted by its author

  5. Jim 59

    Unrelated, but there seems to be a widespread botnet attack on Wordpress blogs' "xmlrpc" feature in the last few days. People are reporting bots with up to 30,000 members trying to guess usernames and passwords. In the last 4 days my own low traffic blog has received 24,000 attempts from over 8000 bit IPs.

  6. LeeH

    WordPress or a Purpose Built CMS... Let Me Think About That....

    WordPress: in constant development, regular updates, open source, many core developers, multiple development teams, easy to extend, thousands of plugin and theme developers, well commented core code, hooks to latch code into, automatic updates (since 3.9, a pro and con, I know)...

    Purpose Built CMS: small development team unless you have lots and lots of money to throw at the project, code comments dependent on coder's mood, costly to extend, expensive to replace or modify if the development team vanishes, smaller group of people checking for vulnerabilities, often closed source code, restrictions on usage (depending on contract), limited support channels...

    423 out of over 100,000 WP plugins might contain vulnerabilities (those figures are not fact-checked and are very likely underestimates) so that means 99,577 plugins do not contain vulnerabilities (or vulns. have yet to be found in some of them).

    WordPress might not be ideal for every use case but it is suited to the needs of most people and is within the price range of most people.

    As someone who can develop a CMS (and has developed several) from the ground up, I say that WordPress, despite some shortcomings, is a good start point to work with.

    If you dislike a WP plugin, change it. If a plugin is vulnerable, solve the vulnerability. Want to use a new plugin but unsure whether it is vulnerable to attack, check the code and tell the developer about the flaw. Stop faulting WordPress and WP developers and help the project by providing workable solutions.

    How many of you complainers have been in business for as long WordPress has been in existence? Do you expect to be around for as long as WordPress will be here?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022