back to article P0wned plug-in puts a million WordPress sites at risk of attack

Up to a million WordPress websites could be open to full compromise through a vulnerability in the WP-Slimstat plug-in, security bod Marc-Alexandre Montpas says. The weak key flaw can expose admin credentials; bad news for the folks who've downloaded the plug-in 1.3 million times. A patched version of the plug-in has been …

  1. Pen-y-gors Silver badge

    Fundamental problems

    Basic Wordpress is quite neat, but seriously dangerous in the hands of amateurs (i.e. 99% of Wordpress users). It's the insecure plugins that are the problem, as the article notes.

    I had a couple of clients who were very keen to get their own Wordpress site up and running, and wanted hosting. My solution was to buy a separate reseller hosting package from 1&1 and ONLY use it for Wordpress. If any of the sites get hammered then hopefully they can't damage anything else. (and if they can get outside the boundaries of the reseller account that's 1&1's problem) Obviously I also warned the customers about unnecessary plug-ins!

    1. Tom 38 Silver badge

      Re: Fundamental problems

      Similar issues here - we won't let Marketing maintain and run their own Wordpress server, and they refuse to allow us to maintain and run it, as they then can't just whack any plugin they fancy on it.

      The impasse was solved by them buying (at outrageous prices) hosted wordpress that we have nothing to do with. It's going to blow up at some point, guaranteed, but it won't be on our servers, in our network and with our data.

    2. Compression Artifact

      Re: Fundamental problems

      "Basic Wordpress is quite neat, but seriously dangerous in the hands of amateurs (i.e. 99% of Wordpress users)."

      Something I'm seeing more and more of is friends who have no concept of email security (and have a track record of falling for social engineering attacks) going on to new adventures like making amateur websites using free website builders. I always approach these with "shields up." When I go to these sites and NoScript blocks everything, I then have to explain to them what "whitelisting" means and why I'm not going to do it.

      In two cases, their websites were being flagged by Google as "possibly compromised" and they couldn't figure out why. When I checked them out (again, with "shields up"), I saw that they had been hit with the "WordPress Pharma Hack"--not to mention one site having a virus in some of the crap that NoScript was blocking. One site was later rebuilt from scratch using a different builder; the other was taken down and never replaced.

  2. Anonymous Coward
    FAIL

    Asking the big questions.....

    Is WordPress the New Microsoft??

    1. Matt Bryant Silver badge
      Facepalm

      Re: Ian Emery Re: Asking the big questions.....

      "Is WordPress the New Microsoft??" Don't be silly, they're just the new Adobe.

    2. Harry Wood

      Re: Asking the big questions.....

      It's similar to microsoft windows if that's what you mean. Hackers write malware for windows because most people run it (plus it tends to be more vulnerable than OSs with stricter permissions models) Hackers attack wordpress because lots of people install it on their website (plus it tends to be more vulnerable having a php enabled webserver and the ability to write to the filesystem for plugins and themes)

  3. VinceH
    Coat

    "bad news for the folks who've downloaded the plug-in 1.3 million times."

    Why would they do that? Is once not enough?

  4. Crazy Operations Guy
    Holmes

    "if your website uses a vulnerable version of the plug-in, you’re at risk"

    And the award for most obvious statement goes to....

  5. Crazy Operations Guy

    Screw WordPress

    I'm moving my blog back to static HTML and text files... Updating pages by hand has become more attractive to me than constantly updating WordPress and its database.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021