back to article WordPress blogger patch foot-drag nag: You're tempting hackers

Misconfigured and unpatched WordPress sites are causing a rash of problems both to themselves and the wider internet. In fact, this ever-present internet security threat has flared up again over the last week because of several new issues. The most pressing problem involves a recent brute force amplification attack on …

  1. This post has been deleted by its author

  2. Kraggy

    As I've commented before about this train-wreck called Wordpress, when are Mozilla and co. going to issue a death-penalty on it like they've done for Flash?

  3. wolfetone Silver badge

    WordPress is to the internet what Asbestos is to the General Public. A wonderful thing to begin with, then just turns out to be horrific and shouldn't even be touched by people with death wishes.*

    *speaking as a developer of 10 years

  4. Donkey Molestor X

    Meth^H^H^H^HPHP: not even once.

    "But Facebook uses PHP!"

    I rest my case.

  5. Anonymous Coward
    Anonymous Coward

    I see the wORDpRESS PR posse is out in full force with 5 downvotes and counting. Nice try. Too bad El Reg isn't Facebook nor a WP site integrated into the worldwide blogcommentardspace, so the vast majority of your fellow slacktivists seem to be absent. Not that it matters. Downvotes are a badge of honor.

    Anyway, if you must run WP, this vuln is yet another reason to block /xml-rpc.php.

  6. Anonymous Coward
    Anonymous Coward

    I quite like wordpress. Provided you don't use any of the defaults and keep your plugins to a minimum it's pretty good. Unlike most other CMS systems, you don't have to take it to bits to update it.

  7. Anonymous Coward
    Anonymous Coward

    I'm not sure how they're spreading it, but we're already seeing incoming to our IIS systems from UK IP addresses which appear to be this. There's a lot of it out there.

  8. Anonymous Coward
    Anonymous Coward

    There's a reason my apache config will return 401 for any requests to xmlrpc.php - whether that file exists or not.

  9. monty75

    Wordfence is your friend. It should be installed by default on Wordpress sites.

    1. Anonymous Coward
      Anonymous Coward

      Agreed. Also plays nicely with All In One WP Security and I recommend using both.

      And if anyone's short of ideas for places to redirect hackers to; here's a 10-hour Trololo video.

      https://www.youtube.com/watch?v=sCNrK-n68CM

      1. Jim McDonald

        I prefer https://www.youtube.com/watch?v=5fCgPMMH4vA (Bruno Ganz is superb)

        1. I. Aproveofitspendingonspecificprojects

          Crap!

          You have no taste.

      2. I. Aproveofitspendingonspecificprojects

        Lol Lol Lol

        Posted to Facebook.

        What is he on?

        I think he must have been one of the last Hitler youths to invade Russia and got addicted to whatever they used to give the ones whose faces froze off. Oh OO! eee papalalalala

        Or is it an advert for Moskevitch cars?

        Lala la Ladarghgargle..

        1. Anonymous Coward
          Anonymous Coward

          Re: Lol Lol Lol

          @I. Aproveofitspendingonspecificprojects

          He was quite a nice guy by all accounts. There's 2 versions of why the song didn't have lyrics:

          1) (From the man himself): The original lyrics were about cowboys on the prairie; which wouldn't have gone down too well with the Russian authorities at the time; being all American and all. (Also explains the big Aiyeeeeeeeeee! cowboy whoop in the middle).

          2) (From his son): A disagreement with the guy who wrote the lyrics, so he just did without.

          A song with a title that contained both 'trol' and 'lol' couldn't fail to be a hit; and when you fire the video up it is definitely not disappointing. A song before it's time.

          PS. Hitler Gangnam style. That's massive bad taste and I'm still sniggering. One of us is a terrible person and I'm hoping it's not me. Without much optimism, to be frank.

  10. jollis

    mitigation

    I agree wordpress is the pits of all software, however im lazy so i use it. anyway i just added this to the nginx frontend to help deal with yet another security issue

    location ~ ^/(wp-config|wp-settings|xmlrpc\.php) {

    deny all; }

  11. PMJ

    WordPress Ubiquity

    A death penalty on WP would take out a huge proportion of the web. Even if you just look at the worldwide top 10,000 sites you find that over 27% are using WP (including some big players). If WP is hosted properly and decent security measures put in place it is relatively safe but it should still be kept updated. For CMS usage see http://trends.builtwith.com/cms.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020