Safe browsing checks fail as 16,000 WordPress sites hacked this year

At least 15,769 WordPress websites - and probably more - have been compromised this year, half slipping past Google's Safe Browsing checks, says security researcher Daniel Cid. The world's most popular content management system represented the lion's share of some 21,821 sites studied in the second 2016 Sucuri report on …

  1. Milton

    So: should I choose WP?

    This news is timely, for me, as I've recently been configuring and hardening a *ix server for family use and considered WordPress for a blog for my dev-genius wife. I was already surprised at the scale of WP abuse, and now even more alarmed by how successful this appears to be.

    So I have a question: for a light one-woman blog that will be smallish, probably with moderate traffic, should I automatically go with the #1 option, WP? Or does it make sense to seek one of the many also-rans that have a much smaller installed footprint?

    There's no point me hardening a new server if I install something of known weakness, nor do I want to be constantly plugging holes in the dike. Curious to know what el Reg's eminently qualified readership think.

    1. DaLo

      Re: So: should I choose WP?

      Depends, Wordpress is an obvious target due to its install base and use of plugins. It is also easy to identify so automated scripts/bots can search the web for installs and test for the known vulnerabilities.

      If you are prepared to patch whenever available and limit your use of plugins as much as possible (and patch those plugins regularly) then you will probably be okay. You will still be plugging holes a lot, but you will be for most software (on the Reg today: "Drupal patches bad bugs", "OpenSSL swats a dozen bugs, one notable nasty")

      Any public facing box of any kind should not be used in a fit and forget scenario.

    2. Anonymous Coward

      Re: So: should I choose WP?

      I like WP and have only ever had one hacked...and that was an inside job (disgruntled ex-employee that nobody told me was ex).

      A lot of the sites in the article were either not updated; or had glaring schoolboy errors in the configuration (the username and password being the same as the domain name FFS...I've had sites like that handed to me by agencies on more than one occasion).

      If you:

      1) Don't use 'admin' (the default) as the username

      2) Keep plugins to a minimum

      3) Keep site and plugins updated (It's just the press of a button or you can instruct the site to keep itself updated; but there's a risk there of a bad update...I prefer manual)

      4) Don't have the "display name" and "username" the same (Display name is what wordpress uses to say "this was posted by $display_name" and username is what you login with)

      5) Use a decent password

      6) Install 'Wordfence' and 'All-in-one security' plugins...they play nicely together. Spend some time going through the AIO security options...that covers most of the obvious bits.

      ...then you should be OK. Now WP is the most popular; which means that it has the most hackers going after it; but on the other hand they do find and sort holes all the time, so double-edged sword there. Nothing is going to help you if you're going to be pissing off state-level players; but the above should be fine for screening out the background radiation of people trying it on just because.

      Wordpress' big advantage is that updating is really easy. Other CMS like Drupal and Joomla you have to take to bits to update; which means you tend to put it off.

    3. Anonymous Coward

      Re: So: should I choose WP?

      On many hosting platforms, you can configure Wordpress to update the core itself (at the risk of a bad update making the site unviewable).

      There are plugins like wordfence (free, with premium version) that notify you of the outstanding updates pending, and attempt to restrict some of the password dictionary attacks, and whether your site is being linked to from suspicious sources.

      Plus backups, Updraft plugin is easy to train a non-techie on, but automated versioned backups would be better.

  2. Pomgolian

    Plugin Hell

    As other commentards have pointed out, the Achilles heel of Wordpress is the poor quality of some of its plugins, and they should be avoided like the plague. Non-free plugins in particular are a no-no because often there is no patch available.

    A lot of people mistake Wordpress for a content management system. It isn't - it's a blogging platform. If all you want to do is blog, then it's mostly OK, provided you update regularly.

    If on the other hand you want a full featured CMS, take a look at https://www.concrete5.org. Last time I checked on cve.mitre.org there were barely a handful of issues listed, compared with hundreds if not thousands for Wordpress, Drupal and Joomla.

    1. PyroBrit

      Re: Plugin Hell

      +1 for Concrete 5.

    2. Spudley

      Re: Plugin Hell

      Fully agree with you on the plugins -- it's a major issue for WordPress.

      But my issue with WordPress is that the quality of the core application is part of what leads to these poor plugins. WP core is firmly rooted in the bad old days of PHP, and the plugin architecture is so heavily wedded to some of those poor dev practices that they've never been able to get away from them (If they did, they'd break all the plugins, which would effectively kill the platform. They've got a nasty catch 22). So in order to write a WP plugin, you're pretty much forced into using all kinds of bad practice that can easily lead to your plugin being insecure. It's no wonder they've got such a problem with it.

      No other platform in common use today has anything like this issue. Joomla, for example, has a much *much* better plugin architecture. If your Joomla plugin is insecure, then it's likely your own fault rather than the platform's. Drupal used to have some big flaws in its architecture but D8 has sorted that out... albeit at the expense of trashing most existing plugins (Drupal could get away with it where WP can't because most Drupal sites are set up by competent developers who know how to write their own code rather than relying solely on plugins. It has still caused some pain though).

      Re your flag waving for Concrete: I'm sure it's a good platform, but you can't really claim that it's secure purely based on the count of issues. Joomla and Drupal have a much *much* larger user base, so of course there are more issues found in them. The risk posed by those issues and the speed at which they get them fixed are more important factors. I would also want to look at its code base and QA process to help me assess the quality of any new platform I wanted to pick up. If it's a new platform, I would expect it to be well architected and have excellent test coverage before I even consider it.

  3. Anonymous Coward

    Good old wordpress allowing people from the print design industry to declare themselves web developers and then sell a piss poor insecure system and then take the money and run without one consideration to keeping things updated.

    Don't flame me, I'm not tarring everyone with the same brush, but it's more often than not the case....

  4. Alan Sharkey

    I do wonder how accurate this test is - Google says that a web site on my Synology box is compromised. I know it isn't - as I have the sources and I know it's OK (it's just a little home site).

    Alan

  5. Mike 16

    Popularity

    It must be popular. When I bother to look through the logs on a couple domains that I keep essentially as archives, the top 10 or so most common failed requests are for URLs that are obviously probing for WP blogs to compromise. Of course none of these domains have, or have ever had, WP installed.

  6. Alan Sharkey

    I doubt it - alanandnorma.me.uk - you check

  7. WibbleMe

    I work in an office where I am the senior technical guy, my job is to set new WP websites live and to make them as secure as possible.

    Unfortunately, I work with fucktards that don't bother following procedure (mainly the boss's son, who I would trust to sweep up for a living). It is no coincidence that, of all the sites we have, the ones I have not set live are the only ones to get hacked. All our sites probably could be hacked, but my doing some basic things called "Hardening Wordpress", such as placing things into the .htaccess file and banning .php files from the media folder, makes hackers go away and find another easier target.

    So really from my point of view arrogance is the main cause of websites being hacked, I mean seriously all you have to do is install a security plugin in WP to make things much harder, that's like 2 clicks of the mouse.

    I would also like to rant at hosting providers, particularly most of the large ones in the UK that sell reseller hosting and charge extra per account for a virus scan. Something that should be a legal requirement.
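The "banning .php files from the media folder" step mentioned above, as an added example that is not the commenter's own setup: a POSIX shell helper that drops an Apache 2.4 `.htaccess` into the WordPress uploads directory so PHP-like files there are never served as code, plus an audit function that counts any PHP-like files already sitting in that tree. It assumes Apache 2.4 with `AllowOverride` enabled for the document root (assumption).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache 2.4 and that .htaccess
# overrides are honoured for the WordPress docroot.

# Write an .htaccess into the uploads directory that refuses to serve
# anything with a PHP-like extension (case-insensitive via PCRE (?i)).
write_uploads_htaccess() {
    uploads_dir="$1"
    cat > "$uploads_dir/.htaccess" <<'EOF'
# Media uploads must never execute as code (Apache 2.4 syntax)
<FilesMatch "(?i)\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Count PHP-like files under the uploads tree; a non-zero result means
# something that should not be in a media folder is there and needs a look.
audit_uploads_for_php() {
    uploads_dir="$1"
    find "$uploads_dir" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
        -print | wc -l | tr -d ' '
}

# Usage: ./harden_uploads.sh /var/www/html/wp-content/uploads  (path is an assumption)
if [ -n "$1" ]; then
    echo "PHP-like files found in uploads: $(audit_uploads_for_php "$1")"
    write_uploads_htaccess "$1"
fi
```

The `.htaccess` only stops Apache from executing what is already there; the audit output is the list you still have to review and clean up by hand.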

  8. Daniel B.

    WordPress

    The blogging platform that somehow has been hacked into a "CMS" and it shows. It's the lazy webmaster's solution to "I need a quick web site that looks snazzy".

    The only thing it has going is that it isn't a horrible MS proprietary turd like SharePoint.

    1. WibbleMe

      Re: WordPress

      time = money = profit = real world

  9. bombastic bob

    hand-coded optimized HTML isn't that hard

    hand-coded optimized HTML (without scripting, even!) isn't THAT hard.

    you can even insert it into El Reg comments...

    I like to use 'tables' to format my web pages. it's clean, simple, elegant, and pretty much universally supported. And it'll force scrollbars if the screen is too small to view the content properly.

    and it might even force phone-viewers to go into 'landscape' mode [which is superior anyway].

    (yeah learn to program HTML, use scp or rsync to transfer things, and stop relying on some 3rd party bloatware to do simple things like html markup)

  10. Milton

    Thanks for the advice

    I was pleasantly surprised to get a worthwhile and topical response to my question "So; should I choose WP?". The Register's BTL community distinguishes itself, so big thanks to 'DaLo', 'moiety' and 'A.Coward' ;-) among others who provided insights.

    My takeaways are:

    * Don't do blatantly stupid stuff (e.g. lousy login/pass combos)

    * Pick plugins *very* **very** cautiously (I'm guessing that for a vanilla blog I can mostly avoid them)

    * "Any public facing box of any kind should not be used in a fit and forget scenario" - which is always worth bearing in mind.

    So far I have done the usually recommended hardenings, and installed and configured fail2ban, which has by itself reduced failed SSH login attempts from hundreds per hour to a handful.

    I think I'll give WP a go, doing my best to learn from others' mistakes, which is so much less painful than learning from one's own .... Thanks again all.

  11. Anonymous Coward

    Think Server

    I hardened my WordPress website for months and was still getting attacked.

    I got in touch with a managed hosting company who specialise in security called CuroWeb and they told me the best way of preventing getting hacked again was by using better security software on the server itself, everyone tries to harden via WordPress plugins but they just don't cut it.

    I signed up with them and haven't been hacked since.

    A good server firewall, a CDN and on server virus scanning and monitoring beats all the other things you can do hands down I think. I do agree that the basics need to be put in place though, secure passwords for example.
