Put down the coffee, stop slacking your app chaps or whatever – and patch Wordpress

Internet scribblers who use WordPress must update their installation of the publishing tool following the disclosure and patching of six security holes. Version 4.7.3 of the content management system includes fixes for the half dozen flaws that could allow for, among other things, cross-site scripting and request forgery …

  1. frank ly

    All plugins?

    Were all the security holes in WP plugins? I remember reading a comment that WP itself was good at security but needed plugins to make it do things that most people wanted it to do.

    1. knottedhandkerchief

      Re: All plugins?

      No, this is core. WP plugins are updated by their authors and have their own updates. They can vary enormously in their quality and maintenance.

    2. wolfetone Silver badge

      Re: All plugins?

      "I remember reading comment that WP itself was good at security but needed plugins to make it do things that most people wanted it to do."

      Sort of right, but not about the security aspects of WordPress.

      It's a blogging platform that is used to base a website off. It's just you need to ply it with plugins to get any sort of proper website functionality into it. Like knottedhandkerchief said, the plugins vary in quality and it's been known that security holes can appear in these plugins. The developers may publish an update to fix it, but the badly kept secret is that most of the people with these WordPress sites don't update the plugins or the core WordPress installation itself.

      I inherited a project about 6 months ago which still used WordPress 2. It hadn't been updated at all, and when I pointed it out to the owner they didn't know it needed updating. They thought it was something the previous developer had taken care of. So there are a lot of people in the web design/development world that are promising clients the world and leaving them with a castle of sand in all honesty.

      For most applications, WordPress isn't even needed. For a mom and pop business that has a website with a few photos and pages, maybe a contact form, it could very easily be pumped out and delivered in just pure HTML with some PHP (other server-side scripting languages are available) and left to do its thing until the end of time. There are clients who have heard about WordPress and want it, even though they don't need it and are billed accordingly. But there are also agencies who push WordPress on to the client as a "value added" thing. "Oh with WordPress you can change the content yourself!". That's all well and good, but will the owner actually update the content or actually know how to?

      I need to get out of web development, I've become far too cynical about my peers.

      1. Anonymous Coward

        Re: All plugins?

        No, WP itself is bad at security, and the plugins are horrendous.

        The whole ecosystem is a hopeless mess. It cannot be saved.

  2. AMBxx Silver badge

    Seems painless enough

    Just updated. Took no time at all and everything seems to be working.

    Still find it hard to believe that Wordpress is so full of holes.

  3. PM.

    Again ?!

    oh boy

  4. Anonymous Coward

    Wp wp wp...

    Noticed WP on full disclosure a few days back now, slow to the table el'reg?

    I had to deploy WP for a client, and someone in HR absolutely insisted it was WP despite not wanting comments etc, so I set it up that the "WP" site in production was a flat static copy of the dynamic one on a local, private-to-them hosting server, and a push mechanism to push new releases when things changed. They still got their clicky familiar cms, I still got to sleep.

    Experience suggests this has been a good idea... 35000+ hits to a non-existent wp-login.php in the past few months, loads of bots trying xmlrpc.php, wp-json etc, the full gamut of exploitable vectors in fact. Yes it could be patched up to the eyeballs constantly but only one attack has to get through...
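The observation above is a ready-made detection for anyone serving WordPress as a static mirror: wp-login.php, xmlrpc.php and /wp-json/ do not exist there, so every request for them is a scanner or a brute-force bot. The following is an added example, not code from the thread or from any commenter, that parses combined-format access-log lines and counts such probes per entry point and per client; the log lines and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Combined log format as written by the Apache and nginx defaults.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Entry points that exist only on a live WordPress install; a static mirror never
# serves them, so every request for one is a scanner or a brute-force bot.
WP_PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-json", "/wp-admin")

def classify(path):
    """Return the WordPress entry point a request path targets, or None."""
    bare = path.split("?", 1)[0]  # drop any query string, e.g. ?action=register
    for p in WP_PROBE_PATHS:
        if bare == p or bare.startswith(p + "/"):
            return p
    return None

def summarize(lines, threshold=3):
    """Return (Counter of entry point -> hits, {client ip: hits} for clients at/above threshold)."""
    by_path, by_client = Counter(), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the whole run
        target = classify(m["path"])
        if target is not None:
            by_path[target] += 1
            by_client[m["ip"]] += 1
    noisy = {ip: n for ip, n in by_client.items() if n >= threshold}
    return by_path, noisy

# Constructed sample lines (not real traffic); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2017:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:02:14:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2017:02:15:10 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 404 162 "-" "curl/7.5"
192.0.2.44 - - [10/Mar/2017:02:16:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is corrupt and must be skipped without crashing
"""

if __name__ == "__main__":
    paths, noisy = summarize(SAMPLE_LOG.splitlines())
    print("probes by entry point:", paths.most_common())
    print("clients worth a block rule:", noisy)
```

Feed it a real access log with `summarize(open(path))` and the noisy-client dict is the input for a firewall or fail2ban rule; the threshold is deliberately low because on a static mirror even one such request is unwanted.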

    1. wolfetone Silver badge

      Re: Wp wp wp...

      They only have to be lucky once, you have to be lucky all the time.

  5. Elf
    Gimp

    * WordPress is a Content Management System, not a "Blogging Platform". That role changed a decade or more ago and perception is very much behind.

    * It is the Big Round Button of CMS (I prefer Drupal for my stuff, but WP is good for lots of stuff too) and yes it is intended for Users to be able to publish things. It works like Word, on purpose. One would think people could deal with that (mileage may vary).

    * WordPress, like all complex software, has bugs that need patching and LO! The maintainers recognized and patched vulnerabilities... ungrateful bastards.

    * WordPress sites are quick and easy and Cheap to deploy. Shady designers notwithstanding, a CMS is a Framework... and PHP/HTML just doesn't cut it in this Modern World. No, just stop. Mobile themes, social media integration, you can't do it effectively in just raw HTML and if you're not using modern tools, the site is junk, deploy is crap, and the client loses. I hear "Hard Code the site" and think "FFS, just get a Yellow Pages Ad". (I'm an engineer, so could really care less. I am right, however.)

    * Software Needs Updates. Let us not blame the CMS for not being regularly updated. Let's take a user pool of End User devices (laptops, mobes, fondle-slabs) that aren't up to date and then blame the vendor. That's right brilliant, that is. Pummel the user for relying on tech and not taking an interest in keeping it running smoothly... per usual.

    * This Major Revision of WordPress will update Core on its own a few hours after a Cute update is released. It's been this way for this Major Rev Precisely because... users.

    * Plugins, themes, database stuff can all be diddled with a really great tool called wp-cli that, as it implies, is a CLI tool that can be used in scripts and mashed into cron. Naturally this requires something other than $5USD "Budget" hosting. (Same problem with Drush and Drupal... crap hosting is another user problem.)

    I have little love for The Web, but let's all settle down on patches *being available*, that's just silly.

    +The Gimp, because my girlfriend is a designer that hosts some 30 instances of WordPress for her clients on servers I lovingly care for, with a nimble Apache, hand rolled PHP, Redis object cache, the aforementioned wp-cli, and intrusion detection... if I like not sleeping with the dog on the couch.

    1. Anonymous Coward

      Why does a static copy of the site have to not have any php or javascript on it? We're talking about taking a copy that exports the javascript as presented to a client, so that it can't be altered and the client gets the same experience, not removing all the widgets and functionality.

      There is even a plugin to generate this copy already available.

      https://wordpress.org/plugins/simply-static/

      Best stick to yellow pages if I were you.

    2. wolfetone Silver badge
      Pint

      "WordPress is a Content Management System, not a 'Blogging Platform'."

      Er, no. It's a glorified blogging platform. Always was, always is, always will be that. Next you'll tell me Facebook is a news site as it gave up the social networking thing years ago.

      "* WordPress sites are quick and easy and Cheap to deploy. Shady designers notwithstanding, a CMS is a Framework... and PHP/HTML just doesn't cut it in this Modern World. No, just stop."

      No. Unless your client specifically requests to be able to change their own content, WordPress shouldn't be provided. Google doesn't give a damn about what runs your website. It's the content, the page speeds etc that matter.

      I can't argue with your other points because they're right. I will, however, make this point: if you, as a business providing a WordPress solution for a paying client, are not going to proactively update WordPress and its plugins for the client then there is absolutely no point in providing it in the first place. Unless, of course, you wish to add that as a service you provide to the customer as a means of extra income. Then fair play, but I'd question the morality of it. Given that you know WordPress is a target, is always attacked, and does require updates etc, are you doing your best as a developer or a designer by your client by providing WordPress as their solution?

      I know you, @Elf, are proactive in caring for the instances your better half is in charge of, but you are in the minority. There are plenty of hosting providers, agencies who don't care what happens to a client's WordPress site unless you pony up the dough for them to help protect the site. I think that's completely wrong, as when the site is built you know WordPress is going to be attacked and exploited and you're providing the client with something that leaves their business open to risk that could be avoided.

      But, have a pint. Because at least you're doing something to protect those clients.
