Time for people to patch backup plugin for WordPress

If you're using the UpdraftPlus WordPress plugin to back up your systems, you'll need it patched – or else risk sharing your backups with strangers. The UK-based plugin producer warned customers on Thursday to upgrade to version 1.22.3 of the code after Marc Montpas, a security research engineer at development house Automattic …

  1. pavel.petrman

    The backend version of Flash

    Am I the only one who feels Wordpress is the backend version of Flash, regarding reliability and security? Very very popular, seemingly irreplaceable, fit for many purposes (and used for still more outside that category), brought to life mainly by absence of any better alternative (PHP being virtually the only language available everywhere on the cheap or for free) and so on.

    Let's hope that the recent huge increase in availability of alternative runtimes - today, one gets a VPS or a cloud node for less than a PHP hosting instance ten years ago - will help us repeat the glorious fate of Flash on the backend.

    We'll know we are there when the number of vulnerability scan requests targeting Wordpress will get from 90% to 9% on quiet webservers.

    1. Anonymous Coward

      Re: The backend version of Flash

      Oh, it's not impossible to keep it safe, as long as you do not try to go beyond what it was originally intended to be: a brochure site or at most a blog.

      For serious work you'll quickly end up with Joomla or Drupal, simply because you don't need to bend the site completely out of shape with plugins to make it do what the latter two simply have as built-in functionality.

      I have a brochure site up that uses Akeeba for backups (which even does a quick sanity check and yells at you if you leave something unsafe), but I found their Admin Tools less useful on Wordpress - it's very good on Joomla, but I find the functionality of All in One WP Security a bit more to my liking.

      The very first thing you need to do with any website is to set up 2FA, and change the admin URL (AIOWPS does this) or add a keyword to the admin page (the Akeeba Admin Tools approach). Best make sure the 2FA query is one step (i.e. a window asking user name, password and 2FA) as a two step (asking the 2FA later) allows a tiny window for dictionary attacks. And, of course, never use "admin" as admin logon, but it's nice to see that any security tool will grumble at you for that.

      Anyway, yes, a dodgy plugin can leave the site wide open - even if it's not activated.

      1. Slipoch

        Re: The backend version of Flash

        Joomla is actually one of the most hacked CMSs. Wordpress accounts for ~60% of the CMS market, but was 90% of all the compromised sites, Joomla accounted for <1% of the CMS market and yet was hitting around 2-4% (depending on year) of hacked sites.

        I used to support industry sites using Joomla, it's not a professional platform, it's more like a website focussed version of wordpress with a better BE.

        I would avoid Joomla.

        1. Anonymous Coward

          Re: The backend version of Flash

          We've got it reasonably tied down, but that's probably also because we stay with its original intent and use very few add-ons, and tend to start with site security before we do anything else.

    2. Slipoch

      Re: The backend version of Flash

      Yup, also for usability, flash was a mess of different ideas as is wordpress, not to mention the auto-updates were caught installing the infected package updates from NPM.

      The usability for the end-client is also shite.

  2. DJV

    "Microsoft's platform has been spreading malware"

    Yeah, they've been doing that for years - it's called Windows!

  3. NoneSuch

    "The advisory recommends only one type of password, Cisco's Type 8, which uses either Password-Based Key Derivation Function version 2 (PBKDF2), SHA-256, an 80-bit salt – one NSA wit described it as "what Type 4 was meant to be," in the document."

    So how secure is Type 8 if the NSA says to use it exclusively?

    It's like Casanova recommending a particular brand of chastity belt for your wife.

    1. emfiliane

      The NSA does have a vested interest in counter-intelligence against international adversaries, particularly now that we're at the door of war with one and have been on the threshold of another for years. They would much rather not have our secrets leaked out to *all and sundry*, even if it means it might be a lot more difficult to get whatever they want when they want.

  4. emfiliane

    It's weird that deblurring papers are even mentioned anymore, that's been a thing for 20 years, it just gets a little faster as tech advances.

    I have this matrixy filter thing that makes pixels fall randomly with a random length and separations. It looks pretty and it's not a linear convolution. It's linear convolutions that screw you. Gaussian blur is not your friend.
