'Legacy' Wordpress blog site of The Independent serving malware

The Independent has become the latest big-name publisher to serve malware. Trend Micro is warning that the UK news site's Wordpress-based blog section has been compromised. The company says the attack seems to have begun on November 21, with a compromised page serving the Angler exploit kit, taking advantage of visitors with …

  1. oldtaku Silver badge
    FAIL

    Oh good lord. Having a Wordpress site is setting up a gigantic HACKMEEEEEEEEEE sign. Any competent IT person should know that. It's a gigantic complex PHP thing, so it's going to be insecure, and it has tons of plugins which are even more insecure (most hacks are via plugins and themes).

    And most of all it is very strongly targeted. The WP PHP code isn't any worse than normal PHP code (it's better), but bad guys keep lists of known WP sites, and as soon as a zero-day is discovered, they hit them. You've got no time to react.

    You have to be willing to actively monitor it constantly or you should just shut it down. Facebook and other big places that use PHP go for the monitor it constantly route, but if you're not willing to dedicate the manpower to it, SHUT IT DOWN or move to something else.

    1. Anonymous Coward
      Facepalm

      Yes, because the security of DIY solutions cannot be underrated.

      1. wolfetone Silver badge

        Fully agree. If you can't be bothered to monitor or check up on your WordPress install then you really should just serve static HTML pages and update them via FTP. You know, the old way.

    2. Anonymous Coward
      Anonymous Coward

      Oh good lord. Having a Wordpress site is setting up a gigantic HACKMEEEEEEEEEE sign. Any competent IT person should know that. It's a gigantic complex PHP thing, so it's going to be insecure, and it has tons of plugins which are even more insecure (most hacks are via plugins and themes).

      Bollocks. A WP site is just like any other IT project: install only what you need and not more (plugins as well as themes), and pay attention to the rather good security advice out there. It starts with a good ISP so you don't have a platform weakness (it's still an OS plus webserver stack before you get to WP), then install All In One Wordpress Security and Firewall which gives you a guided tour past all the things you can do to lock it down (and, IMHO very important, explains why), and if you install a plugin that uses Google Authenticator timed passwords you only need to make sure you keep up to date with patching.

      And even that can be automated.

      It's really not that hard. The hardest work is blacklisting the networks that seem to specialise in supporting script kiddies. I seem to get a lot from OVH these days. On some websites I've installed IQ Block Country and banned the usual suspects (China, Anonymous Proxy, Russia, Ukraine) as that turned out easier than blocking one IP range after another.

      As for looking up IP addresses, I have found WhatIsMyIPaddress.com very helpful. I don't run my webserver myself or I would have added fail2ban to the defences, but I use an ISP that runs most of its platform on BSD which seems to be enough to confuse most script kiddies already :). As I refuse to serve advertising (despite many, many "get rich quick" prompts from various parties) I'm also not worried about becoming a malware server to others.

      And for the rest I run Joomla :).
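
The comment above describes blocking whole networks rather than chasing one address after another. As an added example (not from the thread, nor from any plugin it names), this groups failed WordPress logins in an access log by network so a range can be reviewed for blocking. The log lines are constructed, and treating a POST to /wp-login.php answered with 200 as a failed login is an assumption about a default WordPress install.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in combined log format (documentation IP ranges only).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "ua"
198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "ua"
198.51.100.200 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "ua"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php?x=1 HTTP/1.1" 200 1520 "-" "ua"
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "ua"
203.0.113.5 - - [01/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "ua"
192.0.2.44 - - [01/Jan/2024:10:00:07 +0000] "GET /blog/post-1 HTTP/1.1" 200 5000 "-" "ua"
this line is truncated or corrupt
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_login_networks(log_text, threshold=3):
    """Map network -> (failed attempts, distinct source IPs) for noisy networks."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the run
        path = m["path"].split("?", 1)[0]
        # Assumption: a failed login re-renders the form (200); success redirects (302).
        if (m["method"], path, m["status"]) != ("POST", "/wp-login.php", "200"):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is a hostname or junk
        prefix = 24 if ip.version == 4 else 64
        hits[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append(ip)
    return {
        str(net): (len(ips), len(set(ips)))
        for net, ips in hits.items()
        if len(ips) >= threshold
    }

if __name__ == "__main__":
    for net, (attempts, sources) in failed_login_networks(SAMPLE_LOG).items():
        print(f"{net}: {attempts} failed logins from {sources} addresses")
```

A network with many failures spread across several addresses is a candidate for a range block; one address with a single failure followed by a success is more likely a user mistyping a password.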

  2. Anonymous Coward
    Anonymous Coward

    Lesson One

    ..close your old site down, or patch them as if live.

    Anon as I recently had to point out one of our websites was serving malware and the team responsible (yes marketing) looked at me with glazed eyes and said, but we don't use that one anymore.

  3. Absent

    Independent mobile site

    I've stopped visiting the Independent on my phone due to its autoplaying video adverts pausing audio apps and its auto refreshing homepage reloading before I've got to the bottom. It's just too annoyingly designed.

    1. Anonymous Coward
      Anonymous Coward

      Re: Independent mobile site

      Yeah, same here. It's maybe the worst news site I visit - I get video ads you can't even find a "close (X)" button for.

      Puts me right off. The Guardian has its flaws, but their site, and even mobile app, is pretty good.

      Adverts should NOT interrupt the reading experience and autoplaying videos is a rude no-no, be it content or ads.

    2. Davidcro

      Re: Independent mobile site

      I've stopped visiting The Register on my phone due to the autoplaying video ads. Thank you Huawei Spain.

      1. Anonymous Coward
        Anonymous Coward

        Re: Independent mobile site

        I've stopped visiting The Register on my phone due to the autoplaying video ads. Thank you Huawei Spain.

        I've stopped visiting the BBC news website due to their *seriously* nauseating Microsoft ads on all videos (whoever did that voiceover can not even be fixed with a massive dose of laryngitis and a month's worth of smoking and hard drinking, let alone that it's about Microsoft), but thankfully there is a fix: I have a VPN with London.

        I enable ads for some sites as I appreciate they get some revenue for it, but as ads have now become an oft-used attack vector for malware I'm afraid the ad distributors are left with a simple choice: either start screening every ad they distribute, or face the fact that ads will be more and more blocked. It's not like they're short of funds to do it, so there's no excuse.

    3. flokie

      Re: Independent mobile site

      Their BB10 app was pretty good, and I don't recall distracting ads. "Was" because it stopped fetching up-to-date news items about two months ago, and it hasn't been fixed since...

    4. Anonymous Coward
      Anonymous Coward

      Re: Independent mobile site

      I agree the Independent site is a bit terrible ... but just as a data point, my mobile browsing of it with firefox+ghostery isn't plagued by auto-playing video ads.

  4. johnB
    Holmes

    Flash ? Security problem ?

    Move along, nothing to see here...

  5. Anonymous Coward
    Anonymous Coward

    simple maintenance

    WP gets the blame, but this is the site owner's fault. Not long ago crufty old Solaris servers with ancient never-patched versions of Apache were the main vector of attack. Now it's WP installs whose platform (some version of Linux or Windows) is running the bare minimum version of PHP and MySQL it will run on without patching, being served up by an nginx instance whose configuration was cobbled together from disparate forum posts spanning a variety of platforms over several years. Combine that with the changing of the guard at most companies where the rigorous maintenance by experienced sysadmins is giving way to cheap contract labor who don't know the difference between an inode and nodejs, and you've got a prescription for disaster. The PHBs have finally done it: they've broken the system. Looks like "no streaming for old men" in the near future. Good. We need to go back to reading books. All those pop-up ads were giving me a headache.

  6. JanCeuleers

    Are ad flingers suppliers

    Surely advertising brokers are customers of websites on which their adverts appear, not suppliers?
