WordPress-powered sites backdoored after FishPig suffers supply chain attack

It's only been a week or so, and obviously there are at least three critical holes in WordPress plugins and tools that are being exploited in the wild right now to compromise loads of websites. We'll start with FishPig, a UK-based maker of software that integrates Adobe's Magento ecommerce suite into WordPress-powered websites …

  1. Pascal Monett Silver badge
    Facepalm

    Ah, Wordpress

    The gift that keeps on giving.

    Especially in a world where people find it entirely normal to go download server code from some random website.

    When will they learn?

    1. Anonymous Coward

      Re: Ah, Wordpress

      Saying in this case WordPress is the issue is just like saying that the Linux server under it is the issue because it lets the malware run. Would you blame Linux if one day someone compromised a widely used package and it got installed by many? Evidently, if software you download has been tampered with there's little you can do. Maybe now an AV is needed on Linux too?

      The issue here is that today most software is a merry-go-round of too many modules fetched here and there. And not all of them are protected adequately.

      1. captain veg Silver badge

        Re: Ah, Wordpress

        > Saying in this case Wordpress is the issue is just like saying that the Linux server under it is the issue because it lets the malware run

        Not really. Linux is an operating system. Its job is to facilitate running applications.

        Wordpress is a blogging platform. In what sane world does it -- let alone its plugins -- require the ability to download and execute arbitrary native binary code?

        -A.

        1. Anonymous Coward

          Re: Ah, Wordpress

          What's the difference? Linux is a platform to run Linux executables. WordPress is now a platform to run web applications; it's really no longer just a blogging platform. So it also needs to download and run code, just like Linux does with packages. Or should the only way be to download the source code and compile it? How many "applications" today download a large amount of code from remote repositories and run it?

          Then why does PHP have functions to run arbitrary native code? Why does the web server allow a process to run an executable? Why does Linux allow any executable to run regardless of its source?

          One day a supply-chain attack will be able to compromise a Linux package too, and it will be fun to see what some people write....

          And sure, you can write your web application from scratch. Will it be any safer? Maybe after Composer has downloaded several packages to run it? Or are you manually managing each dependency?

          1. captain veg Silver badge

            Re: Ah, Wordpress

            > Wordpress is now a platform to run web applications

            Some people might treat it that way. But it's not.

            > So it also needs to download and run code

            There's your problem.

            -A.

    2. Zippy´s Sausage Factory

      Re: Ah, Wordpress

      You'll notice it's the plugins, not Wordpress itself that's the issue. It's a bit like saying Adobe PDF Reader vulnerabilities are Micros~1's fault because they wrote Windows.

      I use Wordpress for several sites and don't use any of these three plugins. Am I safe? Probably, but that doesn't stop me keeping a sharp eye on things in the same way any sensible sys admin would.

      1. spireite Silver badge

        Re: Ah, Wordpress

        The problem with WP is that it's not a traditional sysadmin type who looks after it - that's why it's popular.

        My wife has a WP site, but there is NO way that she can be a sysadmin, or do even the slightest sysadmin things.

        It updates itself for minor upgrades, but the plugins used - don't - and she doesn't proactively check what updates are available either.

        Reason? She's not a techy (though I am), and she fears breaking the website.

        1. Anonymous Coward Silver badge
          Unhappy

          Re: Ah, Wordpress

          Chances are that even if the plugins implemented automatic updates, the plugin author wouldn't make any improvements to publish anyway.

        2. Anonymous Coward

          "The problem with WP is that it's not a traditional sysadmin type who looks after it"

          That doesn't mean you don't need a webmaster to look after it. All these tools have been designed to decouple the system administrator from the web administrator.

          It is true that WordPress is easier to set up and manage than other CMSes like Drupal or Joomla. Sure, for example, to update Drupal you need system access to run Composer, or you have to copy files manually. Is that better? I don't believe so. Most "sysadmins" will just run the prescribed sequence of commands and that's all.

          You can start from scratch using a basic framework like Laravel or Django, but you'll need a skilled developer to write the whole application, and if you need to add features like online payments it is not simple at all. And screwing up could be costly. Then you need your repo/CI/CD system to take care of code and deployments. Sure, there's GitHub, but maybe you don't want to publish your code, so you'll have to pay for that too. And maybe the developer will leave their private keys there...

          Many users are small companies that may not be able to afford all that, and badly written web sites are not better than badly written plug-ins.

          1. captain veg Silver badge

            Re: "The problem with WP is that it's not a traditional sysadmin type who looks after it"

            > badly written web sites are not better than badly written plug-ins

            Oh, but they are. A web site is a single thing. A plugin can get everywhere.

            -A.

      2. Charlie Clark Silver badge

        Re: Ah, Wordpress

        Having seen the WordPress source code I'd say that it's just as much to blame, not least for the shit plugin architecture.

        The real problem is people without sufficient understanding trying to use it to do something for which it really isn't suited such as e-commerce.

      3. captain veg Silver badge

        Re: Ah, Wordpress

        > Reader vulnerabilities are Micros~1's fault because they wrote Windows

        To an extent they are. Why does Windows let Reader do things that are entirely unrelated to putting a document on screen and printing it?

        But I'm happy to let it stand at this: it's Micros~1's fault because they wrote Windows.

        -A.

    3. andy 103

      Re: Ah, Wordpress

      > entirely normal to go download server code from some random website.

      It's not a random website though, is it? WordPress is used on something like 450 million (and counting) websites. Most people who install it get it through official channels... not some dodgy, modified third-party build.

      Open source advocates are keen to say that bugs get found and fixed quickly. So as long as that's true, and people are patching their installations, there can't be too much of an issue, can there? Certainly no more so with WordPress than with any other open source piece of software.

      1. Anonymous Coward Silver badge
        Boffin

        Re: Ah, Wordpress

        The issue isn't WordPress though. It's the plugins, which are so easy to publish that the authors don't need much skill and thus the code quality is sh*ahem* poor.

        That also means that there's so many of them with relatively low usage that the code doesn't get analysed by people who know what they're doing. Popular plugins will get scrutinised, but not the other 99.9% of them.


  2. Mr Dogshit

    Wordpress

    Just say no.

  3. sitta_europea Silver badge

    "...integrates Adobe's Magento ecommerce suite into WordPress-powered websites..."

    What could possibly go wrong?

    1. Mike 137 Silver badge

      What could possibly go wrong?

      Anyone heard of PCI DSS (for the uninitiated, the obligatory payment card industry data security standard)? No I thought not.

  4. Zenubi

    As If

    "FishPig said affected customers can also reach out for "a free clean up service for anyone who is worried that this is affecting their site and needs help to resolve it."

    hahahahahahaha

    As if I would let them into the root of my site*!

    Their InfoSec is not exactly trustworthy at this point, although I suppose for some WP "admins" this might be welcome.

    (* If I was dumb enough to run Magento as a WP plugin)
