Reply to post: Re: Backend in JS!?

Full stack, C++, and backend developers in demand in this week's job openings

Ogi

Re: Backend in JS!?

>Wordpress accounts for 80% of hacks BECAUSE it is the majority player,

I am not convinced, having in a former (apparently cursed) life, been a web admin for a 100% wordpress webhost, I can assure you that beneath the shiny CMS frontend, wordpress is a horrid insecure mess.

The amount of times I see wordpress do things like "exec($random_byte_string)", or "include $dynamic_path.php" in the code is frightening. It looks like it was programmed by 1st year undergrads as a "learning php" project.

The two things above, coupled with a buggy file_upload.php, most likely results in 99.9% of the hacks on wordpress.

I have seen it, where attackers use a page to send a random php byte string to the underlying exec() function (With no checks or sanitation on wordpresses part), resulting in a compromise.

The other method I have seen them use is to exploit the file_upload.php to upload their own php file, which they then execute by including their PHP in another file with a dynamic include function.

One thing I eventually did was disable exec() in php, which broke wordpress of course. I then went through all of the wordpress code, and rewrote the chunks that depended on exec to make it more secure.

The second thing I then did was make the wordpress web folders read-only to the web browser. This stopped the file_upload compromise. After that we had virtually no problems at all with security.

However, it also meant that (a) you could not install any plugins/themes once set RO, nor upload any files, and (b) some plugins/themes had to themselves be rewritten in order to work without exec.

I maintained this private branch for the company while I worked there, and there were no more compromises (but a lot of moaning from clients for why $free_plugin_X does not work on "our wordpress", and "Why can't I just upload files myself").

The content itself was held in a mysql DB, so once a wordpress site was configured with a theme and media uploaded, the text could be changed by the end user as normal.

So a "secure wordpress" can be done, but it requires a higher skilled developer to do, which is lacking in most of the wordpress ecosystem (especially in the "free themes/plugins" area).

Fact is, even if WP was 10% of the web market, it would still get exploited like now, because their security mistakes are so basic, your average script kiddie can compromise your site.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2021