undefined | Better HN

0 pointseugenekolo210y ago0 comments

I'd call it a combination of it being extremely popular (attackers want it), minimal technical competence, PHP, and a history of really bad bugs.

0 comments

3 comments · 1 top-level

spoiler10y ago· 2 in thread

WordPress in itself isn't that unsafe; they are pretty diligent in fixing bugs and security issues. However that is not true about plugins, themes, various theme/plugin frameworks developed for WordPress[1], or custom-tailored things[2]. Also, we must factor in the end-users lack of technical competence[3].

Source: I work for a hosting company with lots of WordPress sites.

[1]: In my experience, there's lot of purposely back-doored, or easily exploitable themes and plugins. Also, let's not forget that users and/or developers often get these illegally (without even knowing they did it; it happened a few times).

[2]: The entry barrier for PHP/WordPress is extremely low and many of these developers are beginners and lack even basic understanding of security or even how things work; they base stuff off from an overly-simplified tutorial written by someone only slightly more experienced than they are. There are also inherent language and CMS issues here, but I won't go into those.

[3]: We actually have users who don't to update WordPress or any of the plugins for ages. AGES! The other day, I had to argue with a client why having a WordPress version from 2006 (something from the 2.0.x release series) is a bad idea. This is either because the developer stopped supporting and abandoned development of some component their site depends on, or because of legacy custom-tailored code that was a once-off purchase.

teh_klev10y ago

As a fellow shared hosting engineer I pretty much agree with [1] and [2], and for [3] I also feel your pain, but we don't mess about any more arguing the toss.

We now scan for egregiously out of date WordPress installs and warn customers that their site will be at risk of being disabled if they don't upgrade to the latest version. If after a couple of days we see no action then we pull the site.

If we detect sites serving dodgy links then they're instantly shut down until the customer can prove they've secured the site.

In 99.9% of cases our customers are happy we do this because they're mostly businesses and serving malware damages their brand and reputation. We do get the occasional user who refuses to co-operate, and if they do we serve them notice to take their business elsewhere.

spoiler10y ago

> If we detect sites serving dodgy links then they're instantly shut down until the customer can prove they've secured the site.

We have a similar approach to this actually. The exception being that we clean the malware ourselves, sadly. I tried to say is a bad idea multiple times, but no luck. What makes things worse, we have a few "spoiled" clients that keep getting their websites hacked (there's 3 such WordPress and Joomla development resellers) and they started expecting us to clean their websites. Sigh

Also, I tried to argue a few times that we do the scan-and-warn thing, but I got turned down with the counter argument that it would generate more backscatter on our support department than it would be worth it.

j / k navigate · click thread line to collapse