WordPress ‘security issues’ – help please
I posted this earlier at WordPress.com and was advised to come here.
I’ve just come across an organisation which won’t commission a WordPress-based site because they’re under the impression that it has ‘security issues’ and is vulnerable to hackers. To my mind, any website (and anything which can be accessed via a username and password, like all FTP sites) is vulnerable to hackers, and the only serious hacks I’ve come across have related to non-WordPress sites. But I’d be really interested to hear how you’d respond to this organisation.
A support person at wordpress.com suggested looking at https://wordpress.com/vip-hosting/ but as this is for users with > 500K impressions a month and costs $500 a month plus a $600 set-up fee it certainly isn’t for me!
well you are wrong on at least one count.
there are plenty of serious hacks out there for countless versions of wordpress, and it’s naive to think that more won’t surface (honestly).
frankly, if someone didn’t feel comfortable using wordpress, i wouldn’t push it — but i would be sure to point out that all of its PHP-based competitors are equally vulnerable. It’s the very nature of using code that dynamic.
As a non-techie (although I’m not completely illiterate) that’s not what I wanted to hear. Essentially you are saying that WordPress is much more vulnerable to hacking than, say, a site built in good old, old fashioned, HTML, right? Avoiding WP and other PHP based platforms would be a good idea if you are concerned, say, about pornographers substituting their images for yours?
If so, this is not good news. Examples of actual hacks, anyone?
Essentially you are saying that WordPress is much more vulnerable to hacking than, say, a site built in good old, old fashioned, HTML, right?
Much more? NO, not quite. I am saying that it is, though, and that’s the nature of PHP. PHP is a dynamic language, HTML is not; thusly, you have not only the various issues that pop up with PHP itself, but with WordPress, and more so, with its plugins.
Anyone, pretty much, can write a WordPress plugin. That’s a double edged sword, since not everyone knows how to write ‘good’ PHP.
PHP, by the way, isn’t alone with this problem; ColdFusion can be equally insecure. So can Perl. (just 2 that come to mind)
HTML sites can be exploited; the available points of entry are just decreased, since PHP isn’t involved.
Avoiding WP and other PHP based platforms would be a good idea if you are concerned, say, about pornographers substituting their images for yours?
Uh, that’s a very bizarre question.
Examples of actual hacks, anyone?
What do you need examples for? And of what? pornographers replacing images? If you are interested in getting a feel for what is already out there.. just take a look at any of the major security sites. Or how about this?
Essentially you are saying that WordPress is much more vulnerable to hacking than, say, a site built in good old, old fashioned, HTML, right?
Well, yes. Any site using any form of dynamic page generation is going to be more vulnerable to being hacked than a purely static site. Because a purely static site isn’t running any executable code. Code is always more vulnerable than non-code.
However, managing static sites is basically impossible above a certain size. No real website on the internet above the “home page” level is statically driven.
WordPress tends to get more press when it (or more often a third party plugin) has a security issue. This is a function of popularity, not how secure it is. Security is not a simple thing that can be easily measured like that, it is a complex function.
Examples, whoami, because if the outfit that’s persuaded the organisation that prompted all this not to go with WordPress because it has security vulnerabilities were able to give them actual examples …. do I really need to finish this sentence?
My question may seem bizarre to you but one of the WP sites I run is for the parents’ association I chair at my son’s school. If it was hacked by a pornographer it would be bad news. Can you see that?
Thanks Otto: useful points.
Ah, I think I can see why you’re confused whoami. Didn’t spell it out for you – what I should have said was ‘examples of any sites that have been hacked successfully’, not the actual hacks themselves. Apologies. Know of any, particularly high profile ones?
There are lots of hacked WordPress sites out there (mainly old versions, the current version is pretty secure). I saw church sites stuffed with hidden viagra links.
You can pretty easily locate such hacked sites (with hidden spam links) using Google searches.
Try this search: “powered by WordPress” “powered viagra wordpress”
Not actually high profile ones but you get the idea. (I remember similar problems with ZDNet blogs). Note, some of the sites you see in the Google search results have been cleaned since, others are still infected. Other types of hacks are more difficult to locate.
Andrew. Many, many WP sites have never been hacked (such as mine). You have to have a good look at security to avoid being an easy target. Hacked sites ARE usually easy targets because they use old versions with known holes, they use “admin” as login and “password” as password, give away their plugin information, etc., etc., etc.
And for your peace of mind, I have NEVER seen a hacked WP site with porno on it. A hack usually means hidden spam links or redirects to commercial websites. Have a look around the forums for “hacked” and you’ll find many of the examples you are looking for. The reactions of several persons who also answered in this thread will be telling enough to assure you the hack is not simply a problem with WP, but of its user.
this is such a useless conversation — not because there isn’t much to talk about — but because there are inherent risks with being alone. Period. Every protocol has a weakness. Nothing is completely secure.
If there is that much ‘anxiety’ associated with having a web site online, then honestly, I recommend not having one, or having the most basic of setups — even if that means static HTML pages.
Well, thanks again whoami. We all construct our own realities.
I think you’re getting a little over excited. There isn’t ‘that much anxiety’. What there is is an organisation I know which doesn’t know much about the web but wants a new website. Someone has persuaded them not to use WP by saying that WP based sites are much more vulnerable to attack than other sites.
The organisation in question knows very well that all websites are vulnerable. This one – https://www.westberks.gov.uk, which is owned by another similar organisation in our area – was the subject of a serious attack one weekend a couple of years ago when it was diverted onto a page in Eastern Europe. Thankfully it was a rather innocuous ‘Hey look what we did!’ page but it could easily have been otherwise. The issue is not either/or, website or no website, is it? I’m sure you understand that. But as you think this is a useless discussion I guess you’re not reading this, and that’s fine too.
If you’d like to comment on the issues that raises for WP, great, but it’s pointless commenting on how useful or otherwise this discussion is for you. You live in your world and, thankfully, having seen your photos of St Paul’s, I live in mine. I seriously hope things over there improve soon. Frankly, the way things are going, that’s unlikely.
Thanks useshots and gangleri. I’ve actually persuaded the organisation in question to use WP for another smaller website – it’s related to a project they are running. The real problem is that they didn’t have time to think properly when they were evaluating the bids to rebuild their main website – and because of that they didn’t ask questions like this.
I sat down with them and said ‘Now, this WP security thing..yeah, it’s vulnerable, but so is everything else and WP are a big, multi-million dollar organisation who are very keen to ensure they stay that way, so they’re very keen to keep their system secure..you remember the https://www.westberks.gov.uk incident? … well the lesson from that is that whichever path you choose, you need to stay on your toes..’
They said, ‘Well, all that seems to make sense…ok, let’s do it’. Happy ending. I hope.
I have 14 WP sites registered, 3 of them are very active and I’ve been using WP for 3 years without being hacked and without even receiving any successful comment spam. It’s not me that’s worried: my original posts here were from the client’s point of view.
All you can do is attempt to limit the potential for hacking. Make sure your server itself is secure. Run up-to-date versions of PHP, etc. (Remember that a lot of web-based hacks will use the front end to exploit a hole within other software.) Limit access to your site through firewalls, .htaccess and plugins like Bad Behavior to act as a front line defence.
Stay up-to-date with WordPress releases, and disable functionality that you don’t use (xmlrpc for example.) Make your content paths read-only if you are not changing templates.
If you follow all that, then your site will be as secure as it can be, which is all you can offer really. If the site is high-profile enough, some script kiddie will have a go at it.
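The two checklist items above that live on the filesystem (block unused xmlrpc.php, keep content paths read-only) are easy to verify mechanically. The script below is an added example, not code from this thread or from WordPress itself: it audits an install directory for a world-readable wp-config.php, world-writable paths under wp-content, and a reachable xmlrpc.php with no deny rule in .htaccess. It assumes the standard WordPress layout and Apache 2.4 `Require all denied` syntax, and builds a throwaway demo tree of its own (constructed, not a real site) so it can be run offline.

```python
"""Audit a WordPress directory for a few basic hardening steps (added example)."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Apache 2.4 rule that makes xmlrpc.php unreachable from the web.
XMLRPC_DENY = "<Files xmlrpc.php>\n    Require all denied\n</Files>\n"
XMLRPC_RULE = re.compile(r"<Files\s+\"?xmlrpc\.php\"?\s*>", re.I)


def world_writable_paths(top):
    """Return every path at or below `top` whose mode has the other-write bit set."""
    top = Path(top)
    if not top.exists():
        return []
    return [p for p in [top, *top.rglob("*")] if p.stat().st_mode & stat.S_IWOTH]


def audit_wordpress(root):
    """Return a list of human-readable findings for the install at `root`."""
    root = Path(root)
    findings = []

    config = root / "wp-config.php"
    if config.exists() and config.stat().st_mode & stat.S_IROTH:
        findings.append("wp-config.php is world-readable; it holds the database credentials")

    loose = world_writable_paths(root / "wp-content")
    if loose:
        findings.append(f"{len(loose)} world-writable path(s) under wp-content, "
                        f"e.g. {loose[0].relative_to(root)}")

    htaccess = root / ".htaccess"
    rules = htaccess.read_text() if htaccess.exists() else ""
    if (root / "xmlrpc.php").exists() and not XMLRPC_RULE.search(rules):
        findings.append("xmlrpc.php is present and not blocked in .htaccess")

    return findings


def build_weak_site(root):
    """Create a constructed demo layout with the weak settings the audit looks for."""
    root = Path(root)
    (root / "wp-content" / "plugins").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "hello.php").write_text("<?php // placeholder plugin\n")
    (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'placeholder');\n")
    (root / "xmlrpc.php").write_text("<?php // placeholder XML-RPC endpoint\n")
    # Set modes explicitly so the result does not depend on the process umask.
    os.chmod(root / "wp-config.php", 0o644)            # readable by everyone
    os.chmod(root / "wp-content", 0o777)               # writable by everyone
    os.chmod(root / "wp-content" / "plugins", 0o755)
    os.chmod(root / "wp-content" / "plugins" / "hello.php", 0o644)


def harden_site(root):
    """Apply the fixes: tighten modes and add the xmlrpc.php deny rule."""
    root = Path(root)
    os.chmod(root / "wp-config.php", 0o640)
    os.chmod(root / "wp-content", 0o755)
    with open(root / ".htaccess", "a") as fh:
        fh.write(XMLRPC_DENY)


def demo():
    """Audit the demo tree before and after hardening; returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_weak_site(tmp)
        before = audit_wordpress(tmp)
        harden_site(tmp)
        after = audit_wordpress(tmp)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before hardening:", *before, sep="\n  ")
    print("after hardening:", after or "no findings")
```

Point `audit_wordpress()` at a real document root to get the same three checks against an actual install; the demo tree exists only so the script can show a before/after run without touching anything.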
I have been very interested in some of the security issues discussed here. Mine concerns unwanted posts on an interactive site using PHP script. I had the site created by an expert who now fails to answer my texts and e-mails and I am totally non-expert in PHP myself.
Initially I was getting between 60 and 100 unwanted posts a day advertising trading or pornographic websites. Then I discovered WordPress’s wonderful spam guard and I am free of the posts at last. However I recently discovered that when I go to edit my home page and go into “code” setting there is code there very similar to the posts I used to get. I delete it each time I find it but I would really like to be able to block it so that it doesn’t get on to the site in the first place. When the multiple posts were coming in the site was blacklisted by Google and other search engines and I do not want that to happen again.
Grateful if anybody has any advice that might help me here.
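Both the hidden spam links described earlier in the thread (the “powered viagra wordpress” search results) and the injected markup in the home-page code in the post just above can be spotted by scanning a page’s saved HTML rather than waiting for Google to notice. The script below is an added example, not code from this thread or from WordPress: it parses the markup, flags links inside elements hidden with inline CSS and links whose text or URL carries typical spam terms, and runs over a constructed sample page (not a real site) so it works offline. The keyword list and the hiding-CSS patterns are assumptions to be extended for your own site.

```python
"""Find hidden or spammy links in saved page HTML (added example)."""
import re
from html.parser import HTMLParser

# Inline CSS tricks commonly used to keep injected links out of sight (assumed list).
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px"
    r"|font-size\s*:\s*0(?:px)?(?![\w.])",
    re.I,
)
# Keywords typical of the spam links described in the thread (assumed list).
SPAM_TERMS = re.compile(r"\b(?:viagra|cialis|casino|payday|pharmacy)\b", re.I)

# Constructed sample page: a normal page plus two injected hidden blocks and one
# spam link dropped into a comment.  Not taken from any real site.
SAMPLE_HTML = """<html><body>
<h1>Parents' Association</h1>
<p>Next meeting: Thursday in the school hall.</p>
<div style="display:none"><a href="http://example.invalid/pharma">cheap viagra</a>
<a href="http://example.invalid/loans">payday loans</a></div>
<div style="position:absolute;left:-9999px"><a href="http://example.invalid/c">cialis online</a></div>
<p class="comment">Great post! <a href="http://example.invalid/casino">my site</a></p>
<p><a href="https://wordpress.org/">Proudly powered by WordPress</a></p>
</body></html>"""


class HiddenLinkScanner(HTMLParser):
    """Walk the markup and record links that are hidden or carry spam terms."""

    def __init__(self):
        super().__init__()
        self.open_tags = []     # (tag, opened_a_hidden_region)
        self.hidden_depth = 0   # > 0 while inside a hidden element
        self.link = None        # the <a> currently being read
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDING_CSS.search(a.get("style") or ""))
        self.open_tags.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1
        if tag == "a":
            self.link = {"href": a.get("href") or "", "text": "",
                         "hidden": self.hidden_depth > 0}

    def handle_data(self, data):
        if self.link is not None:
            self.link["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self.link is not None:
            self._close_link()
        # Pop back to the matching open tag; this also drops unclosed void tags.
        if any(t == tag for t, _ in self.open_tags):
            while self.open_tags:
                t, hidden = self.open_tags.pop()
                if hidden:
                    self.hidden_depth -= 1
                if t == tag:
                    break

    def _close_link(self):
        link, self.link = self.link, None
        reasons = []
        if link["hidden"]:
            reasons.append("hidden-container")
        if SPAM_TERMS.search(link["text"]) or SPAM_TERMS.search(link["href"]):
            reasons.append("spam-term")
        if reasons:
            link["reasons"] = reasons
            self.findings.append(link)


def find_suspicious_links(html):
    """Return {href, text, hidden, reasons} dicts for every link worth reviewing."""
    scanner = HiddenLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for hit in find_suspicious_links(SAMPLE_HTML):
        print(hit["reasons"], hit["href"], repr(hit["text"]))
```

Feed it the HTML as the browser receives it (fetch the public URL, not the editor view), since the injected markup in the post above was only visible in the page code; a hit on a legitimate link such as the “powered by WordPress” footer would be a false positive and the keyword list should be tuned accordingly.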
rather than my regurgitating what’s already been written, you might want to read through these:
https://www.ads-software.com/search/hacked?forums=1
there’s a good deal of useful info already out there.
Thanks for the tips. I changed my password as recommended and the problem has not recurred. Thanks