• I don’t use Akismet (I am a business and the cost of the service is too high compared to the return).

    I would never use Hello Dolly. Moreover, it’s a pretty common vector for attackers who replace the file with their own content – generally abusing plugins that allow uploads or similar. I don’t want the files on my servers in any manner; there is no reason to have this file.

    The problem? Every update puts these things back.

    Is there a way for WordPress to provide a “just the core” update for people who don’t want to have these files on their servers? They are not required to run WordPress; they are optional plugins. Why are they downloaded with the core?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Side note here and unrelated to your topic really:

    I would never use Hello Dolly. Moreover, it’s a pretty common vector for attackers who replace the file with their own content

    That would indicate a much bigger problem and that’s that someone’s server or WordPress installation is insecure. Removing Hello Dolly won’t do anything for that situation.

    Thread Starter Another Guy

    (@another-guy)

    Jan, your side note is correct, but…

    Understand that if there is a file that is (a) commonly installed on EVERY WordPress install, and (b) rarely actually used by the sites in question, then it’s a perfect file to overwrite when attempting to hack a system. If you get a plug-in that allows writing to files outside of the upload directory, hello.php is a perfect place to land your hack – and most people will never check it until it’s too late. It’s in an executable directory, it’s a file that’s always there, and it’s a file that essentially nobody uses.

    Basically, most people would scan your WordPress install and never run across hello.php – so they don’t generally check it for a hack. The result is that many hacks are written there.

    Almost everything else in WordPress has a use and is commonly used. This piece of legacy code is unused and not required for a normal install.

    Akismet is more of a question of a commercial service that not everyone chooses to use. It’s a plug-in, nothing more. No other commercial plug-in gets such preferential and repeated distribution, and it adds extra code to every download, and extra steps to remove it from every install that doesn’t use it. It also means that automatic updating is NOT an option, as this unwanted payload will be “updated” back onto the WordPress install each time.
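The posts above make a detection point that is easy to act on: a file that is always present but never looked at only stays unnoticed if nobody keeps a baseline of what it is supposed to contain. The following is an added example, not code from this thread or from WordPress, showing the minimal integrity check that catches the scenario described: hash every file under a plugins directory into a manifest, and later diff a fresh manifest against it to surface modified, added and removed files. The WordPress tree it walks is a constructed stand-in built in a temporary directory (the file contents are placeholders, not real plugin code); in a real deployment you would store the baseline off-host and compare against it on a schedule, or use the official checksums that WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums` commands check against.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files not in the baseline, and files that vanished.
    An 'added' .php file in a plugin directory, or a 'modified' hello.php on a site that
    never touches it, is exactly the kind of finding the thread above says goes unnoticed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a stand-in plugins tree, then tamper with it and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        (plugins / "akismet").mkdir(parents=True)
        # Placeholder contents; these are not the real plugin files.
        (plugins / "akismet" / "akismet.php").write_text("<?php // constructed stand-in\n")
        (plugins / "hello.php").write_text("<?php // constructed stand-in for Hello Dolly\n")

        baseline = build_manifest(plugins)  # what you would store after a clean install/update

        # Simulate the situation described in the thread: the unused file is overwritten,
        # and an unexpected file appears inside a plugin directory.
        (plugins / "hello.php").write_text("<?php // constructed: contents replaced\n")
        (plugins / "akismet" / "extra.php").write_text("<?php // constructed: unexpected new file\n")

        return diff_manifest(baseline, build_manifest(plugins))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

Because the diff works on relative paths, the same manifest format can be reused across hosts running the same release; a baseline taken right after `wp core update` (or a fresh download) is the natural point to capture it, which also means the files this thread objects to are at least accounted for even when they are not wanted.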

  • The topic ‘Is it time to remove Hello.php and Askimet from builds?’ is closed to new replies.