Latest stable release of WordPress (3.3.1) can be easily hacked?

  • Hello,

    I had a discomfort situation when some of my sites running the latest stable WordPress release (3.3.1), without plugins and the default theme have been hacked.

    My web hosting provider assured me that there is no problem, although he didn’t gave me any hint of how the hack was archived.
    They just send me an FTP lop excerpt –exactly 1 line where the hacker uploads a file via FTP.

    I started a thread in a webhosting forum community and many people there stated that this is normal for WordPress even when the latest stable release (3.3.1) is running with no plugins and the default theme.

    I’m quoting one of the responses.

    Here is how WordPress works;

    1. install WP with Fantastico with no additional security = hacked
    2. install WP with Softaculous with no additional security = hacked
    3. install WP with Softatron with no additional security = hacked
    4. install WP with 75 free themes with no additional security = hacked
    5. install WP with tons of plugins with no additional security = hacked
    6. install WP with the default theme and no additional security = hacked

    It might sound extreme but it’s the reality. The one click installs offer no extra security and basically sets you up like site example #6. I’ve seen on secured WP installs about 300 attacks within 4 minutes that failed…so imagine on an unsecured site, 15 seconds and their in.

    Source

    Thread source

    Is it so easy?

Viewing 15 replies - 1 through 15 (of 21 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Is it so easy?

    *Takes a huge sip of coffee*

    As there are no known security exploits with WordPress 3.3.1 that’s just well, complete nonsense.

    However, I’m describing a stock WordPress installation. Plugins and themes have been exploitable in the past and running any exploitable code on your server makes the whole thing insecure.

    On top of that, some hosting companies simply do not get that shared environments (hosting) need to be isolated from each other and kept up to date with their patches.

    The ones that do not get basic security are walking horror shows and should be avoided.

    Thread Starter aloret

    (@aloret)

    Thanks for your reply Jan.

    Unfortunately the webhosting people don’t want to understand this…

    Unfortunately the webhosting people don’t want to understand this

    It’s true. Unfortunately, they don’t want to see/admit that these vulnerabilities are their own fault. I can’t even list how many hacks I’ve seen now over the years where WP was blamed over and over, and the folks with hacked sites were sent here to find answers… until eventually it was discovered that yes, it was the hosting providers fault.

    I would love for one of these hosting companies to actually provide any sort of proof of a WP vulnerability. Or to take the time to understand the exploits rather than spending so much time blaming WP.

    As @jan explained, plugins and themes can be poorly coded, and can be vulnerable. Old WP installs can also be vulnerable. But WP (current) itself has no known vulnerabilities.

    Have a look at https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    They said it way more gooder than I could have! Thanks @esmi!

    Gooder isn’t a word. Try using Better instead.

    Also – you sure you just werent using a dippy password like “password” or the default “pass”? with username “admin”

    Thread Starter aloret

    (@aloret)

    Also – you sure you just werent using a dippy password like “password” or the default “pass”? with username “admin”

    Hi gladwda,

    I’m always using random generated passwords with length >16 chars,digits,symbols

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Gooder isn’t a word. Try using Better instead.

    Better definitely would be gooder by alot and that’s a grate right up. ??

    Gooder isn’t a word. Try using Better instead

    Ah… and therein lies the joke eh! It’s subtle, I admit! ??

    Hi folks,
    I’ve not yet seen this behavior regarding WordPress 3.3.1
    Installed and fixed many hundred WordPress sites this year. And when I stepped into the crime scene it became fairly obvious how the site(s) were hacked (passwords, running 3.04, etc.).

    I’ve yet to see a new installation with standard plugins and proper password(s) hacked.

    So not really sure where the basis of this article comes from, other than possible fear mongering or frustration on the writers part.

    As for Securi article linked above, not really worth reading. I’ll sum it up in one phrase: “if you leave your spare key on the concrete under the fake rock near your front door do you really think you are fooling anyone…”

    That said, and respectfully speaking, just because I haven’t seen it does not mean it does not happen. Just saying…

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    *Opinions expressed do not reflect upon anyone else and are completely my own.*

    So not really sure where the basis of this article comes from, other than possible fear mongering or frustration on the writers part.

    My guess? Sheer intellectual laziness on the part of the person who wrote that original post on that other forum. Tossing stones is much easier than fixing problems.

    As for Securi article linked above, not really worth reading.

    That is so not true.

    WordPress has a perception issue regarding security. Suggesting that WordPress users read up about this topic combats the number one issue: a lack of understanding and education.

    That link (and others) is a good start. I hope the less informed WordPress users read that and ask themselves “What does it all mean?” because that can lead to people learning about this topic.

    There are many good places to get educated about this. As self-hosted users begin to get a better handle on it all, that leads to a better environment for all WordPress users.

    Here’s another good read too along the lines of not leaving your key under the door mat.

    https://www.studiopress.com/tips/wordpress-site-security.htm

    That said, and respectfully speaking, just because I haven’t seen it does not mean it does not happen. Just saying…

    I haven’t seen little Green Men from Mars either, but I’m not holding my breath. ;D

    There may be a not yet discovered vulnerability in any release of any software and WordPress is not an exception to that. As long as it is responsibly disclosed and reported then it remains a managed risk.

    *And Jan now relinquishes the soap box.*

    +1 link Jan, and must more relevant to the matter at hand. I’m a big fan of the Studiopress folks as well. Good peeps over there; a lot more security minded than many of the other theme vendors I’ve had to tangle with this year.

    It’s true. Unfortunately, they don’t want to see/admit that these vulnerabilities are their own fault. I can’t even list how many hacks I’ve seen now over the years where WP was blamed over and over, and the folks with hacked sites were sent here to find answers… until eventually it was discovered that yes, it was the hosting providers fault.

    I would love for one of these hosting companies to actually provide any sort of proof of a WP vulnerability. Or to take the time to understand the exploits rather than spending so much time blaming WP.

    Hey everyone. I’ve always visited here but never took the moment to say hello…HI!!!

    To answer this comment, I host a lot of WordPress sites and mainly focus on them from previous design jobs. I don’t take the time to blame WP, I take time to make it better. Almost like a cake…we don’t eat raw flour, or cups of sugar and so forth, but together it makes a nice cake. Just like what The Hack Repair Guy said…you leave a spare key by the door, expect your house to be broken in to….which is the same example I gave to aloret in the other thread.

    Now for aloret…all your currently doing is confusing people with your story, twisting your words bewteen different forums (while using my words to fuel your confusion), and not taking any responsibility for your own actions. Both forums have said the same things to you, so now I’m not sure if anyone knows what your point is. You even listed an article that supports what some of us have been saying to you. WordPress is great and like many great things comes negatives, so to think nothing will ever happen to you in unrealistic. All any of us have said to you, to users, to designers, to hosts, is to understand how it works and protect it instead of waiting for something bad to happen and point fingers at everyone in different forums.

    I can show logs of WP sites that get hammered by auto-hack type scripts and fail because the proper measures were taking. We can only go by what you wrote since none of us have seen your installation to prove that you did everything you could to keep hackers out and failed. How do we know your not one of the thousands of people that still use admin as a user name.

    Amen brotha!

    I’ve just been hacked on the latest WP, on a non shared web host. The hackers have taken down my site, sabotaged the comment notification emails that WP sends me, which links to a hate url, they have blocked my login to my WP admin AND hacked into my web host so i could not even log in to cpanel!!!
    My web host is currently doing a trace.
    But WordPress needs to know about this too. How do I tell “them”?

Viewing 15 replies - 1 through 15 (of 21 total)
  • The topic ‘Latest stable release of WordPress (3.3.1) can be easily hacked?’ is closed to new replies.