• The LiteSpeed Cache plugin became the target of hackers’ attacks in May 2024, and after three months it became their target again in August 2024. I must say that this plugin is too vulnerable to hacking. The LiteSpeed development team should stop developing it immediately. Instead, they should implement the caching functions directly in the LiteSpeed Server so that it can be updated by hosting companies when security issues arise. The LiteSpeed people do not seem to know how much time and money is wasted updating the LiteSpeed Cache plugin when security issues arise; there are hundreds of WordPress websites where I have to update this plugin one by one, manually. I am seriously considering switching to another caching plugin. Once is okay, but twice is unbearable. Three times will be out of the question. Security issues mean that if a hacker finds your website with a vulnerable version of this plugin before you update it, he may take over your account in a few minutes and do whatever he wants with it, like creating his own websites, namely phishing sites, and you may get arrested instead of the true culprit.

    • This topic was modified 2 months, 3 weeks ago by Trinary Star.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support qtwrk

    (@qtwrk)

    Hi,

    We apologize for the inconvenience.

    Certainly nobody wants this; we wholeheartedly want everything to be perfect, but unfortunately, as with any piece of software, it can have bugs, security vulnerabilities and all kinds of other issues.

    We released a new version with the fix about a week before the vulnerability was published.

    We also have server-side plugins for WHM/cPanel, Plesk and DirectAdmin (which are used by the majority of hosting providers who run LiteSpeed WebServer) to mass-update/enable/disable the plugin on the sites they host.

    For end users themselves, it is possible to update multiple sites as well, for example by enabling auto-updates from WordPress, or by running WP-CLI in bulk across all sites.

    Besides the plugin update, we have also published a blog post with a number of methods to block this exploit from the server side, including a server-wide RewriteRule, Mod_Security rules, and a new LiteSpeed WebServer release with a built-in block for this exploit.

    And again, we sincerely apologize for this.

    Best regards,
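The "run WP-CLI in bulk across all sites" approach qtwrk mentions above, written out as an added example; this is not code from the thread, from LiteSpeed or from WP-CLI's own docs. It assumes WP-CLI is on PATH as `wp` (the `WP` variable overrides that), that the shell account can read every site directory, and that a text file lists one WordPress root directory per line. The function names (`version_lt`, `installed_version`, `bulk_update_plugin`) are this example's own, and the `6.4` in the usage line is a placeholder for whatever minimum version an advisory names, not a claim about which release carried a fix.

```shell
#!/usr/bin/env bash
# Added example, not LiteSpeed's or the thread's own code: check one plugin's
# installed version across many WordPress sites and update only the sites that
# are still below a minimum (fixed) version, printing an inventory as it goes.
# Assumptions: WP-CLI is on PATH as "wp" (override with the WP variable), the
# shell account can read every site directory, and a text file lists one
# WordPress root directory per line.
set -u

WP="${WP:-wp}"

# version_lt A B: succeed when version A sorts strictly before version B
# (uses sort -V so 5.4 < 6.4 and 6.4 < 6.4.1).
version_lt() {
  [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# installed_version SITE_DIR PLUGIN_SLUG: print the installed version, or
# nothing when the plugin is not installed (WP-CLI exits non-zero then).
installed_version() {
  "$WP" --path="$1" plugin get "$2" --field=version 2>/dev/null || true
}

# bulk_update_plugin SITES_FILE PLUGIN_SLUG MIN_VERSION
# Prints one status line per site so the run can be logged and reviewed:
#   <dir> updated <old> -> <new> | ok <ver> | not-installed |
#   update-failed <ver> | missing wp-config.php
bulk_update_plugin() {
  local sites_file="$1" plugin="$2" min="$3" site before after
  while IFS= read -r site; do
    [ -z "$site" ] && continue
    if [ ! -f "$site/wp-config.php" ]; then
      echo "$site missing wp-config.php"
      continue
    fi
    before="$(installed_version "$site" "$plugin")"
    if [ -z "$before" ]; then
      echo "$site not-installed"
      continue
    fi
    if version_lt "$before" "$min"; then
      # Only sites below the minimum version get touched; everything else is
      # reported as ok, so the output doubles as a vulnerable-version inventory.
      if "$WP" --path="$site" plugin update "$plugin" >/dev/null 2>&1; then
        after="$(installed_version "$site" "$plugin")"
        echo "$site updated $before -> $after"
      else
        echo "$site update-failed $before"
      fi
    else
      echo "$site ok $before"
    fi
  done < "$sites_file"
}

# Usage (6.4 is a placeholder minimum version, not a statement about any
# particular LiteSpeed Cache release):
#   ./bulk-update.sh sites.txt litespeed-cache 6.4
if [ "$#" -eq 3 ]; then
  bulk_update_plugin "$1" "$2" "$3"
fi
```

The script reports "update-failed" rather than aborting, which is what you want on a fleet: a site whose plugin directory is no longer writable or whose files no longer match the package (the situation Trinary Star describes later in this thread, where an update and even a delete both failed) is exactly the one to look at by hand, and the output line points you at it. WP-CLI also has `wp plugin auto-updates enable <slug>` for the auto-update route qtwrk mentions; that could be run through the same per-site loop.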

    Thread Starter Trinary Star

    (@trinary-star)

    That was a quick response. One of the hosting companies I use applied the latest LiteSpeed Cache update across their entire network. I think that was a good decision. But then I had to go through all of my WordPress sites checking everything, because this caused compatibility issues (plus other issues which cannot be disclosed here), since the update was applied to sites on WordPress 4.8.x or earlier as well. If you were going to fix vulnerabilities, you should have fixed them in all your previous versions of LiteSpeed Cache, for all the previously compatible versions of WordPress, namely WordPress 3.3 or later. In other words, sites running on WordPress 3.3 to 4.8.x were left to die because you did not care about them. After careful consideration, I deleted the LiteSpeed Cache plugin from many of my WordPress sites.

    Plugin Support qtwrk

    (@qtwrk)

    I don’t think the WordPress plugin system allows that, i.e. maintaining multiple release branches with minor patches the way WordPress core does; at least I have never seen any plugin do it that way.

    As things move forward, there are certain functions or code for which we cannot maintain compatibility with older WordPress versions. We also have a blog post explaining manual configurations to block the exploit if updating the plugin is not possible.

    Even the WP release page states: “Only the most recent in the 6.6 series is safe to use and actively maintained.”

    We are sorry to see you go, and wish you all the best.

    Thread Starter Trinary Star

    (@trinary-star)

    In the meantime, I found one that had been tampered with, because the site did not show. The LiteSpeed Cache version was 5.4, so it had not been updated despite expectations. So I tried to update it but failed. Then I tried to delete it, but I could not. Then I found funny directories in the WordPress install, and I investigated them. Those directories were the reason that website did not show. More precisely, their content was compatible with the latest WordPress 6.6.1 but not with WordPress 4.9.x or earlier. That is how I managed to find that that website had been tampered with. If it had been running on WordPress 6.6.1, I am quite sure that I would not have been able to find that it had been hacked. The latest version of WordPress is the safest? That depends. Please do not blame me for something like that. I have been running websites for a quarter century. Maybe you could have given me that sort of advice a quarter century ago, or even better half a century ago for that matter. Then I might have learned a thing or two.

    By the way, that was a poor excuse. You could have developed a patch for all older versions and a special installer for that patch. But you just did not do it and decided to leave older websites to die. Since this security issue was so extremely serious, you should have expended all your resources to avoid all the contingencies it might cause. You should not have open-sourced this plugin in the first place, as I wrote earlier. It should have been part of the LiteSpeed server software and undisclosed to the public. Then it would be much safer, at least safer than using the latest version of WordPress, maybe.

    Plugin Support qtwrk

    (@qtwrk)

    I am not blaming you, giving you advice or anything; I take it that you are a very experienced and skilled site admin, much more so than me.

    I understand that for whatever reason (I’m sure it must be a good reason) you have to stick to certain older WordPress versions, which makes you unable to upgrade everything to the latest version, but one way or another, sooner or later, it could be another plugin, theme, WordPress itself or the server software that ends up in a similar situation.

    I am not saying the latest version is the safest; that was just a quote from the WordPress release page and how it encourages staying up to date.

    I am sorry you feel that way. Admittedly, we don’t have the manpower and resources to cover everything, and even what you describe would still require manual intervention from the user, or installing something by the user. We have already posted measures for site owners to cover that, as well as for hosting providers to protect against it at the server level.

    Not only for us, but for many developers/companies, it is impractical or unrealistic to maintain and patch all versions. For example, the famous Windows XP/7/8, among much other software, are still running around and are now “left-to-die” software with no further support.

    WordPress is GPL licensed, so the derivative work (in our case, the plugin) inherits the GPL license as well and has to be open-sourced.

    It might be “safer” in some sense to be closed-source, but it could also put up a barrier for security researchers to check, review and test it, and reduce the chance of them helping us to secure it.

    And on the other hand, the spirit of open source is what makes WordPress a success, or at least a major part of it.
