Crazy April for the WordPress Platform

In case you haven’t been following the month of April has been a bit of a whirlwind for website owners, specifically those using the WordPress platform. The good news is it’s motivated me to start writing again, not so much here but on our company blog. That being said, let me get you caught up on what’s been going on.

Fortunately, it all started off with my presentation at WordCamp Miami, which was pretty awesome I might add.

It really kicked off with the big challenges presented by the apparent abuse of trust that came from the Social Media Widget plugin.

If you didn’t hear, the original developer of the plugin sold the rights to a marketing firm, who then outsourced it to a freelancer. That freelancer then took it upon himself to inject code into the core of the plugin, so when it was pushed to the repository and notified everyone of updates it injected everyone with the payload. Nasty, I know. Talk about taking all the fun out of hacking, boo for laziness, yay for ingenuity. The obvious downside here being the abuse of trust as I just stated, making you wonder what is being done to address that very apparent vulnerability. What do you think?

Then the middle of the month really kicked off with some awesome brute-force attacks.

It seemed to be well coordinated and kicked off by a public note from HostGator that got the entire community fired up, in a good way. For the longest time we have been talking about web-based brute force attacks, and many would argue that it was too unlikely because of the technological challenges involved, specifically network latency. I’d say this was a pretty good example of how little that really matters these days.

The interesting bit of it all was the scale of the attack, but then you started to see all this funny business by security professionals blowing their speculations out of their water. There is a big difference saying that there is a large scale brute force attack going on, something fundamentally different to say there is an attack and they’re aiming to do X, especially without tangible data to back it up. The good news is we were able to capture some good data during that week of attacks that made for an interesting report.

These issues did generate a lot of good content, two posts I particular liked were by Ipstenu and were on False Security and Two Factor Authentication. You should read them.

Then finally, as the month had not just whooped our behinds, two of the most popular caching plugins are found to have a very serious vulnerability that allows for Remote Command Execution (RCE).

What you didn’t hear most WAF companies say is that this attack was particular dangerous because of hard it is to track it, it was exploiting the commenting system built within WordPress and if you have spent any time looking at logs you know that those footprints, for comments, are very small. Regardless, the authors got praise for their response and the person disclosing got flack for disclosing the way he did, which was publicly. On that note, I do caution folks to be grateful he disclosed on the WordPress forums, had he gone underground or disclosed on other sources like SecLists it would have probably been blown out of proportion before it was ever fixed, making for somem sleepless nights.

All in all, as you might imagine, it was an interesting time for all.

Ah yes, be sure to tune in next week, I’ll be giving a live website security webinar with the folks over at ithemes on some of these things.

Leave a Comment