Cache Out

Everybody likes cache. Specifically, caching plugins like WP Super Cache and W3TC which help WordPress sites load faster by serving up static HTML versions of pages instead of dynamically loading them each time. And we know everybody loves them because they have been downloaded almost 6 million times. That’s a lot of cache.

BUT. Turns out? There’s a bit of a problem. According to Tony Perez, half of WordPress security Top Dawgs Sucuri:

two of the biggest caching plugins in WordPress have what we would classify as a very serious vulnerability – remote code execution (RCE), a.k.a., arbitrary code execution

Tony goes on to demonstrate how on sites running either plugin, a line (any line) of php code in the comments section would actually execute. As in, run. As in, that’s totally not supposed to happen.

The plugin authors responded fairly quickly to the news and released plugins with a fix.

So! If you happen to have either of those plugins installed, get the lead out. Update. Now.

When you’re done you can go back to wondering how these two mega-plugins BOTH missed such a considerably large hole in their code.

A Good Take on the Bots

This article on ZDNet makes some great points … namely that WordPress’ very ease-of-use is why it’s a security threat:

WordPress’ big selling point is ease of use. That means it has massive appeal right at the bottom end of the market.

Down at this level, even in 2013, websites are usually little more than static brochureware that gets updated rarely, if at all. With nothing to change, the sites’ owners don’t log into WordPress, so they don’t see the software upgrade notices. Or if they do, they don’t know what they mean.

This is where businesses are reluctant to spend even a thousand dollars on a site, so asking them to fork over more money for “maintenance” is a waste of time — what visible difference does it make?

Besides, they’ll say, they have someone who “takes care of” their website.

That someone is generally a “web designer”, not a developer. WordPress has been a boon for them. Its multitudinous free or cheap themes and plugins make it possible to build a decent website with plenty of functionality without having to dirty their hands with actual code. Or dirty their minds understanding it.

Forgive me, for I’m about to commit the sin of extrapolating from personal experience, but in nearly two decades, I have yet to encounter a “web designer” with halfway-decent security practices — by which I mean creating a different login for every human rather than a generic “admin” account, creating strong passwords, not reusing passwords, deleting unused accounts, and not blithely emailing a business’ master internet hosting password to any sub-contractor who might need momentary access.

Indeed, many of those I’ve encountered have deliberately set the WordPress admin password (or its equivalent in pre-WordPress days) to be exactly the same as their client’s hosting account master password, their domain registry password, the login on their PC, and everything else in sight to “make it easier” — because that gets rid of those annoying “I’ve lost my password” support calls.

WordPress is now the tool of choice for these people, and they’ve built millions of WordPress websites.

PREACH.

Source: http://www.zdnet.com/wordpress-attack-highlights-30-million-targets-7000014256/

WPMU wants U

In the era of free journalism, WordPress tutorial website WPMU is bucking the trend … they’re not only seeking writers, but they will pay said writers. Up to $500 a post. Well, $500 if it’s truly epic:

We’ll pay you:

Truly epic isn’t the most descriptive term, but the truly epic article they link to–Siobhan McKeown’s “Why You Should Never Search For Free WordPress Themes”–is pretty classic. And it has almost 18,000 incoming links. Which is also pretty epic.

They don’t just promise money, though, they’re offering fame too: They tout Siobhan’s recent acquisition by Audrey Capital as one of the reasons you should totally write for them. And hey … they do index well!

Image: WPMU offices in Melbourne.

SWARMS of ZOMBIES!!

The WordPress SuperBot/BotNet Attack has been getting a LOT of attention in the press, both tech media and regular ole’ normal-people media. The headlines range anywhere from the benign:

WordPress Hackers Exploit Username ‘Admin’

to the apocalyptic:

SWARMS of ZOMBIES unleashed on innocent bloggers

All hysterics aside, this story has been getting some serious traction. When Matt spoke out about it, it generated a whole new swarm of stories. It would be tedious to compile all the articles chronicling the hack, but below is an ongoing collection of the best:

Image: ZombieBots by MaskedRabbitCrafts

DROID.

WordPress is making good on its mobile app improvement promises! The new WordPress mobile app for Android is here! It’s for both WordPress.org and WordPress.com users and it’s a BIG update.

From the changelog:

It’s the big UI update!
* Action Bar added for easy access to common actions.
* Use the Menu Drawer to quickly navigate to other areas of the app. Just tap the arrow in the Action Bar or swipe to reveal the menu.
* Holo style used throughout the app.

There are new features, too!
* Use the ‘View Site’ feature to view and share content on your site.
* WordPress.com users can now view the web dashboard (wp-admin).
* The WordPress.com Reader now takes advantage of caching for faster loading.

Some reviews are reporting bugs in the update, but it’s too soon to tell if those concerns hold merit.

Screenshots from the WordPress app in the Google Play store

Image: WordPress and Android from compixels.com

Matt weighs in on the SuperBot

All this talk about a SuperBot!

Here’s what WordPress’ fearless founder has to say about it:

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.

http://ma.tt/2013/04/passwords-and-brute-force/

Pressgram has been funded!

Pressgram has been Kickstarted! John Saddington, WP Daily publisher and all-around entrepreneur, will receive more than $50,000 to put toward his Instagram-inspired brainchild.

Pressgram aims to be a photo-filtering app that will allow users to post their creations directly into WordPress, or share across various social networks.

In addition to the direct-to-WordPress option, the key difference between Pressgram and Instagram is in the content philosophy: Pressgram declares all photos are the sole property of the user.

The successful funding was a bit of a last-minute rally, as earlier this week WordPress co-founder Matt Mullenweg pulled his $10,000 pledge after realizing the project conflicted with his open-source ethos:

But the WordPress community supported the project nonetheless, with some offering their followers even more incentives if they made or upped their pledge.

With 6 hours left in the campaign, Pressgram is $2K over their funding goal.