Cache Out

Everybody likes cache. Specifically, caching plugins like WP Super Cache and W3 Total Cache (W3TC), which help WordPress sites load faster by serving static HTML copies of pages instead of building each one dynamically on every request. And we know everybody loves them because they have been downloaded almost 6 million times. That’s a lot of cache.

BUT. Turns out? There’s a bit of a problem. According to Tony Perez, one half of WordPress security top dawgs Sucuri:

two of the biggest caching plugins in WordPress have what we would classify a very serious vulnerability – remote code execution (RCE), a.k.a., arbitrary code execution

Tony goes on to demonstrate that on a site running either plugin, a line of PHP dropped into a blog comment would actually execute on the server. As in, run. As in, that’s totally not supposed to happen. The root of it is the same in both plugins: the special tags they let page authors use to embed a bit of dynamic PHP inside an otherwise static cached page were also being honoured when they turned up in untrusted input, such as an anonymous comment.

The plugin authors responded fairly quickly to the news and released updated versions with a fix.

So! If you happen to have either of those plugins installed, get the lead out. Update. Now.

When you’re done, you can go back to wondering how these two mega-plugins BOTH shipped such a large hole in their code.

A Good Take on the Bots

This article on ZDNet makes some great points … namely that WordPress’ very ease-of-use is why it’s a security threat:

WordPress’ big selling point is ease of use. That means it has massive appeal right at the bottom end of the market.

Down at this level, even in 2013, websites are usually little more than static brochureware that gets updated rarely, if at all. With nothing to change, the sites’ owners don’t log into WordPress, so they don’t see the software upgrade notices. Or if they do, they don’t know what they mean.

This is where businesses are reluctant to spend even a thousand dollars on a site, so asking them to fork over more money for “maintenance” is a waste of time — what visible difference does it make?

Besides, they’ll say, they have someone who “takes care of” their website.

That someone is generally a “web designer”, not a developer. WordPress has been a boon for them. Its multitudinous free or cheap themes and plugins make it possible to build a decent website with plenty of functionality without having to dirty their hands with actual code. Or dirty their minds understanding it.

Forgive me, for I’m about to commit the sin of extrapolating from personal experience, but in nearly two decades, I have yet to encounter a “web designer” with halfway-decent security practices — by which I mean creating a different login for every human rather than a generic “admin” account, creating strong passwords, not reusing passwords, deleting unused accounts, and not blithely emailing a business’ master internet hosting password to any sub-contractor who might need momentary access.

Indeed, many of those I’ve encountered have deliberately set the WordPress admin password (or its equivalent in pre-WordPress days) to be exactly the same as their client’s hosting account master password, their domain registry password, the login on their PC, and everything else in sight to “make it easier” — because that gets rid of those annoying “I’ve lost my password” support calls.

WordPress is now the tool of choice for these people, and they’ve built millions of WordPress websites.

The WordPress SuperBot/BotNet attack has been getting a LOT of attention in the press, both tech media and regular ole’ normal-people media. The headlines range anywhere from the benign:

WordPress Hackers Exploit Username ‘Admin’

to the apocalyptic:

SWARMS of ZOMBIES unleashed on innocent bloggers

All hysterics aside, this story has been getting some serious traction. When Matt spoke out about it, it generated a whole new swarm of stories. It would be tedious to compile every article chronicling the attack, but below is an ongoing collection of the best:

Image: ZombieBots by MaskedRabbitCrafts

Matt weighs in on the SuperBot

All this talk about a SuperBot!

Here’s what WordPress’ fearless founder has to say about it:

Here’s what I would recommend: If you still use “admin” as a username on your blog, change it, use a strong password, if you’re on turn on two-factor authentication, and of course make sure you’re up-to-date on the latest version of WordPress. Do this and you’ll be ahead of 99% of sites out there and probably never have a problem.
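Matt’s advice is about closing the door; the other half of the job is noticing when the botnet is rattling it. The script below is an added example, not code from Matt, Sucuri or any plugin mentioned on this page. It walks Apache/nginx "combined" access-log lines (the sample lines are constructed, not a real capture) and flags any source address that racks up a burst of failed logins against wp-login.php. The heuristic is that stock WordPress answers a failed POST to wp-login.php by re-rendering the form with HTTP 200, while a successful login redirects (302) into wp-admin. One caveat a practitioner needs: the attempted username lives in the POST body, which an access log does not record, so this catches volume, not "admin" specifically; seeing which names are being guessed needs a login-failure hook inside WordPress or a plugin that writes one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not a real capture). 203.0.113.7 hammers the
# login form; 198.51.100.4 is a human who fails once and then gets in.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:00:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, ua;
    None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    """Failed login: POST to wp-login.php answered with the form again (200).
    A successful login is a 302 redirect into wp-admin, so it is excluded."""
    path = rec["path"].split("?", 1)[0]
    return (rec["method"] == "POST"
            and path.endswith("/wp-login.php")
            and rec["status"] == 200)


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> peak number of failed logins inside any sliding
    `window`, keeping only sources that reach `threshold`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, times in failures.items():
        times.sort()
        recent = deque()   # timestamps inside the current window
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed wp-login.php attempts inside one minute")
```

Run it against a real access log by reading the file into `find_bruteforce`; the one-failure human and the lone retry fifteen minutes later both stay under the threshold, while the six-in-ten-seconds burst is reported. If the site sits behind a reverse proxy or CDN, the first field will be the proxy’s address, so swap the `ip` capture for the forwarded-for header your log format records before trusting the per-source counts.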