
(BBC) Army of zombified computers no one's paying attention to attacks same (bbc.co.uk)
    More: Repeat, WordPress, home computers, botnets, network connections, DDoS, Host Gator  
10915 clicks; posted to Main on 15 Apr 2013 at 12:28 PM



Voting Results (Smartest)


Archived thread
2013-04-15 01:15:53 PM  
2 votes:
"Here's what I would recommend: If you still use 'admin' as a username on your blog, change it, use a strong password," wrote Wordpress founder Matt Mullenweg on his blog.

And here's what I recommend... if you're using WordPress to run a website, you're using the wrong tool for the job.  Use real CMS software, not blog software.

WP is used by people who started a blog, and then added a few pages to it.  Despite adding bells and whistles, the WP engine remains optimized for blogging, not for running a website.  If you use WP to run a website out of the gate, you're an idiot.  If you grew out of your blog and now have a website, then move out of your grandma's basement.
2013-04-15 12:37:02 PM  
2 votes:
www.tubecityonline.com
2013-04-15 03:53:43 PM  
1 votes:

JWideman: It isn't like a shell account. Compromising the admin account doesn't let you do any of those things. You can't even install plugins (which could be written to do the above of course) unless you're self-hosted AND have it set up so that plugins can be installed from the admin panel - which has to be done from the shell.


That used to be the case, but you've been able to install plugins from the admin interface for at least the last year or so. You can also upload a wide variety of media types that can then be made publicly accessible. I'm not sure if it disallows uploading certain file types, but if so I'm sure it could be overridden.

From what I've heard, they're mostly attacking self-hosted sites. It wouldn't surprise me if many people use a similar password for the admin account as they do for the hosting account (which would likely get them shell access, or at least the ability to upload arbitrary files).

What I think the real goal is, and I'm surprised the article never mentioned it, is to use the hacked blogs for blackhat SEO, linking to the sites the hackers want to have the Google juice.

Yeah, that's most likely. Still, there's no saying what they'd be able to do.
2013-04-15 03:51:46 PM  
1 votes:

Fark Me with a Chainsaw: Somaticasual: Wodan11: "Here's what I would recommend: If you still use 'admin' as a username on your blog, change it, use a strong password," wrote Wordpress founder Matt Mullenweg on his blog.

And here's what I recommend... if you're using WordPress to run a website, you're using the wrong tool for the job.  Use real CMS software, not blog software.

WP is used by people who started a blog, and then added a few pages to it.  Despite adding bells and whistles, the WP engine remains optimized for blogging, not for running a website.  If you use WP to run a website out of the gate, you're an idiot.  If you grew out of your blog and now have a website, then move out of your grandma's basement.

As a web developer, I think you're hanging onto an outdated view of WordPress. Yes, it started out a blog-only, and was disregarded for years because of it (by myself as well). But, it has blossomed into a blog-oriented CMS that's:

a) less clunky and faster than joomla
b) less unnecessarily complicated than drupal
c) less run by microsoft / faster than DotNetNuke
d) less out of its league than PHP-nuke's shadow-of-its-former-self, or any of the other small PHP CMS frameworks (IE Tiny, concrete, etc)

That's why it's being used to power millions of sites across the web. The only real downsides to it these days are the same security vulnerabilities and risk of being overused that come with its popularity.

I came here to say this, the original poster who dumped on WP hasn't used it lately, or to the degree that it's capable of handling.


thirded.

I prefer Joomla for my purposes but Wordpress, Drupal, and Joomla are all great platforms.  Do a search for "major sites that use xxx", where "xxx" is the name of the CMS, and you'll be surprised who is using what.
2013-04-15 03:23:47 PM  
1 votes:

heypete: To be fair, WordPress *is* popular and often runs on well-connected servers without significant outgoing port limitations. Abusing such systems to send out spam, attack other systems, etc. is somewhat troublesome.


It isn't like a shell account. Compromising the admin account doesn't let you do any of those things. You can't even install plugins (which could be written to do the above of course) unless you're self-hosted AND have it set up so that plugins can be installed from the admin panel - which has to be done from the shell. While the combination of not renaming the admin user while enabling admin panel plugin install does happen, it's not like every admin account hacked is going to give the attackers something they can do the above with.
What I think the real goal is, and I'm surprised the article never mentioned it, is to use the hacked blogs for blackhat SEO, linking to the sites the hackers want to have the Google juice.
2013-04-15 03:00:43 PM  
1 votes:

Somaticasual: Wodan11: "Here's what I would recommend: If you still use 'admin' as a username on your blog, change it, use a strong password," wrote Wordpress founder Matt Mullenweg on his blog.

And here's what I recommend... if you're using WordPress to run a website, you're using the wrong tool for the job.  Use real CMS software, not blog software.

WP is used by people who started a blog, and then added a few pages to it.  Despite adding bells and whistles, the WP engine remains optimized for blogging, not for running a website.  If you use WP to run a website out of the gate, you're an idiot.  If you grew out of your blog and now have a website, then move out of your grandma's basement.

As a web developer, I think you're hanging onto an outdated view of WordPress. Yes, it started out a blog-only, and was disregarded for years because of it (by myself as well). But, it has blossomed into a blog-oriented CMS that's:

a) less clunky and faster than joomla
b) less unnecessarily complicated than drupal
c) less run by microsoft / faster than DotNetNuke
d) less out of its league than PHP-nuke's shadow-of-its-former-self, or any of the other small PHP CMS frameworks (IE Tiny, concrete, etc)

That's why it's being used to power millions of sites across the web. The only real downsides to it these days are the same security vulnerabilities and risk of being overused that come with its popularity.


I came here to say this, the original poster who dumped on WP hasn't used it lately, or to the degree that it's capable of handling.
2013-04-15 02:57:48 PM  
1 votes:

Wodan11: "Here's what I would recommend: If you still use 'admin' as a username on your blog, change it, use a strong password," wrote Wordpress founder Matt Mullenweg on his blog.

And here's what I recommend... if you're using WordPress to run a website, you're using the wrong tool for the job.  Use real CMS software, not blog software.

WP is used by people who started a blog, and then added a few pages to it.  Despite adding bells and whistles, the WP engine remains optimized for blogging, not for running a website.  If you use WP to run a website out of the gate, you're an idiot.  If you grew out of your blog and now have a website, then move out of your grandma's basement.


As a web developer, I think you're hanging onto an outdated view of WordPress. Yes, it started out a blog-only, and was disregarded for years because of it (by myself as well). But, it has blossomed into a blog-oriented CMS that's:

a) less clunky and faster than joomla
b) less unnecessarily complicated than drupal
c) less run by microsoft / faster than DotNetNuke
d) less out of its league than PHP-nuke's shadow-of-its-former-self, or any of the other small PHP CMS frameworks (IE Tiny, concrete, etc)

That's why it's being used to power millions of sites across the web. The only real downsides to it these days are the same security vulnerabilities and risk of being overused that come with its popularity.
2013-04-15 02:38:49 PM  
1 votes:
That reminds me, maybe I should take a cue from Heisenberg's kid and start my own donation site. How does www.gettheonetruethedavidlotsofhookersandblowsohewillshutupandgoaway.com sound?
2013-04-15 12:58:21 PM  
1 votes:

My Yali or Yours: Just another backdoor security breach.


I've seen that movie.
2013-04-15 12:45:17 PM  
1 votes:
Hah! I cleaned up two Drupal sites over the holidays that were assumed to be WP sites. There were PHP trojans all over the place. Removed the offending files, tightened filesystem perms, and reinstalled the cores and modules. All good. The $$$ are awesome for emergency holiday work.
 
Displayed 10 of 10 comments



This thread is archived, and closed to new comments.
