
WordPress Community Vulnerable

See updated post: 1000 Blog Vulnerability Assessment

BlogSecurity incrementally harvested the WordPress software version from 50 blogs; the results were frightening to say the least.

The following statement was taken from WordPress: None of these [WordPress Versions] are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained.

Currently (at the time of writing this article) the latest stable versions are:

So now that we know where we should be, let's break down the versions of the 50 blogs we selected:

| WordPress version | Blogs |
| --- | --- |
| 1.2 | 2 |
| 1.2-beta | 2 |
| 1.2.1 | 3 |
| 1.2.2 | 4 |
| 1.5 | 7 |
| 1.5-gamma | 1 |
| 1.5.1.1 | 1 |
| 1.5.1.2 | 1 |
| 1.5.2 | 1 |
| 2.0 | 4 |
| 2.0.1 | 3 |
| 2.0.2 | 1 |
| 2.0.3 | 1 |
| 2.0.4 | 6 |
| 2.0.5 | 3 |
| 2.0.6 | 2 |
| 2.1 | 2 |
| 2.1.2 | 2 |
| 2.1.3 | 3 |
| 2.2 | 1 |
| Total | 50 |

In summary, out of the first 50 blogs we selected, 49 of them are potentially vulnerable to known attacks.
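The tally above is easy to reproduce, and doing so makes the policy explicit: a blog counts as safe only if it runs the latest release of a branch that still receives security fixes, and a pre-release build never counts. The script below is an added example, not code from the original post or from WordPress; the survey counts are copied from the table, and the maintained releases (2.0.10 and 2.2) are taken from the comment thread, since the post's own list did not survive. Version strings are compared as integer tuples, which matters because a plain string comparison would rank 2.0.9 above 2.0.10.

```python
import re
from collections import Counter

# Constructed from the table in the post: WordPress version -> number of blogs seen.
SURVEY = {
    "1.2": 2, "1.2-beta": 2, "1.2.1": 3, "1.2.2": 4,
    "1.5": 7, "1.5-gamma": 1, "1.5.1.1": 1, "1.5.1.2": 1, "1.5.2": 1,
    "2.0": 4, "2.0.1": 3, "2.0.2": 1, "2.0.3": 1, "2.0.4": 6,
    "2.0.5": 3, "2.0.6": 2,
    "2.1": 2, "2.1.2": 2, "2.1.3": 3,
    "2.2": 1,
}

# Assumption: the maintained releases when the post was written, as the comments
# state them (2.0.10 for the 2.0 branch, and 2.2). Keyed by branch ("major.minor").
MAINTAINED = {"2.0": "2.0.10", "2.2": "2.2"}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([a-z]+\d*))?$")


def parse_version(text):
    """Split '2.0.10' or '1.2-beta' into (numeric tuple, pre-release tag or None).

    Components are compared as integers so 2.0.10 sorts after 2.0.9; a string
    comparison would get that wrong. Trailing zeros after the branch are
    dropped so that '2.2.0' equals '2.2'.
    """
    match = VERSION_RE.match(text.strip().lower())
    if not match:
        raise ValueError(f"unrecognised WordPress version string: {text!r}")
    nums = [int(part) for part in match.group(1).split(".")]
    while len(nums) > 2 and nums[-1] == 0:
        nums.pop()
    return tuple(nums), match.group(2)


def branch_of(nums):
    """'major.minor' of a parsed version, e.g. (2, 0, 4) -> '2.0'."""
    return ".".join(str(n) for n in nums[:2])


def classify(text):
    """Return 'unmaintained', 'behind', 'current' or 'ahead' for one version string."""
    nums, prerelease = parse_version(text)
    latest = MAINTAINED.get(branch_of(nums))
    if latest is None:
        return "unmaintained"      # branch no longer receives security fixes
    latest_nums, _ = parse_version(latest)
    if prerelease or nums < latest_nums:
        return "behind"            # maintained branch, but not its latest release
    if nums == latest_nums:
        return "current"
    return "ahead"                 # newer than our table: the policy list needs updating


def is_supported(text):
    """Only the latest release of a maintained branch is considered safe."""
    return classify(text) == "current"


def tally(survey):
    """Count blogs per status across the survey."""
    counts = Counter()
    for version, blogs in survey.items():
        counts[classify(version)] += blogs
    return counts


def potentially_vulnerable(survey):
    """Everything that is not 'current' is potentially exposed to known issues."""
    return sum(n for status, n in tally(survey).items() if status != "current")


if __name__ == "__main__":
    for status, n in sorted(tally(SURVEY).items()):
        print(f"{status:>12}: {n}")
    print(f"potentially vulnerable: {potentially_vulnerable(SURVEY)} of {sum(SURVEY.values())}")
```

Running it reports 29 blogs on branches that no longer receive fixes, 20 on the maintained 2.0 branch but behind 2.0.10, and one current install, which is the post's 49 of 50. The "ahead" status is deliberate: when a version newer than the policy table turns up, the table is stale, and silently treating that install as safe or unsafe would both be wrong.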

Comments

There are some Wordpress blogs with patches applied manually without changing version number, but it’s true that most are just left vulnerable.

lpilorz, fair comment, but this in itself is bad as only versions 2.0 and 2.1 are actively maintained.

[...] Check out a recent survey of 50 WordPress blogs conducted at blogsecurity.net: http://blogsecurity.net/wordpress/articles/article-230507/ Can the Month of WordPress Bugs be far behind? Larry Seltzer, eWEEK.com Security Center [...]

[...] to this blog, the Wordpress community is vulnerable! Soon, a MoWB [1] [...]

[...] and Security BlogSecurity is reporting that a recent test showed 98% of Wordpress blogs are running on a version of the software with [...]

I run 2.1.3 currently — which, as I understand it, is the latest release of the 2.1 branch. So, given the statement quoted from WordPress, wouldn’t that mean that the 3 blogs listed as running 2.1.3 are also secure? It looks to me as if it should be 46 that are “potentially vulnerable to known attacks”.

Oops … so I finally got around to reading the 2.2 release comments (which is a bad sign) and noticed that the 2.2 release ended support for 2.1.x — so I retract my previous comment, sorry!

Isn’t this true of most software? If you queried phpBB or vBulletin, for example, many of those are still wide open. And few people have fully patched their windows machines. You provide a valuable service to the WordPress community; have you thought about an automated crawler that emails blog site owners?

[...] “Blog Security” has found that with a sampling of 50 blogs running Wordpress over 49 are vulnerable to known attacks! [...]

I think the biggest problem is upgrading. I have read the instructions on the WordPress site a few times for upgrading and they confuse the heck out of me because they over-complicate them. My friend explained what I had to do when I installed WordPress; he explained it in a way I understood. That site needs to make it foolproof, so instead of screwing up upgrading, I leave it alone, unless I can get my friend to help.

They need to make it easier to upgrade the wordpress blog, and I’m sure more people will upgrade, I know I would. I’m currently using 2.1.2, because I find the instructions way over my head, explain it better and I’m sure I would attempt it, I’m a novice user with web hosting.

What would be helpful is a version-by-version list of security vulnerabilities, so that we can determine whether our blogs use vulnerable functionality or not. If, for example, pingbacks are vulnerable, but I’ve disabled pingbacks, then I’d rather not upgrade and risk breaking something.

Version 2.2 was announced 9 days ago, as offering a lot of new features and bug fixes, but as far as I know, no security fixes. If you look at all the closed tickets after 2.2, there’s nothing tagged as security.

Version 2.1.3 was the last release that fixed a security problem. Based on this, it’s arguable that those 3 blogs running 2.1.3 are also secure until the first security fix comes out for 2.2.

When you say you “incrementally harvested the WordPress software version from 50 blogs”, what exactly does that mean? How did you obtain the version numbers from these blogs, and how did you go about selecting which ones you polled?

You do realize that WP 2.2 has only been out for *9* days, right?

There are too many questions to answer them all here. I will release another post shortly to try and answer them. I am excited to see ‘Blog Owners’ as part of the responses and asking questions; this is exactly what BlogSecurity is for.

Thank you all for your feedback.

[...] Using WordPress? To Be Safe, It Should Be 2.0.10 or 2.2…: But it probably isn’t (I have some work to do). [...]

Thanks for taking a look at this, I think this sort of data would be more useful to the community if there was a little more context. For example, where did you get the list of 50 blogs from? There are around 2-3 million WP blogs in the wild, is 50 a significant sample size or is more data needed?

[...] read an interesting article via Slashdot today on recently-launched BlogSecurity.net. The article claims the Wordpress [...]

Matt, I mentioned in my SecurityFocus interview that this approach is certainly not conclusive, but considering the WordPress downloads for v2.2 sat on 86,000 this afternoon in comparison with your figure (2-3 million WP blogs), my bet is on the results of this sample. I agree completely that a larger sample would have been ideal. I did not realise at the time how big this article would become, but I think it does point out the need for some alerting and response mechanism (by default).

When I upgraded to 2.1.2 it was such a disaster that I probably won’t upgrade again until I *have* to. So many things broke in the upgrade that it took me (novice with php & mysql) days to fix, and I never did get my old theme working.

People like me who just blog for our non-local families and friends don’t want to spend a ton of time fixing our sites – that’s why we use WP in the first place. I suppose I don’t really care if it’s vulnerable – there’s nothing mission-critical that I have to worry about losing.

The trouble is the upgrade process.

I have no problem actually doing the upgrade, but you would have thought that WordPress – a blog designed to be simple to install and use – would have a simple-to-use upgrade script. There are too many manual steps – I find it hard to be bothered and I have a computer science degree; the average “blogger” probably won’t either.

But anyway – I am not too sure on the methodology here. What were the 50 blogs you looked at, and how did you decide on those? I could just as easily find 100 mystery unnamed blogs running 2.2!

I’d really like to see more information to make this article more pertinent and less FUD-sounding. For instance:

* How blogs were selected
* Who hosts the blogs
* How blogs were installed (people installing from auto-install scripts are probably much less likely to update)
* How version information was collected

I appreciate any article that raises awareness of security issues, but I’d like more concrete information on the data itself and the actual security flaws present. As it stands, the article seems to insinuate, by claiming “frightening results”, everyone not using Wordpress 2.2 or 2.0.10 is risking imminent danger, which may not be the case.

I will say, regardless of the lack of information you’ve presented, as a result of this article, I’ll be reviewing the security updates available in 2.2, something I would not otherwise have done.

David Kierznowski, thanks for replying. 2.2 is currently being downloaded at the rate of 11k per day, but I don’t think that’s a good number to use because you don’t know what percentage of that is installs vs upgrades, and it’s also not taking into account people who use one-click installs and upgrades bundled with their hosts. I think because Fantastico doesn’t offer 2.2 yet that might be hindering the overall adoption, but that should be corrected within a few days.

Chris, I have briefly touched on a lot of the areas you are referring to in previous comments, but am surprised at the length of your comment when your own blog is running an older version. I hope to release an aftermath soon just to clarify some points and to put some minds at rest. Thanks.

As always, you do what needs to be done and you certainly did it this time :). Great site and a great find, keep it coming.

[...] BlogSecurity, brings up an interesting point about blogs, and security.  As vulnerabilities are found, patches are issued, but how does one educate the end user about these patches?  I recently found an old old site of mine which I had put up to test a shared hosting provider, defaced. The reason? A vulnerable version of wordpress.  I was able to patch the hole and fix the problem relatively easily, but what about joe blogger? He’s more passionate about politics than the blogging tool he uses, more than likely, he doesn’t even log in to the administrative interface, but uses a third party app to post to the blog. How do we let this person know that he’s vulnerable? Operating Systems have some version of “software update”. Desktop applications have a way of checking for “newer versions”, which can then help you decide if you want to upgrade or not.. but web based software normally doesn’t have anything like this. [...]

Seems like maybe what WordPress needs is the kind of widely know free hosting environment that blogger offers. Why would the typical end user run their own unpatched, down-level version of WordPress if they could get their blog hosted for free at wordpress.com anyway?

[...] read about this on BlogSecurity that the WordPress Community is Vulnerable. Of the 50 blogs they selected 49 of them were vulnerable to known security [...]

[...] version 2.2 has been released 9 days ago and according to here, it’s best to upgrade to prevent people from looking into our file server to discover nude [...]

[...] surveyed 50 WordPress blogs and found that in 49 out of 50 cases, the WordPress blog is not one of the currently maintained [...]

I said the same thing here:

A few words about the RISKS of WordPress 1.2, 1.5, 2.0 or anything less than 2.0.4

Here it is: If you are not running [the current version]: upgrade today! Based on exploits already published, available and used on the web, all of the work you’ve put into your blog could be lost.

Right now a large number of people have the knowledge to:
1. Erase any/all of your posts or comments.
2. Replace your admin password with one of their own choosing.
3. Replace files on your system including index.php.
4. Run commands against your database.
5. Grab any file with a known file name from your directory – even php files – even those with your database password.

What I would add is that even 2.1.3 sites are vulnerable to having their Admin password compromised. The only thing to do is upgrade.
Upgrade to WordPress 2.2 or have your Admin PW stolen

The reason people run older versions is because the wordpress upgrade is a nightmare and often breaks blogs. Even those of us who do upgrades on multiple blogs on a regular basis often hit one or two we just can’t make “right”.

This has been a major weakness of wordpress since I’ve been using it.

WordPress Community Vulnerable?…

BlogSecurity, “a site dedicated to providing useful and critical security information for the blog community”, noted the following today…

Aren’t I actually exactly the type of person who should be leaving such comments? The kind of person who should be interested in more facts behind the quick-n-dirty article as posted? I have a blog that, while new, already uses plugins and hacks that may conflict with a huge upgrade like 2.2. I am definitely interested in upgrading, but need more information to weigh upgrading versus time required and possible pain.

Don’t get me wrong – I’m glad you raised the issue, and think it’s important to discuss updating web apps in general, particular those as common as Wordpress and PHPBB. I just can’t help but feel it’s a little over-dramatic to claim frightening results with no information shared on exactly how serious the security flaws are in older versions. For instance, I only glanced at the Trac closed tickets for 2.2, but I only see one security-related entry, and it’s related to filtering admin-only input. I’m sure I missed something, and there’s probably flaws inherent to non-Wordpress-original projects like TinyMCE, but it just doesn’t seem to be as frightening a problem as the article claims.

I definitely look forward to more information, and will certainly be upgrading myself in the near future. Thanks for raising the issue, and for continuing the discussion.

[...] Vulnerable Posted by kdawson on Thursday May 24, @01:10PM from the somehow-not-a-surprise dept. WordPress Community Vulnerable 98% of WordPress Blogs [...]

[...] survey, published by security analyst David Kierznowski on Wednesday, found that only one of the 50 [...]

[...] I’m starting with a not very good one, though.. that’s how it is, what can you do… I don’t feel threatened in any way: – out of 50 WordPress blogs, 49 are “potentially vulnerable to known attacks”. Rather sad, what can I say…. but rosier days are in sight with newer versions… To [...]

Chris, I released a vulnerability in <= 2.1.3 and an SQL Injection flaw has also been addressed affecting <= 2.1.3. I have categorised the risks by version and plan to release it at the end of the weekend. Thanks for your passion Chris and your comments, hopefully my aftermath post will answer some of your other questions.

[...] BlogSecurity – WordPress Community Vulnerable. Filed under updates, wordpress and security. Tags: Updates, Security, Wordpress. [...]

[...] So there’s a bunch of vulnerabilities in older versions of wordpress. There are other reasons to upgrade besides security. [...]

In terms of ease of upgrade, I’ve found the following plugin to be a great timesaver.

http://www.zirona.com/software/wordpress-instant-upgrade

I’ve still got to nose around my site and fix up the odd broken thing, but it probably saves me about 10 minutes on each WP upgrade…and I’m running three sites at present!

[...] that attacks are underway to compromise the admin passwords of WordPress blogs.  Aaron cites a security survey by BlogSecurity that found vulnerable blogs in 49 out of 50 cases.  98% [...]

I’m curious to know if 2.0.10 installs which are deemed secure by WordPress were included in your 2.0.1 listing as I see no mentions of 2.0.10.

The “I’m Alive” Entry…

Things have been quiet around here in terms of entries so to keep things rolling here are a few interesting links I’ve discovered over the past few days . . .

Florian posted a comment over on the msn contact grab entry highlighting a warning error…

[...] alert: shortly before the anniversary, researcher David Kierznowski warned (via Slashdot) that 49 out of 50 WordPress systems installed on third-party servers (Chá, for example, is on WordPress’s own server) are [...]

[...] WordPress version survey was largely successful; it was released on both Slashdot and SecurityFocus which I am quite pleased [...]

[...] By Bob | May 28, 2007 After waiting a few weeks to see what possible trouble would emerge on blogs that upgraded to version 2.2, I was finally convinced to do the upgrade for bobmeetsworld.com. So far so good but if anyone finds a bug, please let me know so I can try and fix it. (fyi: My posts aren’t considered as bugs) It’s highly recommendable to upgrade if you are running any other version than WordPress 2.0.10 and WordPress 2.2 according to blogsecurity.com [...]

I’m glad the WP developers are still committed to providing security updates to the 2.0.X series, because just trying to upgrade to 2.1 caused my blog to crap all over itself. I have too many hard coded changes that upgrading isn’t an option right now. Thankfully the plugins I have already emulate most, if not all of WP 2.2’s features. But the Wordpress community needs to stop making this blogging platform so developer oriented. There are many of us that would have been happy enough to see it run smoothly on plain old PHP4, and we BARELY have a chance to enjoy the fruits of our labor with the developers all in a hurry to get from version 2.1 to a version in the double digits. God Almighty, slow the hell down and give us all a chance to breathe for crying out loud.

I think I was a little overly skeptical before – I see you’ve posted a vulnerability list for Wordpress and popular plugins with the intention of keeping it up to date. I appreciate the list, which prompted me to update Wordpress myself which, other than one mod_security-related bug, went without a hitch.
Thanks again for getting the word out, and I look forward to reading more about your survey data.

Chris, no problem champ, thanks for your continued support.

[...] times. Now that I’ve learned that anything but the most recent releases of WordPress are hideously insecure; I’ll probably perform an upgrade sometime later on [...]

[...] a somewhat related article, SecurityFocus also published a story based on a study by David Kierznowski. In the study, He found that only one in fifty WordPress blogs had been upgraded to the newest [...]

[...] you’re running WordPress 2.2 or 2.0.10, your blog is vulnerable! Aaron recently reacted to an unscientific survey with his own unscientific survey, finding that most blogs are behind on updating their [...]

[...] those wondering, here’s the survey linked in the [...]

[...] I just read over at BlogSecurity.com it seems that many users which host their blog independently from wordpress.com. Doesn’t [...]

[...] was a survey conducted that said that 49/50 Wordpress blogs are running old and vulnerable versions of the [...]

[...] can not say it but read what David Kierznowski says about it. His article is a few weeks old and he couldn’t know that WordPress 2.2 is not secure. [...]

[...] site dedicated to providing useful and critical security information for the blog community”, noted the following today: BlogSecurity incrementally harvested the WordPress software version from 50 blogs; the results [...]

[...] little while ago, we released the WP Vulnerability Survey. There were some ‘doubtful Tomas’ individuals, so we followed up on this article with [...]

[...] Just read my feed reader and found out that WordPress has a lot of weaknesses! BlogSecurity » WordPress Community Vulnerable. This is very frightening considering WordPress is the most popular web application right now. So [...]

Nice share, mate.

Wow, I didn’t know that WordPress has so many security problems.

An additional security issue may be all of the “readme” and “info” and other files left behind – not just for WordPress and all the plugins and templates, but other apps as well. I recently found in my server logs two strange bots from Chinese IPs that were actively looking for readme txt files. If a particular plugin or app version has a vulnerability, it certainly may be more effective to scan the txt files that could indicate versions.

Just to be on the safe side I remove all of the txt files, mods descriptions, etc from any web-accessible directory for my wordpress installs.
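The clean-up described in the comment above can be checked rather than done by hand. The script below is an added example, not code from the original post or from WordPress: it walks a web root, lists the informational files (readme, changelog, install, upgrade, license) that are served to anyone who asks for them, and pulls out the lines inside them that carry a version. The "Stable tag:" and "Version:" fields are the real WordPress plugin and theme header fields; the sample directory tree it builds is constructed for the demonstration and is not a real install.

```python
import os
import re
import shutil
import tempfile

# Informational files shipped with WordPress core, plugins and themes. They are
# static and world-readable, so they reveal the installed version over plain HTTP.
DISCLOSURE_RE = re.compile(
    r"^(readme|changelog|install|upgrade|license)(\.(txt|html|md))?$", re.IGNORECASE
)

# Lines that carry a version: "Stable tag:" (plugin readme.txt), "Version:"
# (plugin/theme headers) and the bare "Version 2.2" text of the core readme.html.
VERSION_LINE_RE = re.compile(r"(Stable tag|Version)\s*:?\s*(\d[\w.\-]*)", re.IGNORECASE)


def find_disclosure_files(webroot):
    """Return web-root-relative paths (using '/' separators) of informational files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            if DISCLOSURE_RE.match(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def version_hints(path):
    """Version-bearing lines from one file, as (field, value) pairs."""
    hints = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = VERSION_LINE_RE.search(line)
            if match:
                hints.append((match.group(1).lower(), match.group(2)))
    return hints


def audit(webroot):
    """Map each disclosure file under the web root to the version hints it leaks."""
    return {
        rel: version_hints(os.path.join(webroot, *rel.split("/")))
        for rel in find_disclosure_files(webroot)
    }


def build_sample_tree():
    """Constructed stand-in for a WordPress web root (not a real install)."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "readme.html": "<h1>WordPress</h1>\n<p>Version 2.2</p>\n",
        "index.php": "<?php require('./wp-blog-header.php'); ?>\n",
        "wp-content/plugins/example-plugin/readme.txt":
            "=== Example Plugin ===\nStable tag: 1.4\n",
        "wp-content/plugins/example-plugin/example-plugin.php":
            "<?php\n/*\nPlugin Name: Example\nVersion: 1.4\n*/\n",
        "wp-content/themes/example-theme/style.css":
            "/*\nTheme Name: Example\nVersion: 0.9\n*/\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel, hints in audit(root).items():
            print(f"{rel}: {hints or 'no version line found'}")
    finally:
        shutil.rmtree(root)
```

Only files matched by name are reported, so code and stylesheets the site needs to function (index.php, the plugin's own PHP file, the theme's style.css) are left alone even though the last two also carry a Version header; removing the readme files is the part that costs nothing. Point the audit at a real document root and anything it lists is a candidate for deletion or for a web-server rule that denies access to it.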

[...] ^ Blog Security | Survey Finds Most WordPress Blogs Vulnerable [...]
