Some thoughts on WordPress security and the recent shared hosting attacks

After being a guest on the ExplicitWeb podcast, recorded this afternoon, I noticed that I had been asked on Twitter for my thoughts on the current hacks on WordPress and other PHP sites. We didn’t dive into security, instead talking about WordPress 3.0, the development process, and how to contribute, but I wanted to address this very valid question, and in more than 140 characters.

As of this writing, there are no known exploits against WordPress 2.9.2. The malware circulating on various shared hosts appears to be indiscriminately infecting any and all PHP files, and there is no indication that the payload is being delivered through WordPress. Indeed, some of the affected accounts are not running WordPress at all, yet their PHP files are still being infected.

WordPress is incredibly secure, and we also take security very seriously. E-mail security@wordpress.org if you believe you have discovered a vulnerability. All indications are that these are server and hosting configuration issues. Network Solutions admitted the hacks infecting their users were their fault, while GoDaddy is demonstrating arrogant cluelessness.

WordPress is incredibly popular and used by millions, and thus is an obvious and very public target. But I wish to emphasize that there is a huge difference between an attack that exploits WordPress and an attack that merely targets WordPress. Many bloggers are lumping both together as “WordPress hacks,” even though none of the current attacks exploit WordPress directly, and other PHP applications are being infected too; WordPress just happens to be the most widely used.

The difference is significant. An attacker who has already gained access to the server can modify WordPress files or the database without exploiting WordPress itself; this is common simply because WordPress is installed on so many servers. Exploiting WordPress, by contrast, means using a bug or vulnerability in WordPress itself as the attack vector, which is quite rare, especially in recent versions. When a vulnerability is discovered, it is fixed quickly and an update is released. Keep up to date and always ensure you are running the latest version of WordPress, currently 2.9.2.
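Since the attacks described above rewrite PHP files on the server rather than going through WordPress, the practical check is file integrity, not a WordPress patch: compare the live install against a manifest of hashes taken from a pristine copy of the same version, and list any PHP file that is not in that manifest at all (a server-wide infection drops or rewrites PHP anywhere it can write, including upload directories). The Python below is an added example, not code from the original post or from the WordPress project; the manifest format, the function names, and the two-file sample tree it builds in a temporary directory are all assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file's bytes, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_hashes(root):
    """{posix-style relative path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def build_manifest(pristine_root):
    """Hash a known-good copy of the exact same WordPress version.

    The pristine copy must come from an untouched source (e.g. the official
    download), never from the possibly-infected server.
    """
    return _relative_hashes(pristine_root)


def audit_install(live_root, manifest):
    """Compare a live install against the manifest.

    Returns a dict of sorted lists:
      modified       - files present in the manifest whose hash differs
      missing        - manifest entries absent on disk
      unexpected_php - .php files on disk that the manifest never listed
    """
    on_disk = _relative_hashes(live_root)
    modified = sorted(f for f, h in on_disk.items()
                      if f in manifest and manifest[f] != h)
    missing = sorted(f for f in manifest if f not in on_disk)
    unexpected_php = sorted(f for f in on_disk
                            if f not in manifest and f.lower().endswith(".php"))
    return {"modified": modified, "missing": missing, "unexpected_php": unexpected_php}


def demo():
    """Constructed fixture: a two-file 'pristine' tree and a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp) / "pristine"
        live = Path(tmp) / "live"
        for base in (pristine, live):
            (base / "wp-includes").mkdir(parents=True)
            (base / "wp-includes" / "version.php").write_text("<?php $wp_version = '2.9.2';\n")
            (base / "wp-includes" / "load.php").write_text("<?php // loader\n")
        manifest = build_manifest(pristine)

        # Simulate an infection that prepends code to an existing core file
        # (a constructed marker, not a real payload).
        injected = live / "wp-includes" / "load.php"
        injected.write_text("<?php /* injected marker */\n" + injected.read_text())

        # Simulate a dropped file in a directory the web server can write to.
        (live / "wp-content" / "uploads").mkdir(parents=True)
        (live / "wp-content" / "uploads" / "dropped.php").write_text("<?php // dropped\n")

        return audit_install(live, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest only covers files that exist in the pristine tree, so wp-config.php, themes and plugins you installed yourself will show up under `unexpected_php` and need their own known-good copies. A clean result from this check also says nothing about the database or about files outside the WordPress directory, both of which the same server-level compromise can reach.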

Published by Andrew Nacin, lead developer of WordPress, living in Washington, D.C.

7 thoughts on “Some thoughts on WordPress security and the recent shared hosting attacks”

  1. > WordPress is incredibly secure, and we also take security very seriously.

    You wish 😀 WP has had countless issues with security over the years and will continue to do so; how can you state security is taken seriously? As a PHP developer I have looked at WP and what a -beep- mess it is.

    > WordPress is incredibly popular and used by millions, and thus is an obvious and
    > very public target.

    Only because it is free, which is not a bad thing – I’m all for open source myself – but it should be managed and maintained professionally. Can you honestly say that without a smirk?

    Yes… I expect my comment will promptly be removed by the way, sorry for denting your ego 😉

  2. [big WP fan here and recently victim to one of these attacks on two blogs]

    As I learned working for Microsoft, the fact that the security problem originates somewhere else often doesn’t matter. WordPress is the big thing people can point their fingers at. So those other security issues that happen to impact WP blogs become WP’s problem. IMO Automattic/WP need to do more to understand and explain these attacks asap.

    Sadly, the truth often doesn’t matter. Perceptions are the reality.

  3. I’d like to know more about *why* WP is badly written from a coder’s point of view. Not just a slur but some genuine analysis.

    Yes, I agree that the management or direction of WP is frustratingly patchy, and what is a good product could be really great, but the owner either does not seem to care or has ADHD.

    I mean, what the hell is going on with BBpress and Buddypress?
