MediaTemple, WordPress, and attack vectors

WordPress has been mentioned a lot lately. Is this application specifically vulnerable?

No. WordPress is a high-quality project that updates its software whenever a security problem is found. The latest versions do not contain any vulnerabilities that we are aware of. If you are running an old version, please update. This is a common practice and should be familiar to any Windows or Mac OS X desktop user.

This being said, due to its ubiquity as one of the world’s most popular open-source publishing systems, WordPress is often the target of the payload, with code injections and backdoor entry points, after the attackers have maliciously gained access to a user’s website. The fact that WordPress is frequently a payload target DOES NOT mean that WordPress itself is vulnerable. It just means it’s popular and very powerful. You should continue to use it and we think it’s great software.

I couldn’t have said it better myself. Thanks MediaTemple.

Published by Andrew Nacin, lead developer of WordPress, living in Washington, D.C.

5 thoughts on “MediaTemple, WordPress, and attack vectors”

  1. Hello Andrew,
    I’m futre, a programmer from Italy and (I suppose) a WordPress expert.
    MT’s responses are not correct. I have two WordPress 3.0 installs on MT and both were hacked.

    They say:

    * Exploiting vulnerable, usually outdated, versions of web software.
    But it’s not outdated; it is the latest.
    * Exploiting vulnerabilities in the hosting infrastructure itself.
    And they say that MT is secure.
    * Harvesting credentials from web applications that are not properly secured.
    Uh? From where? What does it mean?

    Is the latest WordPress secure or not? Are MT (and other hosts) secure or not?
    It seems that nobody really knows what the problem is, and if you don’t know how a piece of software has been hacked, how can you say it’s secure?

    Just my 2 cents, but I really would like to know what’s happening.

    Best regards, futre.

    1. I can’t speak for MT at all. But I can tell you that there are no known vulnerabilities in WordPress 3.0, and that there has been no indication that any attack in the last six months on any hosting provider was the result of a vulnerability in 2.9.x or 3.0.

      It appears the majority of attack vectors were hosting infrastructure. I hope MT will diagnose, fix, and disclose any vulnerabilities in their infrastructure if that is indeed the case.

      I can’t validate the rest of MT’s statement. But I can vouch for what they said about WordPress, and I liked it enough to re-blog it.

  2. Thanks Andrew,
    As a result, nobody knows (or tells) what the cause of the attack was. It is also strange that only the major hosts in the USA were attacked; in Italy it sounds like nothing has happened.
    By the way, have a nice weekend.

    1. Sigh — one thing I certainly cannot do is speak for the intelligence of my fellow countrymen. 🙂 I would actually argue that it comes down to the sheer size and popularity of many U.S. hosts. The market is quite centralized on this side of the Atlantic.

      It’s not that no one knows, it’s that no one tells. Hopefully, hosts are discovering attack vectors in their infrastructure and working diligently to reduce them, and maybe later this year when this is all behind them, they’ll begin to talk. Not holding my breath, of course.
