# Fiberhub Website has been infected....



## Munzy (Jan 24, 2016)

Seems the fiberhub website has been infected.


https://sitecheck.sucuri.net/results/fiberhub.com


The code being executed: http://pastebin.com/raw/se8cx1Pi


Backup copy: https://git.enjen.net/snippets/3/raw


How it is being executed:





Code: https://git.enjen.net/snippets/4/raw





What it is doing is redirecting to a "video streaming site", and probably more but I am not sure of what yet.
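As an added example (not code from this thread, from Fiberhub, or from Sucuri), here is a small Python scanner for the kind of injected redirector described above: it parses a page and flags inline scripts that assign to `location`, eval/unescape-wrapped script bodies, off-site script sources that are not on an allowlist, and meta-refresh redirects to another host. The sample HTML, the host names and the allowlist are constructed for the example.

```python
"""Flag injected redirect scripts in an HTML page (constructed example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Direct location changes, the usual payload of a JS redirector.
REDIRECT_RE = re.compile(
    r"\b(?:window|document|top|self)\.location\b|\blocation\.(?:href|replace|assign)\b",
    re.I,
)
# eval/unescape wrappers and long percent- or hex-escape runs used to hide the payload.
OBFUSCATION_RE = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}",
    re.I,
)


class ScriptCollector(HTMLParser):
    """Collect <script> tags (src or inline body) and <meta http-equiv=refresh> contents."""

    def __init__(self):
        super().__init__()
        self.scripts = []       # list of (src or None, inline body)
        self.meta_refresh = []  # content attributes of refresh meta tags
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._src, self._buf = True, a.get("src"), []
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_html(html, site_host, allowed_hosts=()):
    """Return (kind, detail) findings for a page served from site_host."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    allowed = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for src, body in p.scripts:
        if src:
            # A relative src has no host; absolute or protocol-relative src does.
            if _host(src) and _host(src) not in allowed:
                findings.append(("external_script", src))
            continue
        if REDIRECT_RE.search(body):
            findings.append(("inline_redirect", body.strip()[:80]))
        if OBFUSCATION_RE.search(body):
            findings.append(("obfuscated_inline", body.strip()[:80]))
    for content in p.meta_refresh:
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", content, re.I)
        if m and _host(m.group(1)) and _host(m.group(1)) not in allowed:
            findings.append(("meta_refresh", m.group(1)))
    return findings


# Constructed page: legitimate theme/CDN scripts plus three injected elements
# (the .invalid and .test host names are placeholders, not real sites).
SAMPLE_HTML = """<!doctype html>
<html><head><title>Host Co</title>
<meta http-equiv="refresh" content="0;url=http://stream-lure.invalid/watch">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example-partner.test/analytics.js"></script>
</head><body>
<h1>Welcome</h1>
<script>var theme = {sliders: 3}; console.log(theme.sliders);</script>
<script>window.location = "http://stream-lure.invalid/";</script>
<script>eval(unescape("%68%65%6c%6c%6f%20%77%6f%72%6c%64"));</script>
</body></html>
"""


def demo():
    """Scan the sample page with the partner CDN allowlisted."""
    return scan_html(SAMPLE_HTML, "www.hostco.test", allowed_hosts=("cdn.example-partner.test",))


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:18} {detail}")
```

Run it over the theme and plugin files of a site (or a saved copy of a served page) and review every finding by hand; an allowlist of the hosts the site legitimately loads scripts from keeps the noise down.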


----------



## Munzy (Jan 24, 2016)

I have also taken the liberty of contacting Pastebin and requesting they take down the code as well as putting a ticket in with fiberhub themselves.


----------



## HalfEatenPie (Jan 24, 2016)

*wow thanks for stealing my thunder!  I told you on skype! /s*


Haha just kidding.  But yep.  Contacted Fiberhub team, their response was:



> Hello,
> 
> 
> Thanks for letting us know. Our admin team are already working on the issue.
> ...



They're already on the case!


----------



## DomainBop (Jan 24, 2016)

details: http://kb.sucuri.net/malware/signatures/js.redirect


FYI, UltraVPS.com and VPEasy.com are clean


----------



## Licensecart (Jan 24, 2016)

Nice find, but am I surprised? No. Why? They are using Wordpress.


----------



## Munzy (Jan 24, 2016)

Licensecart said:


> Nice find, but am I surprised? No. Why? They are using Wordpress.



The fact of the matter is Wordpress is not the problem. Poorly written themes / plugins are the problem. Unlike, for example, SolusVM...


----------



## Licensecart (Jan 24, 2016)

Munzy said:


> The fact of the matter is Wordpress is not the problem. Poorly written themes / plugins are the problem. Unlike, for example, SolusVM...



True, but they are getting updates for the core and their lack of security as they patch up so much. But it's free. SolusVM had a full audit back in 2013, I believe.


----------



## Hxxx (Jan 24, 2016)

Title should be updated to only reflect the website in question and not fiberhub as a whole.


Also, if you reported this to Fiberhub, I fail to see the purpose of this thread; some bad PR maybe?


----------



## Licensecart (Jan 24, 2016)

Hxxx said:


> Title should be updated to only reflect the website in question and not fiberhub as a whole.
> 
> 
> Also, if you reported this to Fiberhub, I fail to see the purpose of this thread; some bad PR maybe?



Alerting any customers who may visit (or have visited) their website and get sent elsewhere.


----------



## HalfEatenPie (Jan 24, 2016)

Licensecart said:


> True, but they are getting updates for the core and their lack of security as they patch up so much. But it's free. SolusVM had a full audit back in 2013, I believe.



Haha personally I'm fine with Wordpress.  The biggest issue with wordpress is the poopily coded themes or plugins with the vulnerabilities.  It's one of those systems where people focus more on the "final result" rather than the journey to get there (e.g. they care more about the end theme than about what resources they use and how they code the final theme).  Therefore, it frequently has vulnerabilities from the themes or the plugins.


Remember that Wordpress has millions if not more people using their software, whereas SolusVM is probably a few thousand, if even.  Wordpress code is also used in enterprise deployments, and more than likely has been looked over and is constantly being reported on to fix.  I doubt SolusVM can afford that level of scrutiny.  Remember one go-through/audit of the code can still miss some crucial bugs.


As long as you use common sense, proper security measures (maybe even fiddling with permissions more), and constantly update/patch, you should be fine.  The only reason Wordpress is such a major target is because of its large deployment.  Kind of like casting out the biggest net you have and seeing what hits.  It's to be expected.


But that was me simply complaining about wordpress.  Yarr.  



Hxxx said:


> Title should be updated to only reflect the website in question and not fiberhub as a whole.
> 
> 
> Also, if you reported this to Fiberhub, I fail to see the purpose of this thread; some bad PR maybe?



Title changed to add "website" to make sure we're stating it's just the website.  Thanks!


----------



## graeme (Jan 24, 2016)

HalfEatenPie said:


> Haha personally I'm fine with Wordpress.  The biggest issue with wordpress is the poopily coded themes or plugins with the vulnerabilities.



The main reason people use Wordpress is because it has all those themes and plugins. If you limit yourself to just Wordpress and a handful of plugins and themes you know are well coded then you cannot use it for a lot of the sites it is used for.
 



HalfEatenPie said:


> The only reason Wordpress is such a major target is because of its large deployment.  Kind of like casting out the biggest net you have and seeing what hits.  It's to be expected.



The Windows excuse. The number of attacks and vulnerabilities found seems disproportionate to even taking wide use into account. In any case, why use something you know will be a target?


----------



## Licensecart (Jan 25, 2016)

graeme said:


> The main reason people use Wordpress is because it has all those themes and plugins. If you limit yourself to just Wordpress and a handful of plugins and themes you know are well coded then you cannot use it for a lot of the sites it is used for.
> 
> 
> 
> The Windows excuse. The number of attacks and vulnerabilities found seems disproportionate to even taking wide use into account. In any case, why use something you know will be a target?



Good post, but that's the same "everyone uses what's popular"; they don't care about "security". WHMCS had 2 of the biggest exploits in history in 2013, because of their lack of coding experience. But they are still popular and I can't visit one webhost without seeing that. I don't use any security passwords on any company I use which uses WHMCS, simply in case they get attacked, so I don't have to worry about the important bits in my business. The other bad thing which is popular is vBulletin forums, which seem to be poorly coded; not sure about security attacks lately, but their vB5 is so crap people have finally seen the light and moved to IPB or Xenforo. Suppose it's life; popular things rank higher than security.


----------



## HalfEatenPie (Jan 25, 2016)

graeme said:


> The main reason people use Wordpress is because it has all those themes and plugins. If you limit yourself to just Wordpress and a handful of plugins and themes you know are well coded then you cannot use it for a lot of the sites it is used for.
> 
> 
> 
> The Windows excuse. The number of attacks and vulnerabilities found seems disproportionate to even taking wide use into account. In any case, why use something you know will be a target?



Point 1: This depends on the intended use and purpose of the Wordpress software.  You might be shocked to hear that Wordpress was originally built to be a blogging platform.  It simply has pretty good CMS features included as well (as well as the admin panel being really straightforward).  Additional plugins and themes simply modify these experiences to whichever specific need you have.  However, there are different software available for different purposes.  I don't think you understand that InfoSec is very very behind actual development right now, so there's no 100% guaranteed no-vulnerability software available.  However, you can minimize this by taking proper actions, such as updating all software regularly and setting up proper permissions.  This would include using a piece of software for its intended purpose, not as a bloated CMS + Podcast + RSS Feed Aggregator + Theme with 200 sliders and a dynamic widget importing Facebook likes.


There's nothing wrong with Wordpress being so popular because of their numerous themes and plugins; however, with popularity (and having such a large ecosystem) comes more developers and designers wanting to cash in/develop within that ecosystem.  This means a high possibility of poorly coded themes/plugins.  Simply all I'm saying is use the software for what it's intended for.  If you have other needs, look into an alternative or maybe look in-depth at what you're installing.  If you're still willing to take the risk then go for it.  However, all I was stating before was that Wordpress the software itself is fine and isn't like Swiss cheese.  It's the plugins and the themes that are usually vulnerable.


Point 2: I don't see why you'd call it a Windows excuse.  It's not an excuse for anything.  It's not trying to prove anything.  It simply states that because it has such a large deployment, those who want to exploit it have the advantage of "reusing" their code to try and hit multiple deployments at once.  It's simply common sense.  Fish in a bigger pool with more fish.


The bottom line is this.  In a theoretical perfect world, everything would be properly maintained, and software would be coded with the highest standards to minimize potential security vulnerabilities and maximize efficiency.  However, in the real world this isn't very true.  There is no single "most optimized" method in anything.  Even in science and engineering, no single model is correct and each has different strengths and weaknesses.  The way Linux is working right now, it's not very simple and straightforward.  It's not very user friendly.  I mean it's gotten much much better, but it's not the most user friendly operating system that someone who isn't a power user would have an easy time working on.  Windows and Mac are considered easier to use and work on, especially since more people are familiar with them as well as having more resources available.


There's no commonly accepted standard.  There have been initiatives to adopt a common standard, however if one person doesn't adopt then that's that.  The ability to communicate between a Windows environment and a Linux environment isn't that easy and very frequently requires a complex setup to do it properly.  For example, Microsoft Word uses docx standardized filetype for their word documents whereas OpenOffice/LibreOffice use odt.  odt is an open standard as well as docx being another open standard.  However, both pieces of software operate within a different ecosystem and (in the end) "convert" each file format to be readable in their native system.  If all the systems worked within the same standard, then it would be fine.  However, the effect of this is a different end user experience (another example could be the different web browsers using different rendering engines).


Geeze I use the word however a ton.  In the end, the reason I use Windows is simply because my workplace uses it, and moving files and information between each operating system doesn't 100% work properly.  Windows by itself is a very stable and good operating system.  Similar to Linux, the largest vulnerability is usually the end user being a total idiot and not knowing what they're doing.  Just like what I said about Wordpress, you can't blame the software for being "bad" and "vulnerable" if it's usually the decision making of the end user that opens it up to such vulnerabilities.


*tldr:* Wordpress is coded fine.  It's usually the end user (decision maker) that installs vulnerable themes and plugins that sucks.  Just like how Windows is coded fine.  It's usually the end user (the decision maker) that installs vulnerable software and goes to questionable websites that sucks.  Don't blame the software for a person's stupidity.


----------



## drmike (Jan 25, 2016)

Zero way for the end user / customer of WordPress to determine what is malware, what is coded poorly, etc.   In fact WordPress is targeted at know-nothings who don't want a CompSci degree to launch their website, put out a brochure for a new product, etc.


"WordPress.com is the easiest way to create a free website or blog."


Easy + free, what could go wrong?  I mean it's about as problematic as easy + cheap as an industry segment we all know.


WordPress needs to A. Die or B. get to auditing official on-site submitted apps / plugins to weed out / police potential issues... cause a WP security issue is just that.  No one says WP is exempt, it was some stupid plugin author.   Lord knows, there have been many intentional malware packages pushed through the official plugin channel for WP that went undetected for years.


----------



## Munzy (Jan 25, 2016)

Hxxx said:


> Title should be updated to only reflect the website in question and not fiberhub as a whole.
> 
> 
> Also, if you reported this to Fiberhub, I fail to see the purpose of this thread; some bad PR maybe?





Just wanted to post that there was a hack of their website. No bad PR intended. I took a look at the code lightly and didn't notice anything worse than a redirector. However, it was injected into the code and could possibly have taken data. As such, just a security post. Do with it as you wish.


----------



## DomainBop (Jan 25, 2016)

> tldr: Wordpress is coded fine.  It's usually the end user (decision maker) that installs vulnerable themes and plugins that sucks.  Just like how Windows is coded fine.



I'll disagree with both statements.  Security hasn't been a top priority for either WP or Windows developers.  WordPress and Windows both have a very long history of endless critical vulnerabilities (and in the case of Windows many times it is months, and in a few cases over a year, before those gaping security holes are fixed.)  Over the years (based on CVEdetails stats), the various versions of Windows Server have had 1321 total vulnerabilities, and the Windows desktop versions' track records are even worse (3277 total).  Windows Desktop (3277) + Server (1321) combined: 4598 total vulnerabilities. Now compare those totals to FreeBSD (314 total) and Solaris (590), or even the Linux Kernel (1338).


WordPress: 205 vulnerabilities in WP code itself over the past 10 years (i.e. not in themes or plugins), many of those critical.  11 in 2015, 29 in 2014... For anyone who is counting, the last WP patch to fix holes in the WP code was only 19 days ago (_"WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised"_).  WP is also written in PHP [snide PHP comments censored]...



> "WordPress.com is the easiest way to create a free website or blog."



That I would agree with. Installing the frameworks/software stacks needed to run competing blog platforms like Ghost (node.js) or Publify (Ruby on Rails) requires a little more technical knowledge.  Things like Docker and cloud services like Bitnami may or may not eventually make deploying Ghost or Publify just as easy for the average person as installing WordPress.



> It simply has pretty good CMS features...



If someone is looking for an industrial strength CMS for their business, they should take a look at Plone (written in Python), which has some pretty good CMS features too and has a much better security track record than WP/Joomla/Drupal (Plone has had 55 total vulnerabilities compared to WP's 205).  Django CMS (more Python) is another good option...


----------



## HalfEatenPie (Jan 25, 2016)

Mhm fair enough.  Most of the time though, my opinion is that Wordpress would handle the job.  


However I was reading Akamai's state of the internet report (Q3 though) and their security writeup does mention Wordpress Vulnerability scanning/brute forcing/etc. has increased in Q3 2015 more than previously.


----------



## GM2015 (Jan 25, 2016)

The problem with wordpress developers is that they keep adding more useless bloating features as they are fixing their previous security flaws.


Like emojis. I mean really?


Are you developing the platform for 15 year olds?


----------



## wlanboy (Jan 25, 2016)

Looking at the TOP-50 providers of CVE issues:





You have the Who-Is-Who of software developers.
I don't think that using popular software is less secure than using that-new-shiny Python thing.


All that discussion reminds me of the "security by obscurity" dogma. The Hackaz don't know my software so it is secure.


----------



## HalfEatenPie (Jan 25, 2016)

wlanboy said:


> Looking at the TOP-50 providers of CVE issues:
> 
> 
> 
> ...



That's really how I feel personally.


----------



## graeme (Jan 26, 2016)

@HalfEatenPie I have been using Wordpress for 10 years - as a blogging platform. I used to like it and wrote themes and plugins for it (which even some other people use). I am now happy to use it for blogging but I no longer customise it or develop on it. I also harden it.


My point is that the main reason it is so widely used is that people want to use all those plugins. If people only used Wordpress for its "intended purpose" then far fewer people would use Wordpress.


The other problem is that Wordpress makes it easier to write insecure code. I prefer to use frameworks that do a lot of the work for you. I think you will find that Drupal will be more secure in the future now that it is Symfony based.

For development I usually use Django, which uses an ORM so SQL queries are always escaped (unless you avoid using the ORM), adds CSRF protection to forms by default, etc. It is also a lot more productive and Python is a much nicer language than PHP.


----------



## graeme (Jan 26, 2016)

This is a bit off topic, but I cannot let this go without replying.



HalfEatenPie said:


> Windows and Mac are considered easier to use and work on, especially since more people are familiar with them as well as having more resources available.



Considered incorrectly. For one thing, Linux is a lot easier to keep secure. It also has a lot of user friendly features that Windows and MacOS later copied (such as "App stores") and most Linux package managers are still far superior. My wife and kids have no problems using Linux (and they complain about Windows when they have to use it).
 



HalfEatenPie said:


> The ability to communicate between a Windows environment and a Linux environment isn't that easy and very frequently requires a complex setup to do it properly.  For example, Microsoft Word uses docx standardized filetype for their word documents whereas OpenOffice/LibreOffice use odt.  odt is an open standard as well as docx being another open standard.



MS Office now supports ODF https://en.wikipedia.org/wiki/OpenDocument#Software

I have been using Linux for about 14 years and had problems with MS office documents only two or three times.


----------



## HalfEatenPie (Jan 26, 2016)

graeme said:


> This is a bit off topic, but I cannot let this go without replying.
> 
> 
> Considered incorrectly. For one thing, Linux is a lot easier to keep secure. It also has a lot of user friendly features that Windows and MacOS later copied (such as "App stores") and most Linux package managers are still far superior. My wife and kids have no problems using Linux (and they complain about Windows when they have to use it).



https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0 .  That's relative to each person, however the rest of the world utilizes Windows.  Good for your family for adopting windows and enjoying the package manager, however the general stigma behind Linux for the longest time was that it was difficult to work with and only "nerds" use them (it doesn't help that Arch Linux fanatics sometimes have their way of calling out shit).  Call it what you want, however many people are introduced to Windows first and therefore, for them, it is quite often more convenient.



graeme said:


> MS Office now supports ODF https://en.wikipedia.org/wiki/OpenDocument#Software
> 
> I have been using Linux for about 14 years and had problems with MS office documents only two or three times.



If you read my post properly, you would realize I did state that MS Office supports ODF.  LibreOffice supports docx and MS Office supports ODF.  What I'm stating is that that's not their native format that they regularly use and save under.  Therefore there's a potential for data loss (frequently expressed in the form of wonky formatting) between the two.  I never said they're 100% incompatible, I'm simply stating that there is no standard where both documents (I'm speaking of complex documents here with multiple different figures, tables, charts, and assets) are able to work in each other's environment.  Very frequently they need to be converted from one format to another to be "compatible", but usually it doesn't work.


My background?  I'm a civil engineering researcher who's been working within the Linux environment as well as the Windows environment.  When most of your colleagues send you documents in DOCX and when your PowerPoint presentation files are all sent in PPTX, you can't edit those and then head out to present them in LibreOffice or other software.  They either get wonky, get messed up, or just break.  The best way to minimize potential issues is to simply use the document format that's native to each piece of software.  Unless I send my document file as a PDF, they look fairly different between a LibreOffice environment and a Microsoft Office environment.


I like Linux as much as the next guy, and I use it every day.  However, for some of my colleagues who aren't as technically experienced as many people on this forum (and for the majority of the scientific community), Windows is usually the way to go.  You can't really tell your auditors "yeah I can't get the PowerPoint showing right because I use a different software".  You can't tell the government decision makers your part of the report was messed up because you made it in LibreOffice.  It doesn't work that way.  Most of the time, to minimize headache, you use Microsoft Products.


----------



## graeme (Jan 26, 2016)

HalfEatenPie said:


> however the general stigma behind Linux for the longest time was that it was difficult to work with and only "nerds" use them.



Perception, not reality.



HalfEatenPie said:


> Therefore there's a potential for data loss (frequently expressed in the form of wonky formatting) between the two.



Not my experience. I do send documents that do not need editing as PDFs though - it looks more professional as well (I realised this when a broker used to send me their morning note as a PDF most days, but as a .doc when they were in a hurry, and the contrast made me realise how ugly the .doc looked).
 


Also, ODF is a standard fully supported by everything other than MS Word. In particular Google Docs has good ODF support.



HalfEatenPie said:


> You can't tell the government decision makers your part of the report was messed up because you made it in LibreOffice.  It doesn't work that way.  Most of the time, to minimize headache, you use Microsoft Products.



So everyone in the UK should switch to using an ODF-native office suite, as ODF is the UK government standard (it is easily the commonest download format after PDF on .gov.uk and MS formats have almost disappeared)?


----------



## drmike (Jan 27, 2016)

GM2015 said:


> The problem with wordpress developers is that they keep adding more useless bloating features as they are fixing their previous security flaws.
> 
> 
> Like emojis. I mean really?
> ...



Emojis.... Those are for the window lickers on the short bus.  I mean really, if you communicate strictly in emojis and that ebonics fake word hood speak stuff, contemplate walking across a highway while texting, just for me...  Have your friends record it and upload it to Instagram for me, you farking hipsters.



wlanboy said:


> Looking at the TOP-50 providers of CVE issues:
> 
> 
> You have the Who-Is-Who of software developers.
> ...



That there is victimhood by value of target mostly.  Get to flipping those numbers and identifying the affected products, might see some companies are n00bs on lifespan vs. security gap in public.  I hate everything about Microsoft, but at least today, they get a shit rep for failings back long ago.   Lots of ways to probably re-rank that data.  Not every vulnerability is the same potential or out-in-the-wild disclosure.  Some have been full frontal nudity and smashing vulns that should make their mamas ashamed.


Security by obscurity is still semi alright.  I mean it's flawed, everything is.  But using own crafted stuff with good code and verification checking all over goes a long way.  Low value target some random site is... even commercial small biz can be unfazed and non-targeted under such.  Mask other aspects of the stack or mix it all up --- yeah that's a long old trick - remove the fingerprint ability to identify middleware for instance, mask PHP as whatever else, bury the PHP default stuff, remix output stack, hide the web server as whatever and it's quite funny.  Logs get quite interesting watching automated hackass poke the wrong stuff.


Now back in the day, crafty folks did all that and honeypotted them. Kept it going too.  Keep feeding me your exploits kiddos.


Way way back in the day, I rerouted your PBX, or even higher in the telco switch, and put you on a simulated system with your closed and never compromised system, via modems of course. Easy peasy.  Thanks for the data.  Back side horror of the obscurity single vendor crazy systems is / was and likely remains that the credentials just then sniped on the simulator worked everywhere such was.  Mine the database / data for other systems, have fun for now until eternity.


Just saying the approach of obscurity is kind of viable if you have a team and limited footprint / instances in wild or some stringed management to mass rekey things near time in seconds.


----------



## clarity (Jan 27, 2016)

GM2015 said:


> The problem with wordpress developers is that they keep adding more useless bloating features as they are fixing their previous security flaws.
> 
> 
> Like emojis. I mean really?
> ...



You do know that the entire emoji support thing was a ruse to hide a security fix that they had been implementing over several releases?


https://poststatus.com/the-trojan-emoji/


You can talk about WordPress all you would like, but the truth is that it runs most of the top sites in the world. It is just like every other popular application out there. It is being used heavily so people are going to target it. If you make smart decisions and install things from known sources, you are probably safe. If you go install something from a random website, you probably aren't.


Hackers and attackers are going to spend time crafting attacks for the largest audiences possible. WordPress fits into this category, and it is doing things to make itself more secure. You can't fault it there.


----------



## drmike (Jan 27, 2016)

clarity said:


> You do know that the entire emoji support thing was a ruse to hide a security fix that they had been implementing over several releases?
> 
> 
> https://poststatus.com/the-trojan-emoji/
> ...



Freaking awesome post and story. 


I keep moving more towards no-ware / flat HTML style stuff with some inclusions of elements common via actual web server... away from any running application layer...  application layers get stuffed on LAN / private networks.  


Wordpress is malware for most users.  Just is the nature of that 'customer' base.  They need to do more about the issue with the plugins... Lord knows that gets the blame... rightly so, as I've caught malware / JS payloads in such and reported and had old stuff finally purged from pool of plugins... shame when I am finding crap as a never-use 'customer'.


----------



## wlanboy (Jan 27, 2016)

drmike said:


> I keep moving more towards no-ware / flat HTML style stuff with some inclusions of elements common via actual web server... away from any running application layer...



That is the reason for the html-generator boom.


Static site generators like:


https://getnikola.com/

http://blog.getpelican.com/

http://hyde.github.io/


----------



## graeme (Jan 27, 2016)

clarity said:


> You can talk about WordPress all you would like, but the truth is that it runs most of the top sites in the world.



Can you name some of them? I have not heard of any real large sites run primarily on Wordpress (quite a few sites use it just for the blog). How many of these run on Wordpress http://www.alexa.com/topsites/global;0 ? The ones I have read about mostly use an in house developed platform or platforms.  The only exception is Instagram which is Django based (as is Disqus which is huge but not much visited as a standalone site). Twitter used to use RoR but I am not sure whether it has been entirely replaced or is still used for some stuff.


----------



## DomainBop (Jan 28, 2016)

graeme said:


> Can you name some of them? I have not heard of any real large sites run primarily on Wordpress (*quite a few sites use it just for the blog*). How many of these run on Wordpress http://www.alexa.com/topsites/global;0 ?



Many of the top 250 sites use WordPress to manage some of their content, but according to this article from last July, out of the top 100 sites the only site that runs primarily on WordPress is (drum roll) Wordpress.com (#39).  The only other site in the top 250 that runs primarily on WordPress is (drum roll again) Wordpress.org  (#214).


----------



## graeme (Jan 28, 2016)

@drmike I was once asked to add an enhancement to a website. I took one look at the code, and apart from the fact it was impossible to work with (I suspect a code generator had been used - or a LOT of copy and paste) it was full of security holes: raw input used in SQL queries for every form on the site, an old install of phpMyAdmin that did not require login (you just navigated to the right URL and you could admin the database) and a lot more. I reimplemented the site, but it had been running for years with all those holes in it and nothing ever happened. Pure security by obscurity. Small business site, but quite busy and high value for a small business site (the company does get most of its business from enquiries on its website).

I agree entirely about security stats.  Even if you compare products rather than vendors, it is very hard to compare like-for-like. You cannot compare the Linux kernel to Windows, because the kernel is not an OS, just a component. You cannot compare Windows to a Linux distro, unless you compare installs with equivalent functionality - you could do it, but it would be a lot of work as you cannot meaningfully compare default installs. Then disclosure is not equal: open source projects are forced to be a lot more transparent, whereas proprietary software fixes that have not been disclosed can be slipped into an update. Different vendors have different disclosure policies. Then there are things like the speed at which fixes are done and distributed, how good update mechanisms are, etc.


@DomainBop Good article. Annoying headline though. I am not the least shocked that big sites tend to use Wordpress when it is well suited to what they want to do.


----------



## Licensecart (Jan 28, 2016)

graeme said:


> Can you name some of them? I have not heard of any real large sites run primarily on Wordpress (quite a few sites use it just for the blog). How many of these run on Wordpress http://www.alexa.com/topsites/global;0 ? The ones I have read about mostly use an in house developed platform or platforms.  The only exception is Instagram which is Django based (as is Disqus which is huge but not much visited as a standalone site). Twitter used to use RoR but I am not sure whether it has been entirely replaced or is still used for some stuff.





WHMCS (OK, just checked: their new one doesn't, but they do use it for their blog) and Blesta, even InterWorx use Wordpress, but I know Blesta has a new one in development which doesn't use Wordpress, just pure SCSS and HTML.


----------



## graeme (Jan 28, 2016)

WHMCS is not one of the "top sites in the world", nor are the others.


----------



## clarity (Jan 28, 2016)

There is a list of their big clients that use WordPress VIP.


https://vip.wordpress.com/clients/


Below, they run 25% of the top 10,000 websites. If top 10,000 isn't big to you, I don't know what to say.


http://trends.builtwith.com/cms/WordPress


----------



## Licensecart (Jan 28, 2016)

graeme said:


> WHMCS is not one of the "top sites in the world", nor are the others.



Popular enough.


----------



## serverian (Jan 28, 2016)

Wordpress is cancer.


Just like cancer, it's easy to obtain and easy to spread.


Here's what Wordpress did over the years:


- Lots of crappy coders with its laughable coding practices and low entry barrier to actually extend the code. This has trashed the reputation of PHP coders in general.
- Internet being full of spam content websites. The golden SEO children have generated automated plagiarized and scrambled content that have no value.
- Trashed website building market. New age web designers are just people who do a wordpress install and buy a template and plugins and call it a website.
- Lots of Layer-7 DDoS attacks due to that stupid blog ping page.
- Lots of rooted servers that are used to attack or spam or phish.
 


It's written with nothing other than a simple blog in mind and they kept putting everything on top of that core without actually improving any quality. This made Wordpress evolve for the end user/client, not for the actual techy people.


Wordpress is cancer.


----------



## graeme (Jan 29, 2016)

The claim I was responding to was "it runs most of the top sites in the world".


The evidence so far is that it is not true. Wordpress is used by a small minority of the top 250 sites, and of those only wordpress.com and wordpress.org use it as their main platform. wordpress.com is not so much a large site as a collection of small sites. Most of the others use it to run a secondary subsite.

Wordpress is used by a large minority of the top 10,000 sites. Most of these, again, use it to run only a small part of the site (most commonly blogs).


----------



## graeme (Jan 29, 2016)

Just to clarify my opinion of Wordpress:


Wordpress for blogs, or as a small site CMS, relying on WP core and themes that are themes, not plugins in disguise: good

Wordpress with well known and well developed plugins, OK, but there is often/usually a better way of doing it.

Wordpress with less well known plugins: risky and not a good idea.

Wordpress as platform for extensive custom development: a disaster.


----------



## NickL (Feb 1, 2016)

serverian said:


> Wordpress is cancer.
> 
> 
> Just like cancer, it's easy to obtain and easy to spread.
> ...



The XML-RPC pingback attacks that can derive from WP websites can be used for DDoS attacks, but they are also there for a legitimate reason which is good to keep in mind.
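NickL's point is that pingback.ping has a legitimate job (one blog telling another "my page links to your post", after which the receiving WordPress fetches the source page to verify the link) and that the same verification fetch is what reflection attacks abuse: an attacker sends many pingbacks whose sourceURI is the victim, so every site hit makes a request to the victim. The following is an added example, not WordPress code and not NickL's: a small guard in Python that parses an XML-RPC pingback body and keeps the legitimate case while refusing the reflection pattern. The hostname blog.example.com, the threshold and all request bodies are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlparse

# Assumed hostname of the WordPress site whose xmlrpc.php receives the calls.
OUR_HOST = "blog.example.com"


def parse_xmlrpc(body):
    """Return (methodName, [string params]) from an XML-RPC <methodCall> body."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = root.findtext("methodName", default="").strip()
    params = [(p.findtext("value/string") or "").strip()
              for p in root.findall("params/param")]
    return method, params


class PingbackGuard:
    """Decide whether a pingback.ping call should be accepted.

    A real pingback names someone else's page as sourceURI and one of our
    posts as targetURI.  In a reflection attack the same victim host shows up
    as sourceURI again and again, each time with a different post of ours as
    targetURI, so counting pingbacks per sourceURI host exposes the pattern.
    """

    def __init__(self, max_per_source=3):
        self.max_per_source = max_per_source   # verification fetches tolerated per source host
        self.seen = Counter()                  # sourceURI host -> pingbacks received

    def check(self, body):
        method, params = parse_xmlrpc(body)
        if method != "pingback.ping":
            return "ignore: not a pingback"
        if len(params) != 2:
            return "reject: malformed pingback"
        source, target = urlparse(params[0]), urlparse(params[1])
        if target.hostname != OUR_HOST:
            return "reject: targetURI is not one of our posts"
        if source.scheme not in ("http", "https") or not source.hostname:
            return "reject: sourceURI is not an http(s) URL"
        self.seen[source.hostname] += 1
        if self.seen[source.hostname] > self.max_per_source:
            return "reject: too many pingbacks naming this sourceURI (reflection pattern)"
        return "accept"


def pingback_body(source, target):
    """Build a pingback.ping request body (constructed sample input)."""
    return ("<methodCall><methodName>pingback.ping</methodName><params>"
            "<param><value><string>%s</string></value></param>"
            "<param><value><string>%s</string></value></param>"
            "</params></methodCall>" % (source, target))


def run_sample():
    """One legitimate pingback, then a constructed reflection attempt, then a
    pingback aimed at a post that is not ours."""
    guard = PingbackGuard(max_per_source=3)
    results = [guard.check(pingback_body(
        "https://other-blog.example.org/linking-post",
        "https://blog.example.com/2016/01/some-post"))]
    for n in range(5):   # five pingbacks, all naming the same victim as sourceURI
        results.append(guard.check(pingback_body(
            "http://victim.example.net/",
            "https://blog.example.com/2016/01/post-%d" % n)))
    results.append(guard.check(pingback_body(
        "https://other-blog.example.org/x", "https://not-us.example.com/post")))
    return results


if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

In practice the counter needs a time window and a shared store, and a site that does not want pingbacks at all can simply stop exposing the method; the point here is that the method can be kept for its intended use without also serving as a reflector.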


----------



## DomainBop (Feb 1, 2016)

NickL said:


> The XML-RPC pingback attacks that can derive from WP websites can be used for DDoS attacks, but they are also there for a legitimate reason which is good to keep in mind.



...and you are the expert on attacks https://www.google.com/search?q=orcahub+and+booter


----------



## Nyr (Feb 3, 2016)

How THE FUCK can they still be infected after 10 full days?


I was going to contact them for a quote and just got redirected to the malware. Obviously don't want the service any longer.


This is ridiculous.


----------



## HalfEatenPie (Feb 3, 2016)

Nyr said:


> How THE FUCK can they still be infected after 10 full days?
> 
> 
> I was going to contact them for a quote and just got redirected to the malware. Obviously don't want the service any longer.
> ...



I think they just clear the malware, but they don't actually patch the hole. (That's what he said?)
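If the cleanup really is just removing the injected script each time, the thing a practitioner wants is a way to notice the next reinfection the moment it lands rather than when a visitor gets redirected. The following is an added example (not HalfEatenPie's or Fiberhub's code): a file-integrity baseline in Python that hashes a site tree after cleanup and later reports what was added, removed or modified. The site tree, theme file and dropped file are constructed in a temporary directory so the demo runs offline.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file under root (relative path, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Report what changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed site tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(data)


def demo():
    """Take a baseline of a constructed site after cleanup, then simulate the
    reinfection: a script tag appended to a theme file and a new file dropped
    into the uploads directory."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-content/themes/demo/footer.php", "<?php wp_footer(); ?>\n")
        _write(root, "wp-content/themes/demo/style.css", "/* Theme Name: demo */\n")
        _write(root, "wp-includes/version.php", "<?php $wp_version = '4.4.1';\n")
        baseline = hash_tree(root)

        _write(root, "wp-content/themes/demo/footer.php",
               "<?php wp_footer(); ?>\n<script src='http://bad.example/r.js'></script>\n")
        _write(root, "wp-content/uploads/cache.php",
               "<?php /* constructed placeholder for a dropped file */ ?>\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server cannot write (otherwise whoever drops the file can also fix the baseline) and run the comparison from cron; a PHP file appearing under wp-content/uploads is the kind of "added" entry that deserves an alert on its own.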


----------



## Nyr (Feb 3, 2016)

HalfEatenPie said:


> I think they just clear the malware, but they don't actually patch the hole. (That's what he said?)



Ridiculous anyway.


----------



## DomainBop (Feb 3, 2016)

Nyr said:


> How THE FUCK can they still be infected after 10 full days?
> 
> 
> I was going to contact them for a quote and just got redirected to the malware. Obviously don't want the service any longer.
> ...



Probably because the infection wasn't in a plugin.  WordPress 4.4.1 had an open redirection attack vulnerability that was just patched yesterday with the release of v4.4.2 (that's the 2nd major security release issued by WP in the past 3 weeks).



> Wordpress Vulnerability :-
> 
> 
> What it is about?
> ...
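DomainBop points at an open-redirect fix in the core release. That bug class is a redirect target taken from the request and validated too loosely, so a practitioner's check is worth seeing in full. The following is an added example in Python, not WordPress's own validation code: a safe-redirect predicate together with the inputs that usually slip past a naive "does it start with a slash or our domain" check. The allowed host blog.example.com and the sample URLs are constructed.

```python
from urllib.parse import urlparse

# Assumed: the only host we are willing to send a browser to after login/logout.
ALLOWED_HOSTS = {"blog.example.com"}


def is_safe_redirect(location, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-origin path or an absolute http(s) URL on an allowed host."""
    if not location:
        return False
    # Browsers treat backslashes as slashes; normalise first so "\\evil" cannot
    # pose as a relative path.
    loc = location.strip().replace("\\", "/")
    parsed = urlparse(loc)
    if parsed.scheme == "" and parsed.netloc == "":
        # A bare path.  urlparse puts "//host" into netloc, so that form never
        # gets here; still refuse anything not starting with exactly one slash.
        return loc.startswith("/") and not loc.startswith("//")
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname   # lower-cased, userinfo and port already stripped
    return host is not None and host.lower() in allowed_hosts


# Constructed inputs with the verdict each one should get.
SAMPLES = {
    "/wp-admin/": True,
    "https://blog.example.com/2016/01/post/": True,
    "HTTPS://BLOG.EXAMPLE.COM/": True,
    "//evil.example/": False,                         # protocol-relative URL
    "\\\\evil.example/": False,                       # backslash variant of the above
    "/\\evil.example/": False,
    "https://evil.example/": False,
    "https://blog.example.com@evil.example/": False,  # our host as userinfo
    "https://blog.example.com.evil.example/": False,  # our host as a prefix
    "https:evil.example": False,                      # scheme with no authority
    "javascript:alert(1)": False,
    "": False,
}


def check_samples():
    """Return the sample inputs whose verdict differs from the expected one."""
    return [url for url, expected in SAMPLES.items()
            if is_safe_redirect(url) != expected]


if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        print("%-45r -> %s" % (url, is_safe_redirect(url)))
    print("mismatches:", check_samples())
```

The check deliberately refuses anything it cannot classify (a path without a leading slash, a scheme it does not know) instead of trying to repair it; an open redirect almost always comes from a validator that tried to be helpful with one of the rejected forms above.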


----------



## Nyr (Feb 3, 2016)

DomainBop said:


> Probably because the infection wasn't in a plugin.  WordPress 4.4.1 had an open redirection attack vulnerability that was just patched yesterday with the release of v4.4.2 (that's the 2nd major security release issued by WP in the past 3 weeks).



Benefit of the doubt then I guess, in case those were two separate infections.


----------



## Licensecart (Feb 4, 2016)

Interesting: https://blog.malwarebytes.org/exploits-2/2016/02/nuclear-ek-leveraged-in-large-wordpress-compromise-campaign/?utm_source=twitter&utm_medium=social . That sounds like the redirect you might have had.


----------



## HalfEatenPie (Feb 4, 2016)

I mean....  Two days ago or so I got this email:



> National Cyber Awareness System:
> 
> 
> 
> ...



So....


----------



## drmike (Feb 4, 2016)

HalfEatenPie said:


> I mean....  Two days ago or so I got this email:
> 
> 
> So....



Repeat after me, WORDPRESS NEVER GETS EXPLOITED.  It's the plugins 


Everything gets exploited.  More marketshare, higher value target, that simple.


----------



## tmzVPS-Daniel (Feb 4, 2016)

WP never gets exploited, how many times have I heard that... 


- Daniel


----------



## drmike (Feb 4, 2016)

tmzVPS-Daniel said:


> WP never gets exploited, how many times have I heard that...
> 
> 
> - Daniel



WP has been infected more than EZE Straight Out of Compton was.


----------



## HalfEatenPie (Feb 4, 2016)

drmike said:


> Repeat after me, WORDPRESS NEVER GETS EXPLOITED.  It's the plugins
> 
> 
> Everything gets exploited.  More marketshare, higher value target, that simple.



Shush.


I stand corrected lel.


----------



## PowerUpHosting-Udit (Feb 5, 2016)

drmike said:


> Repeat after me, WORDPRESS NEVER GETS EXPLOITED.  It's the plugins
> 
> 
> Everything gets exploited.  More marketshare, higher value target, that simple.



Yes, none of us can live without WordPress and all the plugins


----------



## HN-Matt (Apr 1, 2016)

serverian said:


> Wordpress is cancer.
> 
> 
> Just like cancer, it's easy to obtain and easy to spread.
> ...



Gonna necro this for cancer research.

My thinking on the 'golden SEO children' phenomena: what if their zany autoplagiarism shtick is an absurdist parody / satire of certain cancerous economic behaviour that is infinitely contemptible? (i.e. thereby providing endless material for its own ridicule prior to the point of its own unforeseen autorelinquishment). At the same time the gesture might function as a serendipitous inway for cancer research, suggesting deeper structural causes.


----------

