Fiberhub Website has been infected....

[graeme]

@HalfEatenPie I have been using Wordpress for 10 years - as a blogging platform. I used to like it and wrote themes and plugins for it (even some other people use). I am now happy to use it for blogging but I no longer customise it or develop on it. I also harden it.


My point is that the main reason it is so widely used is that people want to use all those plugins. If people only used Wordpress for its "intended purpose" then far fewer people would use Wordpress.


The other problem is that Wordpress makes it easier to write insecure code. I prefer to use frameworks that do a lot of the work for you. I thin you will find that Drupal will be more secure in the future now that it is Symfony based.

For development I usually use Django which uses an ORM so SQL queries are always escaped (unless you avoid using the ORM), adds CSRF protection to forms by default. etc. It is also a lot more productive and Python is a much nicer language then PHP.

 

[graeme]

This is a bit off topic, but I cannot let this go with out replying

Windows and Mac are considered easier to use and work on, especially since more people are familiar with them as well as having more resources available.

Considered incorrectly. For one thing, Linux is a lot easier to keep secure. It also had a lot of user friendly features that Windows and MacOS later copied (such as "App stores") and most Linxux package managers are still far superior. My wife and kids have no problems using Linux (and they complain about Windows when they have to use it).
 

The ability to communicate between a Windows environment and a Linux environment isn't that easy and very frequently requires a complex setup to do it properly.  For example, Microsoft Word uses docx standardized filetype for their word documents whereas OpenOffice/LibreOffice use odt.  odt is an open standard as well as docx being another open standard. 

MS Office now supports ODF https://en.wikipedia.org/wiki/OpenDocument#Software

I have been using Linux for about 14 years and had problems with MS office documents only two or three times.
 

 

[HalfEatenPie]

This is a bit off topic, but I cannot let this go with out replying


Considered incorrectly. For one thing, Linux is a lot easier to keep secure. It also had a lot of user friendly features that Windows and MacOS later copied (such as "App stores") and most Linxux package managers are still far superior. My wife and kids have no problems using Linux (and they complain about Windows when they have to use it).

https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0 .  That's relative to each person, however the rest of the world utilize Windows.  Good for your family for adopting windows and enjoying the package manager, however the general stigma behind Linux for the longest time was that it was difficult to work with and only "nerds" use them (doesn't help Arch Linux fanatics sometimes have their way of calling out shit).  Call it what you want, however many people are introduced to Windows first and therefore for them, quite often, more convenient for them.  

MS Office now supports ODF https://en.wikipedia.org/wiki/OpenDocument#Software

I have been using Linux for about 14 years and had problems with MS office documents only two or three times.
 

If you read my post properly, you would realize I did state the MS Office supports ODF.  LibreOffice supports docx and MS Office supports ODF.  What I'm stating is that that's not their native format that they regularly use and save under.  Therefore there's a potential for data loss (frequently expressed in the form of wonky formatting) between the two.  I never said they're 100% incompatible, I'm simply stating that there is no standard where both documents (I'm speaking of complex documents here with multiple different figures, tables, charts, and assets) are able to work in each other's environment.  Very frequently they either need to be converted from one format to another to be "compatible", however usually it doesn't work. 


My background?  I'm a civil engineering researcher who's been working within the Linux environment as well as Windows environment.  When most of your colleagues send you in DOCX and when your powerpoint presentation files are all sent in PPTX, you can't edit those and then head out to present them in LibreOffice or other software.  They either get wonky, they either get messed up, or they just break.  The best way to minimize potential issues is to simply use each document that's native to each software.  Unless I send my document file as a PDF, they look fairly different between a LibreOffice environment and a Microsoft Office environment. 


I like Linux as the next guy, and I use it everyday.  However for some of my colleagues who aren't as technically experienced as many people on this forum (and for majority of the scientific community), Windows is usually the way to go.  You can't really tell your auditors "yeah I can't get the powerpoint showing right because I use a different software".  You can't tell the government decision makers your part of the report was messed up because you made it in LibreOffice.  It doesn't work that way.  Most of the time, to minimize headache, you use Microsoft Products. 

 

[graeme]

however the general stigma behind Linux for the longest time was that it was difficult to work with and only "nerds" use them.

Perception, not reality.

Therefore there's a potential for data loss (frequently expressed in the form of wonky formatting) between the two.

Not my experience. I do send documents that do not need editing as PDFs though - it looks more professional as well (I realised this when a broker used to send me their morning note as a PDF most days, but as a .doc when they were in a hurry, and the contrast made me realise how ugly the .doc looked).
 


Also, ODF is a standard fully supported by everything other than MS Word. In particular Google Docs has good ODF support.

You can't tell the government decision makers your part of the report was messed up because you made it in LibreOffice.  It doesn't work that way.  Most of the time, to minimize headache, you use Microsoft Products. 

So everyone in the UK should switch to using an ODF native office suite as it is ODF is the UK government standard (it is easily  the commonest download format after PDF on .gov.uk and MS formats have almost disappeared)?

 

[drmike]

The problem with wordpress developers is that they keep adding more useless bloating features as they are fixing their previous security flaws.


Like emojiis. I mean really?


Are you developing the platform for 15 year olds?

Emojis.... Those are for the window lickers on the short bus.  I mean really, if you communicate strictly in emojis and that ebonics fake word hood speak stuff, contemplate walking across a highway while texting, just for me...  Have your friends record it and upload it to Instagram for me, you farking hipsters.

Looking at the TOP-50 providers of CVE issues:


You have the Who-Is-Who of software developers.
I don't think that using popular software is less secure than using that-new-shiny Phyton thing.


All that discussion reminds me of the "security by obscurity" dogma. The Hackaz don't know my software so it is secure.

That there is victimhood by value of target mostly.  Get to flipping those numbers and identifying the effected products, might see some companies are n00bs on lifespan vs. security gape in public.  I hate everything about Microsoft, but at least today, they get a shit rep for failings back long ago.   Lots of ways to probably re-rank that data.  Not every vulnerability is the same potential or out in wild disclosure.  Some have been full frontal nudity and smashing vulns that should make their mamas ashamed.


Security by obscurity is still semi alright.  I mean it's flawed, everything is.  But using own crafted stuff with good code and verification checking all over goes a long way.  Low value target some random site is... even commercial small biz can be unphased and non targeted under such.  Mask other aspects of the stack or mix it all up --- yeah that's a long old trick - remove the fingerprint ability to identify middleware for instance, mask PHP as whatever else, bury the PHP default stuff, remix output stack, hide the web server as whatever and it's quite funny.  Logs get quite interesting watching automated hackass poke the wrong stuff.


Now back in the day, crafty folks did all that and honeypotted them. Kept it going too.  Keep feeding me your exploits kiddos.


Way way back in the day, I rerouted your PBX, or even higher in the telco switch and put you on a simulated system with your closed and never compromised system, via modems of course. Easy peasy.  Thanks for the data Back side horror of the obscurity single vendor crazy systems is / was and likely remains, that the credentials just then sniped on the simulator, they worked everywhere such was.  Mine the database / data for other systems, have fun for now until eternity.


Just saying the approach of obscurity is kind of viable if you have a team and limited footprint / instances in wild or some stringed management to mass rekey things near time in seconds.

 

[clarity]

The problem with wordpress developers is that they keep adding more useless bloating features as they are fixing their previous security flaws.


Like emojiis. I mean really?


Are you developing the platform for 15 year olds?

You do know that the entire emoji support thing was a ruse to hide a security fix that they had been implementing over several releases?


https://poststatus.com/the-trojan-emoji/


You can talk about WordPress all you would like, but the truth is that it runs most of the top sites in the world. It is just like every other popular application out there. It is being used heavily so people are going to target it. If you make smart decisions and install things from known sources, you are probably safe. If you go install something from a random website, you probably aren't.


Hackers and attackers are going to spend time crafting attacks for the largest audiences possible. WordPress fits into this category, and it is doing things to make itself more secure. You can't fault it there.

 

[drmike]

You do know that the entire emoji support thing was a ruse to hide a security fix that they had been implementing over several releases?


https://poststatus.com/the-trojan-emoji/


You can talk about WordPress all you would like, but the truth is that it runs most of the top sites in the world. It is just like every other popular application out there. It is being used heavily so people are going to target it. If you make smart decisions and install things from known sources, you are probably safe. If you go install something from a random website, you probably aren't.


Hackers and attackers are going to spend time crafting attacks for the largest audiences possible. WordPress fits into this category, and it is doing things to make itself more secure. You can't fault it there.

Freaking awesome post and story. 


I keep moving more towards no-ware / flat HTML style stuff with some inclusions of elements common via actual web server... away from any running application layer...  application layers get stuffed on LAN / private networks.  


Wordpress is malware for most users.  Just is the nature of that 'customer' base.  They need to do more about the issue with the plugins... Lord knows that gets the blame... rightly so, as I've caught malware / JS payloads in such and reported and had old stuff finally purged from pool of plugins... shame when I am finding crap as a never-use 'customer'.

 

[wlanboy]

I keep moving more towards no-ware / flat HTML style stuff with some inclusions of elements common via actual web server... away from any running application layer...  

That is the reason for the html-generator boom.


Static site generators like:

• https://getnikola.com/
  
• http://blog.getpelican.com/
  
• http://hyde.github.io/
  

 

[graeme]

You can talk about WordPress all you would like, but the truth is that it runs most of the top sites in the world.

Can you name some of them? I have not heard of any real large sites run primarily on Wordpress (quite a few sites use it just for the blog). How many of these run on Wordpress http://www.alexa.com/topsites/global;0 ? The ones I have read about mostly use an in house developed platform or platforms.  The only exception is Instagram which is Django based (as is Disqus which is huge but not much visited as a standalone site). Twitter used to use RoR but I am not sure whether it has been entirely replaced or is still used for some stuff.

 

[DomainBop]

Can you name some of them? I have not heard of any real large sites run primarily on Wordpress (quite a few sites use it just for the blog). How many of these run on Wordpress http://www.alexa.com/topsites/global;0 ? 

Many of the top 250 sites use WordPress to manage some of their content, but according to this article from last July, out of the top 100 sites the only site that runs primarily on WordPress is (drum roll) Wordpress.com (#39).  The only other site in the top 250 that runs primarily on WordPress is (drum roll again) Wordpress.org  (#214).

 

[graeme]

@drmike I once once asked to add an enhancement to a website. I took one look at the code, and apart from the fact it was impossible to work with (I suspect a code generator had been used - or a LOT of copy and paste) it was full of security holes: Raw input used in SQL queries for every form on the site, an old install of PHPMyAdmin that did not require login (you just navigated to the right URL and you could admin the database) and a lot more. I reimplemented the site, but it had been running for years with all those holes in it and nothing ever happened. Pure security by obscurity. Small business site, but quite busy and high value for a small business site (the company does get most of its business from enquiries on its website).

I agree entirely about security stats.  Even if compare you products rather than vendors, it is very hard to compare like-for-like. You cannot compare the Linux kernel to windows, because the kernel is not an OS, just a component. You cannot compare Windows to a Linux distro, unless you compare installs with equivalent functionality -  you could do it, but it would be a lot of work as you cannot meaningfully compare default installs. Then disclosure is not equal: open source projects are forced to be a lot more transparent, whereas proprietary software fixes that have not been disclosed can be slipped into an update. Different vendors have different disclosure policies. Then there are things like the speed at which fixes are done and distributed, how good update mechanisms are, etc.


@DomainBop Good article. Annoying headline though. I am not the least shocked that big sites tend to use Wordpress when it is well suited to what they want to do.

 

[Licensecart]

Can you name some of them? I have not heard of any real large sites run primarily on Wordpress (quite a few sites use it just for the blog). How many of these run on Wordpress http://www.alexa.com/topsites/global;0 ? The ones I have read about mostly use an in house developed platform or platforms.  The only exception is Instagram which is Django based (as is Disqus which is huge but not much visited as a standalone site). Twitter used to use RoR but I am not sure whether it has been entirely replaced or is still used for some stuff.

WHMCS (Ok just checked their new one doesn't but they do use it for their blog) and Blesta, even InterWorx use Wordpress, but I know Blesta has a new one in development which doesn't use Wordpress just pure SCSS and Html .

 

[graeme]

WHMCS is not one of the"top sites in the world", nor are the others.

 

[clarity]

There is a list of their big clients that use WordPress VIP.


https://vip.wordpress.com/clients/


Below, they run 25% of the top 10,000 websites. If top 10,000 isn't big to you, I don't know what to say.


http://trends.builtwith.com/cms/WordPress

 

[Licensecart]

WHMCS is not one of the"top sites in the world", nor are the others.

Popular enough.

 

[serverian]

Wordpress is cancer.


Just like cancer, it's easy to obtain and easy to spread.


Here's what Wordpress did over the years:


- Lots of crappy coders with its laughable coding practices and low entry barrier to actually extend the code. This has trashed the reputation of PHP coders in general.
- Internet being full of spam content websites. The golden SEO children have generated automated plagiarized and scrambled content that have no value.
- Trashed website building market. New age web designers are just people who do a wordpress install and buy a template and plugins and call it a website.
- Lots of Layer-7 DDoS attacks due to that stupid blog ping page.
- Lots of rooted servers that are used to attack or spam or phish.
 


It's written with nothing other than a simple blog in mind and they kept putting everything on top of that core without actually improving any quality. This made Wordpress being evolved for the end user/client, not for the actual techy people.


Wordpress is cancer.

 

[graeme]

The claim I was responding to was "it runs most of the top sites in the world".


The evidence so far is that it is not true. Wordpress is used by a small minority of the top 250 sites, and of those only wordpress.com and wordpress.org use it as their main platform. wordpress.com is not so much a large site as a collection of small sites. Most of the others use it to run a secondary subsite.

Wordpress is used by a large minority of the top 10,000 sites. Most of these, again, use it to run only a small part of the site (most commonly blogs).

 

[graeme]

Just to clarify my opinion of Wordpress:

1. Wordpress for blogs, or as a small site CMS, relying on WP core and themes that are themes, not plugins in disguise: good
   
2. Wordpress with well known and well developed plugins, OK, but there is often/usually a better way of doing it.
   
3. Wordpress with less well know plugins: risky and not a good idea.
   
4. Wordpress as platform for extensive custom development: a disaster.
   

 

[NickL]

Wordpress is cancer.


Just like cancer, it's easy to obtain and easy to spread.


Here's what Wordpress did over the years:


- Lots of crappy coders with its laughable coding practices and low entry barrier to actually extend the code. This has trashed the reputation of PHP coders in general.
- Internet being full of spam content websites. The golden SEO children have generated automated plagiarized and scrambled content that have no value.
- Trashed website building market. New age web designers are just people who do a wordpress install and buy a template and plugins and call it a website.
- Lots of Layer-7 DDoS attacks due to that stupid blog ping page.
- Lots of rooted servers that are used to attack or spam or phish.
 


It's written with nothing other than a simple blog in mind and they kept putting everything on top of that core without actually improving any quality. This made Wordpress being evolved for the end user/client, not for the actual techy people.


Wordpress is cancer.

The XML-RPC pingback attacks that can derive from WP websites can be used for DDoS attacks, but they are also there for a legitimate reason which is good to keep in mind.

 

[DomainBop]

The XML-RPC pingback attacks that can derive from WP websites can be used for DDoS attacks, but they are also there for a legitimate reason which is good to keep in mind.

...and you are the expert on attacks https://www.google.com/search?q=orcahub+and+booter