WordPress – Be Ready To Be Hacked Again

Ahh… the dreaded

3.0.4 Important Security Update

…a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

Yeah. What that says to me is, “A hacker has already looked at the vulnerabilities in 3.0.3 and written a script to exploit it and deployed it on the websites he/she has already hacked so that it can go out and get access to even more web servers by simply crawling the web looking for WordPress installations that haven’t been updated yet.”

How long does that take? I dunno. Sitting with a file comparison utility and copies of 3.0.3 and 3.0.4 it oughtn’t take long to spot where the changes were made. Then simply figure out what the changes are patching, then write a bit of script code to deploy it. I’d assume the hacker already has some kind of code in place to crawl the web and/or use google searches to locate WordPress blogs. So for someone who knows what they’re doing, maybe this takes 15 minutes — maybe 2 hours.

Now: How fast can a computer access a website, attempt to run whatever the exploit is, and then install remv.php (or whatever the newest crack is that opens up your server for any kind of future use by the hacker)?

And then remember that by virtue of having already done this hacking before, the hacker might ALREADY have a bot army of thousands of computers that can be deployed with this new hacking script.

And then remember this isn’t about “A hacker” — this is about hackerS. How many people do this sort of thing? On the whole planet? Probably more than 5. Probably more than 10. And how many webservers do they already have doing their bidding to run the newest exploit against all the other websites. Probably more than ___?

This is the part I hate about using WordPress for anything.

My favorite part: Last time something like this bit me, all the WordPress forums were filled with the “super-fanboys” who blamed typical users for not being fast enough to update their websites before their sites were exploited. It’s the ultimate “Fuck You” from WordPress — after all, it’s not some HUMAN going from site to site trying to exploit it, it’s a computer running a script. That’s a case where computers are SIGNIFICANTLY faster than humans.

Why doesn’t WordPress AUTOMATICALLY upgrade itself? It is aware that there’s an update (the admin panel told me so).

It’s not like the upgrade could possibly screw things up worse than having my site and possibly everything in my hosting account compromised and the resulting damage to search rankings as my site is filled with ads for Viagra and porn and gambling.

Totally wasn’t planning on needing to deal with upgrading every site I own today. I’d like to have a life that doesn’t involve being a slave to the capricious wishes of computers (and that also goes for Bill Gates and my Windows computer wanting to update instead of letting me work — but that’s a separate rant).
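Since the post's real pain point is finding out which of many sites is still on a pre-3.0.4 core, here is a small inventory script that walks a hosting account, reads the version each WordPress install declares in wp-includes/version.php, and lists every install older than 3.0.4 (the fixed release named above). This is an added example, not code from the post or from WordPress; it relies on the real `$wp_version = '...';` line that WordPress ships in version.php, and the three-site directory tree it scans is constructed in a temporary directory purely for the demonstration.

```python
import os
import re
import tempfile

# The release that closes the KSES sanitisation bug discussed in the post.
MINIMUM_SAFE_VERSION = "3.0.4"

# WordPress records its release in wp-includes/version.php as a PHP string
# assignment, e.g.   $wp_version = '3.0.3';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_wp_version(php_source: str):
    """Return the version string declared in a version.php body, or None if absent."""
    match = _VERSION_RE.search(php_source)
    return match.group(1) if match else None


def version_tuple(version: str):
    """'3.0.4' -> (3, 0, 4); a pre-release suffix such as '-beta1' is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def needs_update(version: str, minimum: str = MINIMUM_SAFE_VERSION) -> bool:
    """True when the installed core is older than the minimum patched release."""
    return version_tuple(version) < version_tuple(minimum)


def find_wordpress_installs(root: str):
    """Yield (install_dir, version_or_None) for every WordPress tree under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_wp_version(fh.read())
            # The install root is the parent of wp-includes.
            yield os.path.dirname(dirpath), version
            dirnames[:] = []  # nothing of interest below wp-includes itself


def audit(root: str, minimum: str = MINIMUM_SAFE_VERSION):
    """Map install_dir -> declared version for installs that are outdated or unreadable."""
    outdated = {}
    for install_dir, version in find_wordpress_installs(root):
        if version is None or needs_update(version, minimum):
            outdated[install_dir] = version
    return outdated


def build_demo_tree(root: str):
    """Constructed sample hosting account with three sites (not real installs)."""
    sites = {"blog": "3.0.3", "shop": "3.0.4", "staging": "3.0"}
    for site, version in sites.items():
        inc = os.path.join(root, site, "public_html", "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n$wp_version = '{version}';\n")
    return sites


def demo():
    """Run the audit over the constructed tree; keys are paths relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        outdated = audit(root)
        return {os.path.relpath(path, root): ver for path, ver in outdated.items()}


if __name__ == "__main__":
    for site, version in sorted(demo().items()):
        print(f"{site}: {version or 'unknown'} -> update to {MINIMUM_SAFE_VERSION}")
```

Point `audit()` at the top of a hosting account and it reports only the installs that still need attention, which is the list a site owner actually wants on a day like the one described above. WordPress later addressed the auto-update question directly: from 3.7 onward, minor and security releases install in the background, controlled by the `WP_AUTO_UPDATE_CORE` constant in wp-config.php.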