25 Comments

  1. Charlie Merland

    Still wondering how so many websites are vulnerable when security updates should be automatically applied via auto-updates… AFAIK disabling auto-updates requires explicit action by the site’s owner/developer; Why would so many people disable this?

    • mark k.

      In reality, it is exactly the other way around. To have the feature working you need the webserver to be able to write to your code directories, which is against web security good practices. It is also not very easy to set the correct directory permissions if you are not familiar with the Linux file permissions model, which is way above the heads of the average WordPress user.

      And while defacements suck, most of those sites that have their file permissions set in a secure way will be able to avoid the most obvious remote execution attacks that are being attempted now.

      The right solution (if you are one of those that never heard how 4.7.1 broke sites, and are therefore happy to install whatever software without checking it first) is to have the hosting company have some script of their own to do that, which will run as the root user, eliminating all the permission complexities. I know SiteGround do that, probably other big hosters as well, but smaller ones might not even know that there is an issue that needs to be resolved.

      • Charlie Merland

        OK, I’ve been using Linux for 15 years so I didn’t even think of permissions as an issue here. Since you need to explicitly disable auto-updates I assumed people doing so were familiar with good permission setting too.

        Personally I’ve never had a single issue with auto-updates, even 4.7.1, so I’m pretty comfortable with letting them apply automatically. If anything goes wrong I’m usually able to step in within a few hours to fix whatever’s broken.

    • neo

      Because in the past websites tended to crash on auto updates when plugins or themes were not ready to follow the changes WP made, as WP has and had a reputation of dropping functions/functionalities and adding new ones instead without keeping the legacy code running. And nobody wants their site to go down. See what happened last year with one of the big changes in a Yoast SEO update. WP had a similar reputation. So developers started to turn off auto updates because of that.

  2. Jay Syder

    I know there are some installing apps for cPanel that either do it by default, like WP Tavern mentioned (can’t remember which one it was), and others giving the option to turn auto updates off, which maybe a lot of people do due to worrying it will break their site, not sure.

    Would be interesting if there was a breakdown of what versions of WordPress are being hacked, e.g. 4.7 to 4.6 and so on.

  3. Paul Gilzow

    Also, many organizations run under strict change management policies where auto updates are not allowed. Emergency patching can be done but this update, initially, didn’t appear to be an emergency patch situation.

  4. Kevin

    Obviously, auto updates is a feature not many are comfortable with. Thanks for sharing this… it’s really useful information.

  5. neo

    I am sorry to say that once again, regardless of all the publicity and probably more clients it gains for Sucuri, both WordPress and Sucuri should not have brought the how-to into the open. They should have kept their mouths shut and should have waited until they were absolutely sure that most websites had been updated. By bringing this into the open they put all these websites at risk and people have to restore their work. Any idea what economic costs this caused! I believe it is very stupid and irresponsible to disclose the how-to for hacking into a website. Sucuri did this in August 2014 with the RevSlider hack and now they did it again. Whereas in August 2014 they never mentioned that the leak was already closed in February of that year and that the hack only occurred on websites that had not updated the plugin. It was just a win-win situation for them then and now.

  6. Chris

    I have disabled the REST API with a simple code snippet, no extra plugin is needed; found it here:

    https://www.antary.de/2016/12/07/wordpress-rest-api-deaktivieren/

  7. Ben Coates

    Here’s an idea. Why not implement a traffic-light system for WordPress updates? Red is critical, amber is urgent, green is “whenever”. That way, you can say “hey, this is really important” without initially disclosing the details of the exploit.

    • neo

      People don’t stop at traffic lights. Although I like the idea. But Sucuri should have kept their mouths shut on how to use this exploit. It’s like little children wanting to be first with something.

  8. Chuck

    Glad I decided to stay at 4.6.x for my sites.

    • neo

      You can say that out loud! :-)

    • David Artiss

      Just to be clear, 4.7 fixed a number of security issues too so remaining on 4.6.x isn’t really keeping you ‘safe’.

      • mark k.

        You are joking, right? Let’s compare the number of sites that run 4.6 that were hacked to the number of sites that run 4.7.

        The problem is actually that the opposite of what you say is true. There is simply no continuous improvement in the quality of core’s code. The bug causing this issue is a basic input sanitization bug, and I could dig into who submitted the code and point the finger at him, but the truth is that the people that were supposed to code review the code and QA the code are actually more to blame than the poor guy/girl that actually wrote it. The fact that this kind of code made it to a release shows that there is no proper process to ensure that the next release will be “better” than the previous one.

        And all the people involved in the REST API are WordPress veterans, so “it was a newbie mistake” cannot be a valid excuse (if it can ever be).

        Every release adds more unuseful bloat to the previous one, instead of fixing the structural problems of it. Why do you think that a 4.8 release, which focuses only on UI, will have better security than 4.7?

      • Chuck

        All the relevant fixes have been backported to 4.6.2 as well.

  9. Mike

    Just want to say thank you for drawing attention to the fact that this was effectively hidden from a majority of site owners by the decision to not publish a new post on the News blog or tweet about it from the official account. It gives the impression that WP was trying not to publicize it, which is really troubling and absolutely caused more damage.

  10. Jeffrey

    I got two emails last week from Drupal Security Advisories regarding two security vulnerabilities and updates marked Critical and Highly Critical. Does WordPress have this service to notify all WordPress.org users who opted in to receive security notifications of critical updates like this WP REST API one?

    • Pratik - CMS Consultant

      Hi Jeffrey, if WordPress did that, then they would lose market share. They are more focused on market share and less focused on taking responsibility for the WordPress-powered websites. And that is the reason we love Drupal. Clients do trust us because we are always ahead of time when we are with Drupal. With WordPress we have to be reactive and that is really risky, especially when you are working on high-traffic, large content sites. We still work with WordPress when its flexibility helps, but not if we see a potential threat considering the site objective. E.g. a simple corporate site is good with WordPress but not a university portal.

  11. Peter

    In the end all these attacks will make the whole internet a better place. It’s just a cleaning of outdated and unmanaged environments/websites. Also it pushes those who care to build more secure sites and hosting environments.

    • Chuck

      Agree with your latter point, but you can’t really say that those exposed (unknowingly) who were on a 4.7 or 4.7.1 install should be considered “outdated and unmanaged”…

  12. Marin

    This is a small plugin to disable the REST API completely and for all users, not just for anonymous ones.
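Both Chris (comment 6) and Marin (comment 12) mention shutting off the REST API. As an added example, which is neither the snippet Chris linked nor Marin's plugin, here is a must-use plugin that uses the core `rest_authentication_errors` filter to refuse unauthenticated REST requests while leaving logged-in users (and so the dashboard and editor) untouched. The file name, plugin header and error message are my own choices; the filter, `is_user_logged_in()`, `WP_Error` and `rest_authorization_required_code()` are real WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Require login for REST API requests (added example)
 *
 * Added example, not the code from the original thread. Save as
 * wp-content/mu-plugins/require-login-for-rest.php: must-use plugins
 * load before regular plugins and cannot be deactivated from wp-admin.
 *
 * `rest_authentication_errors` runs once for every REST request, after
 * cookie/nonce authentication has been attempted. Returning a WP_Error
 * from it ends the request with that error before any route callback
 * (and therefore any route's own input handling) is reached.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another callback already decided (true = authenticated,
    // WP_Error = rejected). Never overwrite an earlier decision.
    if ( null !== $result ) {
        return $result;
    }

    // Authenticated users keep full access; the block editor and
    // admin screens rely on the REST API for logged-in sessions.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Anonymous request: reject it. rest_authorization_required_code()
    // returns 401 for anonymous callers (403 when logged in), which is
    // the status the REST server expects for an authentication failure.
    return new WP_Error(
        'rest_login_required',
        __( 'You must be logged in to use the REST API on this site.' ),
        array( 'status' => rest_authorization_required_code() )
    );
} );
```

This narrows the anonymous attack surface rather than removing the API, so it does not replace updating to a release that carries the fix (the thread notes the fixes were backported to 4.6.2 as well). Any feature that legitimately serves anonymous visitors over the REST API, such as oEmbed discovery or a contact form plugin that posts to a custom route, will stop working until you add an explicit allowance for that route inside the callback.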