Millions At Risk From Critical Vulnerabilities From WordPress Plugins 145
First time accepted submitter dougkfresh writes "Checkmarx's research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Furthermore, a concentrated research into e-commerce plugins revealed that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. This is the first time that such a comprehensive survey was prepared to test the state of security of the leading plugins."
It does seem that Wordpress continues to be a particularly perilous piece of software to run. When popularity and unsafe languages collide.
Not an unsafe language... (Score:5, Insightful)
Re:Not an unsafe language... (Score:4, Funny)
It's not bad coding, those are just misunderstood features. SQL Injection? - That's just a back door we left in for convenience.
Re: (Score:1)
Just bad coding. Any language can be coded with badly. (some more easily or accidentally than others)
Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]. Any programmer worth his or her salt knows that language has all sorts of obvious safeguards against this sort of thing if you have even the vaguest clue what you're doing, which makes it that much more betterer and you should all use it right now and hire me for lots of money.
Re:Not an unsafe language... (Score:5, Funny)
I personally only use HTML9 Responsive Boilerstrap JS. If you're using any other framework then you're just wasting your time.
Here's a link for you poor slobs that haven't jumped on the bandwagon.
http://html9responsiveboilerstrapjs.com/
Re: (Score:3)
Is it webscale, or does it use joins?
Re: (Score:3)
My marketing department uses it because the rubygems facepalm API really lets us utilize turn-key e-tailers in order to better monetize one-to-one vortals.
Re:Not an unsafe language... (Score:5, Funny)
Is that a dog?
Re:Not an unsafe language... (Score:5, Insightful)
Just bad coding. Any language can be coded with badly. (some more easily or accidentally than others)
Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]. Any programmer worth his or her salt knows that language has all sorts of obvious safeguards against this sort of thing if you have even the vaguest clue what you're doing, which makes it that much more betterer and you should all use it right now and hire me for lots of money.
Assuming management or the analyst who specs the code gives the coder sufficient time to do it right.
Something I continue to observe in outsourced code is an incredible sense of optimism regarding security. Not because the coder is a fool (well, he/she might be) but because security and good practices are not emphasised, time and cost of up front development are too often the deciding factors.
Re: (Score:2)
Re: (Score:2)
Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]
ORA-00930: Unknown keyword FAVORITE following INSERT.
Re:Not an unsafe language... (Score:5, Insightful)
Some encourage it more than others, and some provide security-oriented features. For instance perl's taint mode is a great security feature. Truthfully strong typing and mature frameworks go a long ways, IF you know how to use them.
HOWEVER all this is secondary. The appalling thing is THAT NONE OF THESE PLUGINS WERE EVER AUDITED. Any webapp is almost sure to have some sort of hole in it. You can plug them but its tricky and no team will find them all. The question then is how on God's Green Earth have so many people deployed this stuff and not audited it thoroughly (or at all)? I taught web-app security and was one of the earliest people in the business, I'd never in a million years deploy one of these plugins for a client and not beat it to death with a fuzzer and 10 other things. This is just basic crap I was teaching in my college courses 8 years ago (and it wasn't exactly revolutionary then). Hell, I don't consider myself any sort of security genius by a long shot, but all I can say is that there are a lot of scarily ignorant fools out there...
Re:Not an unsafe language... (Score:5, Insightful)
Re: (Score:2)
Indeed, deserves a +1 (for either obvious or funny, but you know, really obvious things can be pretty funny ;)
Re: (Score:3)
The question then is how on God's Green Earth have so many people deployed this stuff and not audited it thoroughly (or at all)?
Because your client will want new plugins every week, gets tired of asking you everytime, and wants you to set up the permissions so that the GUI plugin installer works ("what do you mean not a good idea? the last site I had worked that way and I never had any problems with it"), then proceeds to install all the plugins he needs to make his blog on cats and other larger-than-life stuff buzzword compatible.
Re: (Score:2)
There's so many aspects to everything, you cannot assume everyone is an expert on all areas required. You focus a lot on the security but I can bet your plugins would probably be extremely hard to integrate and use, look like crap and be a usability nightmare.
Re: (Score:2)
No, I wouldn't write them, I'd just security audit the ones I use. Its just insane to drop in an untested configuration of a webapp doing e-commerce. I don't care that someone else wrote it, I ASSUME they are security-incompetent and test.
Granted, other people's responses to my post definitely explain why this crap happens, but it doesn't make it any less scary or eye-rolling. The real problem is people just don't have any idea how bad the stuff they can install free on their servers really is, unless they'
Re: (Score:2)
So what we need is a new language targeted at the Web with security being the first design rule.
The language has to do everything to protect itself and the server, the programmer only calls dark boxes to do what he wants, i.e. no direct access to databases and similar insecure things.
Why is it the programmers who are supposed to never trust their input data? Shouldn't that be the job of the language itself? I bet the language designers, who would only need to do it once and make it built-in, would do a much
Re: (Score:2)
SQL Injection
What we need is for MySQL/MariaDB, PostgreSQL, FireBird, etc., to come configured so that database updates can only take place in stored procedures in which statement building isn't present; and that they also come configured so that when you create a database, two users/roles are created: a role with stored procedure execute privileges only, and the owner, and the database owner can only access the database through the command-line interface.
In other words, what we need is for web programmers
Re: (Score:3)
Does this surprise anyone? There's a good reason why WordPress systems are popular targets for hacking....
That said, to some degree, I blame the language designers for not being more aggressive at forcing people to upgrade their old-style SQL queries to use a more modern, parameterized syntax.
If you really want the web to be more secure, we should:
Re: (Score:2)
Agreed. At least with Perl there IS a taint mechanism and it generally works as you describe (IE you can only untaint data by explicitly calling 'untaint()' or running it through a regex). If you properly use layers like Class::DBA you should never need to compose SQL or have SQL generated in-app, you should be entirely in bind-parameter land (and even that is normally hidden from view). I wrote an entire CMS/e-commerce platform in Perl 15 years ago using those tools. AFAIK no security holes were ever uncov
Re: (Score:2)
IMO, running it through a regular expression shouldn't untaint it, either, unless that happens to be a regular expression specifically designed to quote strings properly for output. But yes.
The biggest problem is that young white hat hackers are few and far between. We don't spend nearly enough time in college courses learning about proper security, and as a result, folks come out of school not knowing it. By the time they actually "get" security, most of them are well on their way to retirement, and th
Re: (Score:2)
aren't always keeping up with the latest programming languages
This is the problem right here. The "latest programming language" is buggy crap.
Re: (Score:2)
Ah, but the latest programming language is buggy crap because the senior people aren't pushing to improve it and the junior people lack the skills. It's a Catch-22/chicken-and-egg sort of problem.
Re: (Score:2)
Re: (Score:2)
<sarcasm>But you'd be a superhero. We could call you Rectum Man. "My plants were all dying for lack of fertilizer, and I didn't know what to do. But then Rectum Man came to help. Thank you, Rectum Man!" Everyone needs 12 more anuses. Everyone.</sarcasm>
What it comes down to is best summarized by this obligatory XKCD [xkcd.com]. Just s/standards/programming languages/g. Alternatively, s/standards/web frameworks/g. And so on. This is why we have Perl, PHP, Python, Ruby, and whatever else has come
Re: (Score:2)
Yeah, I was sorely disappointed when we went from a concentration on Perl/CPAN as the main resource for building web apps to 32 different interchangeable scripting languages which require the same libraries to be written over and over again and each has its own bugs. I mean, sure, perhaps its arguable that Ruby is a better language than Perl, for example, but its not that big a difference and clearly far too little focus has remained on actually writing and maintaining secure webapp code.
But, nobody is in c
Re: (Score:2)
The software market needs a return to basics.
There's a reason we still use grep. Because it was engineered properly.
Re: (Score:2)
Yeah, agreed. I'm an old FORTH programmer, talk about basics. We got more done with that tool at a faster rate BY FAR than any other tool chain in the past 30 years.
Re: (Score:2)
Re: (Score:2)
Not an unsafe language...
Just bad coding. Any language can be coded with badly. (some more easily or accidentally than others)
"Bad coding" is similar to "no true Scotsman"; the goalposts are movable in hindsight. What really matters is how easily we can spot potentially-insecure code when we're browsing a codebase *before* it is exploited.
Let's say our codebase contains, somewhere deep inside, a C function which tramples over unallocated memory. How likely are we to spot this bug as a maintainer, who may occasionally open the file for unrelated purposes? Not very, since unsafe C code looks pretty-much the same as safe C code.
Likew
Re: (Score:2)
But it's 2013 now and in my opinion the language should have long been fixed.
You should probably read this, then [php.net]
Every language is unsafe. (Score:5, Insightful)
It's just that PHP has managed to attract a huge number of absolute retards who do things like evaluate image files (it WAS an image file you uploaded, right? It ended in .gif, right? So it's totally an image file and I shouldn't even be bothered to verify the contents because nobody would ever upload php code ending in .gif) in order to dump the contents out to the browser instead of using ANY of the multiple functions or methods to do just that securely.
Re:Every language is unsafe. (Score:5, Insightful)
More like every language can be used unsafely, and some have built-in weakness in addition. The C language and many of its derivatives have a number of issues that are well known and documented. In that regard both Unix and C are like chainsaws - in skilled hands they make short work of difficult problems that might be far harder or impossible with other tools, but let your attention wander for a moment and you are missing a leg.
Re: (Score:2)
Strictly speaking, it can't be impossible in any Turing complete language if you can do it in another Turing complete language. But the main point stands, the language doesn't matter, one can do bad things in any language.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The moral of this humor is that only one language works: C
Re: (Score:2)
it WAS an image file you uploaded, right? It ended in .gif, right?
I want to become something other than one of these "absolute retards" you mentioned. If GD returns sane values for the image's width, height, and MIME type [php.net], what dangers should I still be aware of?
Re:Every language is unsafe. (Score:4, Informative)
That's the wrong question: instead of performing a dangerous operation only if the input doesn't look suspicious, you should not perform the dangerous operation at all. So if the input data is supposed to be an image, pass it to a function that can only process images. That way, if an attacker does manage to sneak in PHP code disguised as an image, it will just trigger an error condition instead of being executed.
THIS! (Score:2)
Otherwise, it might be possible to create something that is simultaneously a valid image file *and* valid PHP (or SQL, or whatever) code and bypass any checks that you add to validate the file.
Re: (Score:2)
So if the input data is supposed to be an image, pass it to a function that can only process images.
I was under the impression that getimagesize() (the linked function) is "a function that can only process images."
Re:Every language is unsafe. (Score:4, Funny)
They could exploit GD.
The only solution is to have the user base64 encode the binary GIF data, print it and then snail mail it to you.
You can then build a dedicated PC that's not on the network, type out the base64 data, decode it and confirm it's a valid GIF. Then connect that PC to the network and upload the GIF on behalf of the user.
If the GIF was malicious you simply set that dedicated PC on fire, inform the user (via snail mail) "INVALID GIF IMAGE, PLEASE TRY AGAIN" and then buy another dedicated PC for the next GIF you receive.
It's the only way to be safe. I do this with my site and so far so good: I launched one year ago and I've received 1 GIF so far 3 months ago and I'm about 75% done typing all the base64 data. I hope to confirm his avatar picture by July 1st!
Re: (Score:2)
I can't answer your specific question (I am mostly ignorant of PHP), but perhaps I can be of help with the broader issue of helping people learn about secure coding practices.
One of the basic principles of secure coding is to validate user input to ensure it is what you expect. If you are checking the image size and MIME type you are headed in the right direction. Whether you've gone sufficiently far, I'll leave to PHP experts.
To get started learning more, you can do worse than the OWASP Top 10 [googlecode.com] (PDF) -- ski
Re: (Score:2)
For gods sake, don't include() it to send it to the browser, because it could be a valid image with in an EXIF tag.
Re: (Score:2)
store them somewhere outside the web root and use readfile('../path/to/file.png') to display them
If one's budget shared hosting plan forbids writing outside the web root, is it generally safe to store them in a .htaccess-restricted folder provided that the filename has been cleansed of path separators?
Re: (Score:3)
The htaccess restriction is important to prevent one of the other leading causes of PHP vulnerability: Allowing someone to upload a valid jpeg with a .php file extension in an image field and not checking the file extension before putting it somewhere someone can request <img src="profilepics/pwnme.php"> from the server. In fact, don't try to cleanse the filename. Just a
Re:Every language is unsafe. (Score:5, Insightful)
Every language is unsafe, but some almost try to be as unsafe as possible.
For example, the oldest (and until fairly recently, only) way of handling database queries in PHP pretty much asks for you to be vulnerable to SQL injection attacks, because there's no parameterization so all you can do is awkwardly run a hodgepodge of escaping functions and hope they work. By contrast, Perl, Java, Python, and C# all provide support for parameterizing queries in their standard approaches to handling database queries about 10 years before PHP did. That's the kind of thing that gives PHP its bad reputation.
Re:Every language is unsafe. (Score:4, Informative)
For example, the oldest (and until fairly recently, only) way of handling database queries in PHP pretty much asks for you to be vulnerable to SQL injection attacks, because there's no parameterization so all you can do is awkwardly run a hodgepodge of escaping functions and hope they work. By contrast, Perl, Java, Python, and C# all provide support for parameterizing queries in their standard approaches to handling database queries about 10 years before PHP did. That's the kind of thing that gives PHP its bad reputation.
Depends on your definition of "fairly recently." PDO was available as an extension for PHP 5.0 (2004) and was included in the standard installation for PHP 5.1 (2005). There hasn't been any excuse not to be using it for at least 5 years.
Re: (Score:2)
Re: (Score:2)
So, you're saying that idiots that couldn't code ASP can't code PHP. Color me suprised then.
ASP (or better ADO) has provided prepared statements [microsoft.com] for a long time. Not using them is not ASP's fault.
Create a stored procedure and swap
in that snippet for
and you're even better.
Re: (Score:2)
This goes for web languages in general.
Pointers are too hard :(
Drop-through logic made easy:
if (x < 100) { do_stuff(); } elseif (x > 100) {do_other_stuff();}
mind the gap
Re: (Score:2)
How about "incompetent"?
If programming were a profession, or even a trade--in other words, required registration with a standards and ethics focused organization--not validating user input in production code would be grounds for a professional misconduct charge and/or dismissal.
Re: (Score:2)
Here's a fun one: search for PHP mysql_query code [github.com] and glory at all of the input sanitizing they do.
e-commerce plugins vulnerable (Score:4, Interesting)
Re:e-commerce plugins vulnerable (Score:4, Interesting)
<sarcasm>Why pay money up front for security you might never need? It's better to wait until something does happen, like millions of credit card nubmers are stolen, and give the money to the PR people to clean up the mess. It's way cheaper if the gamble pays off.</sarcasm>
Re: (Score:2)
These are developers who, when faced with the problem of how to build an e-commerce site, think "I know, I'll use my favourite blogging software". Assuming they can tie their shoelaces is a stretch, let alone thinking about security.
Right about now, somebody is champing at the bit to reply saying that Wordpress has outgrown its blogging roots and is now a proper CMS. I invite anybody tempted to believe that nonsense to look
Re: (Score:3)
Let's keep the tree green (Score:3)
Re: (Score:3)
I don't know about "should be required", who's going to require them, Congress? DOJ?
However the smarter ones do just what you described, out of their own self interest. My hosting company contacted me once about a vulnerable Mambo extension they found.
Re: (Score:3)
Congress, say.
And of course 'instantly' would be too gestapo for real life. We'd really want a grace period with escalating warnings, followed by fines, followed by pulling-the-plug.
And it'd be much better if industry came up with this on its own first. What's the state of the art?
Rackspace talks about security,
http://www.rackspace.com/managed_hosting/services/security/ [rackspace.com]
but doesn't seem to offer proactive vulnerability scanning, and if they did, they would charge for it instead of just doing it.
Godaddy s
Re: (Score:2, Insightful)
The solution is easy: hosting providers should be required
The solution is authoritarian.
Ooh, scary Open Source, look at the nasties (Score:5, Insightful)
Great, Dice posts story from a corporate-software-industrial-complex advertorial mag, with a link to their so-called blog. Which ironically is running WordPress, along with a bunch of common plugins like "Yoast WordPress SEO plugin v1.4.7" and "All in One SEO Pack 1.6.14.6". Right there tells me how clueless they are about WordPress, because unless you have a damn good special reason, you do not want to be running two separate SEO plugins. LeadGen contact form plugin, a bunch of ad and analytics beyond the usual, and no apparent caching plugin. Oh, and no Google Authorship id done the correct way, despite both of those SEO plugins having "fill in the blank" prompting for it (they do have an XFN tag on their contact info but don't do the full Google social.)
For more laughs, their verison of All-In-One SEO is downlevel. Exactly what Checkmarx themselfes warn agansit. They are on 1.6.14.6, current version is 2.0.2. [wordpress.org]
Yeah, I'm gonna listen to them about WordPress security.
When you click through their blog to the actual PDF report [checkmarx.com], guess what? They redacted the names of all those "at-risk" plugins, noting only 6 by name. Four of which they claim took their advice and fixed the problem, and two (WP Super Cache and W3 Total Cache) which I recall getting fixes for months ago. Hot news. I guess that even though their supposed expertise is in scanning for vulnerabilities, they are not going to tell you which are at risk in the current environment, because you didn't pay them. Classic dipstick move. Total and utter unawareness of the karmic and $$ benefits of internet "gift culture", such as, the whole damn open source movement and the specific WordPress ecosystem in which they are supposedly expert.
But we should listen to them, because: Checkmarx was recognized by Gartner as sole visionary in their latest SAST magic quadrant and as
Cool vendor in application security.
Re: (Score:2)
But we should listen to them, because: Checkmarx was recognized by Gartner as sole visionary in their latest SAST magic quadrant and as
Cool vendor in application security.
Visionary just means they paid Gartner. The Cool vendor means they took 'em to a brothel as well.
Okay I'm joking. Still... the fact they were whoring out "pattern based stragegy" (you had to pay to use the term) not long ago leaves me wondering.
Wordpress should die (Score:2)
People complain about IE6 or Flash or Java, but every web developer I know ABHORS WordPress.
The moment a company decides to use Wordpress as their underlying site "technology", its game over. This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.
So if this thing is causing significant security issues, it should be placed at the top of the Internet's most hated and avoided like the plague.
If you want to blog online, use Facebook or
Re: (Score:2)
nobody sets up their own blog anymore, that is so early 21st century.
Shit, is it mid-century already? Where the hell does the time go?
Re: (Score:2)
If you want to blog online, use Facebook or Twitter or any other established social platform
Maybe I don't want the advertising that goes with a platform like that, or the space limitations, or the way they assert copyright on the stuff I create, or maybe the WP blog is just a front-end for a domain name that's primarily there for e-mail, or...? There's a lot of reasons to run something like WordPress, and social media as you suggest is not a fix-all substitution.
Besides, it's not like Facebook and Twitter have never been hacked... they're big juicy targets with the number of users they have and th
Re: (Score:2)
The moment a company decides to use Wordpress as their underlying site "technology", its game over.
Like CNN, NYTimes ... ?
This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.
Actually originally and for a long time, it was a blogging platform ... for people who write blogs. Not really for housewifes and the like.
So if this thing is causing significant security issues, it should be placed at the top of the Internet's most hated and avoided like the plague.
"if" ? If your aunt had a dick she'd be your uncle.
Re: (Score:2)
Hi there. I'm a web developer. Nice to meet you. There, now you know a web developer who likes (and extensively uses) WordPress
WordPress was originally designed as a blogging platform for
Re: (Score:2)
Replying to my own comment, but after writing that, I did a quick search and found this plugin: BulletProof Security
http://wordpress.org/plugins/bulletproof-security/
It claims to protec
Anybody audit CPAN lately? (Score:2)
Never use a module if you can possibly avoid it, and keep everything you use patched up to date.
That way you'll be as safe as you can be - because you'll only be using modules you aren't actually capable of writing yourself.
Pulling in a dozen wordpress plugins (or a dozen CPAN modules, or the Ruby or Python equivalents) so you can avoid learning how to unpack a trivial format is the road to software maintenance hell...
Re: (Score:2)
That way you'll be as safe as you can be - because you'll only be using modules you aren't actually capable of writing yourself.
Because one set of eyes always catches more bugs than thousands?
Just use Foo:Bar qw(enBlob unBlob) to limit your surface.
Which Ones?!?! (Score:5, Insightful)
+1 Insightful (Score:2)
Re: (Score:2)
Giving useful infos would require having useful info, giving a shit, and having a mind to do it with. This way, the author gets web views, gets rep, gives a company name or two to establish bona fides, without really having to do anything. I might presume that asking the people who did the study might get you useful infos - perhaps even at a discount. Or maybe the relevant info is only for those in the know, not just casually anyone with a Word-Press powered site.
Further if one is getting these plugins f
Re: (Score:1)
Oh no! (Score:2)
Is this news, or just the general state of things? (Score:2)
It seems like I read a version of this article about once a month. Seems like Wordpress is always not-too-far-away from some amazing catastrophe that will cause Western civilization to collapse.
I have been looking around for a new blog platform in order to redo my personal website, which is an aging Joomla 1.x system (and actually works fine, thank you very much, I just wish the URLs weren't so awkward). As far as I can tell, the entire rest of the world abandoned everything other than Wordpress, but actu
Re: (Score:2)
I had a look at Concrete [concrete5.org], but to be honest it's the ubiquity of Wordpress that appeals to me. I avoid plugins wherever possible, and the ones I do use are mainly on the admin and content creation side rather than presentation of content.
The popularity of it means that I can quickly find answers and code snippets when I want to do something, and I feel I have the experience to sort good suggestions from bad.
Wordpress is crap (Score:2)
The wordpress phenomenon never ceases to amaze me. I know it's nothing special, cause there's probably tons of crap in proprietary closed-source software th
Re: (Score:1)
and anyone who uses it is seen as a complete joke by actual web developers like me.
So just like how you web monkeys... err... "developers" appear to programmers.
Re:In case you were wondering... (Score:4, Funny)
Re: (Score:3)
From where does one get a degree in .NET?
Re: (Score:1)
ohhhhh that's right, my second degree is in software programming with .NET and ASP
I believe the GP rests his/her case.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Funny)
...morons who don't know HTML or CSS even though I could teach both to a moderately intelligent monkey... ...actual web developers like me... ...beyond all hope. / . I think...
br
Yes, your mastery of HTML and websites is truly something to behold.
Re: (Score:3)
Re: (Score:2)
ASP is "offline" programming? Since when?
Re: (Score:2)
He won that degree from a claw game.
Re: (Score:2)
Re:In case you were wondering... (Score:5, Insightful)
It's 2013, most people (at least in developed countries with high IT penetration) have their own domain and website nowadays. Do you really think it's fair to call a 50 year old woman who wants a nice website for her cat-blog a moron? Or the coin collector who don't care about computing but just want to write about English hammered coins? Or the fishing club whose members wants a nice looking site with a gallery and perhaps a public calendar? Or the girlfriend who wants to blog about cooking? Are they all morons?
Websites are not just for companies or IT-people anymore.
Also, Wordpress is way way better than it used to be a few years ago (unlike Joomla which is a total fail in every version). Since 3.5.1 was released, I've seen more customers hacked due to brute force logins than security exploits in outdated themes or plugins.
Re: (Score:2)
A few years ago I hated Wordpress. At that time the project I was on chose MovableType for the basis of its CMS/blogging platform. Well recently I was asked to put the backend into place for another company that was producing content. We looked at several options, but Wordpress was the one that as we checked off the list of required features had basically what we were looking for item for item. And frankly I've been rather impressed with Wordpress this go around. Many of the complaints I had from a few
Re: (Score:2)
Do you really think it's fair to call a 50 year old woman who wants a nice website for her cat-blog a moron?
Yes, if she expects to take on the role of webmaster and developer, with zero technical experience. I absolutely call that a moron. It's the equivalent of that same lady trying to build a kit car, which then loses a wheel and explodes rolling out of the driveway.
The right thing for her to do is find a qualified individual or company to create the site
Re: (Score:3)
HTML is dogshit. CSS is catshit. Together they make two-tone shitty shit with a shit chaser.
Re: (Score:2)
... of javashit ... er, I mean, javascript.
Re: (Score:2)
Do these unqualified people know how to use line break tag?
Re: (Score:2)
I'm sure they notified the plugin authors, just keep your plugins updated. Their PDF report has a description of the plugins (including lines of code and downloads), but blacks out the title.
Re: (Score:3)
Well, the problem is some of the more intelligent crackers out there have been upping their game recently...they have, if memory serves me correctly, found ways of getting websites to arbitrarily become a part of botnets. That's right, it's no longer just a matter of your website's database being compromised, with your liability ending with a broadcasted message to everyone telling them to change their passwords / check their credit cards...now your website, or rather the host machine that the website is ru
Re: (Score:3)
Welcome to reality. Some people believe that the best way to 'get through life' is by being at the top of things...you may not know how to do anything, but you know how to pull the cord that does something. Some people believe that the best way to 'get through life' is by being the best you can be at something, even if you are terri-bad at everything else. Some people believe that the best way to 'get through life' is by being the best you can be at several somethings, even if you are not the absolute best.
Re: (Score:2)
No, they're probably not serious about making money with the internet. They want to make money doing their core business and feel they need an internet presence to market it. I'd agree if selling online is a priority, Wordpress is not the way to go, but for a mostly brochure style site with a blog, it's fine.
I know someone who makes good money building Wordpress sites for small customers, and I've used it for a couple of personal sites and a small business site for a friend. It's not ideal, but it's relativ