Over the weekend, reports surfaced of a seemingly widespread attack targeting older versions of the popular blogging software WordPress. The attack leaves WordPress installations severely compromised and appears to be part of a campaign to spread spam and malicious code.
Numerous bloggers found themselves victims. One of those bloggers was popular tech personality Robert Scoble. He claims that two months of his blog's content was lost and that his site was booted from Google's index because of malicious code that had been inserted (ouch).
Although Scoble has since cleaned up and taken action to defend against future attacks, he writes:
...the damage is done and I feel the same way when our childhood home was broken into. I don’t feel safe here, which might explain why I’ve been posting more over on a new Posterous blog I’ve set up.
It's easy to sympathize. But let's be clear: compromised WordPress blogs weren't exactly broken into. If these blogs are to be considered houses, their doors were left wide open for all to see. Scoble's blog, for instance, was compromised because he was running a 2.7.x version of WordPress for which there are known security vulnerabilities.
Scoble had refused to upgrade WordPress even though the latest release (2.8.4) was advertised as an important security release. Making matters worse, Scoble didn't have any homeowner's insurance. That's right: he had no backups.
Unfortunately, Scoble's blog was hardly the only one with its doors unlocked. A post on TechCrunch, for instance, repeated the warning that WordPress users should upgrade to the latest version. Yet as I write this, TechCrunch itself appears to be running an out-of-date version of WordPress MU. I'm not the first, of course, to point out the irony of popular tech blogs running outdated software with known security vulnerabilities while writing about outdated software with known security vulnerabilities.
Yet that hasn't stopped some, including Scoble, from insinuating that WordPress is partly to blame. WordPress head honcho Matt Mullenweg responded to the situation:
A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)
He noted that the latest two versions of WordPress were not vulnerable to this attack. He concluded by imploring WordPress users to upgrade:
We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade, it’s the only way we can help each other.
Before I go any further, I'll make my bias clear: I think WordPress is a great product and have a good dozen-plus websites running on it.
That said, no software is free of bugs and vulnerabilities, and WordPress has more than a few flaws and limitations of its own. It is extremely popular nonetheless because it does well what it was designed to do, is intuitive to use, is easy to extend, has a great developer community and doesn't cost a cent to license.
When it comes to security, unfortunately, the ease with which WordPress can be installed, managed and used is a double-edged sword. It puts WordPress in the hands of users who don't have the level of tech savvy (or competence) one might reasonably expect of someone self-hosting third-party software, and it can lull them into believing they can run on cruise control. After all, WordPress works so well and looks so good that it's hard to believe serious vulnerabilities could be lurking under the surface.
The end result of this is a hacker's dream: widely-installed software often used by individuals who are either incapable of properly managing it or who never think anything bad could happen.
So what's anyone to do? If you're going to run third party software you had better:
Give up on the idea that inherently 'secure' software exists. While I'm sure there are interesting discussions to be had about WordPress and security, the bottom line is that the people attacking your site do this for a living, scan for known-vulnerable versions automatically and at scale, and need only one hole you haven't closed. No matter what piece of software you're running, someone sufficiently motivated is probably going to find a way in, and a campaign like this one doesn't even need to be clever: it just needs you to be behind on your upgrades.
Choose software wisely. It's easier to deal with security issues when you've thoroughly evaluated a piece of software and know what you're getting into. Does it have a history of security issues? What is the release cycle like? How complicated is the upgrade process?
Pay attention to new releases. When a new release becomes available, read the changelog to see whether an upgrade is necessary or merely nice to have. It's generally a good idea not to fall too far behind, and while a release that only adds features can sometimes wait, don't judge by version number: in WordPress the point releases (2.8.3 to 2.8.4, for instance) are usually the ones that fix security holes. When a release is prominently advertised as a security release, skip it at your own peril.
Look at security holistically. Security doesn't start and end at the application level; in fact, some of the reports about the WordPress attack hint that servers themselves may have been compromised. Bottom line: no matter what software you're running, disable services and modules you're not using, double-check file system permissions (wp-config.php holds your database credentials and should not be readable by every account on the box, and nothing under the web root should be world-writable unless the application needs it), use SFTP instead of FTP (FTP sends your password in the clear), run a host firewall at a minimum, and consider moving common services to non-standard ports, keeping in mind that the last of these only cuts down on scanner noise and is no substitute for patching.
Back up. Doing everything right is no guarantee that you won't be hacked; zero-day exploits, for which no patch exists yet, are increasingly common. So back up regularly, both the files and the database, keep a copy somewhere other than the server being backed up, and test that you can actually restore from it, in case the worst happens.
Have a reliable techie on your side. Even if you're capable of installing and/or managing a software product on a day-to-day basis, you should have access to somebody who can help if you run into bigger technical challenges. In Scoble's case, for instance, he cited a fear of his WordPress plugins breaking as the reason he wasn't upgrading on a regular basis. But with some competent development support, sorting out plugin problems on a test copy of the site before upgrading the live one would certainly have been far less demanding than getting someone to clean up a hacked installation.
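The steps above, from checking the installed version against the changelog to fixing permissions and taking a backup, boil down to a script a self-hoster could run before every upgrade. The script below is an added example for this page, not code from the original post or from the WordPress project. It assumes the standard WordPress directory layout, reads the core version from wp-includes/version.php, takes the "latest security release" as a parameter (2.8.4 here, as in the post), and builds a constructed sample install in a temporary directory so it runs offline.

```sh
#!/bin/sh
# Added example, not code from the original post or from WordPress itself.
# Audits a self-hosted WordPress install for the problems the post names:
# an outdated core, world-writable paths, an exposed wp-config.php and no
# backup. The install layout is the standard one; "latest security release"
# is whatever you read from the project's changelog (2.8.4 at the time of
# the post). The sample install built by make_fixture is constructed.

# Print the core version declared in wp-includes/version.php
# (the file contains a line like: $wp_version = '2.7.1';).
wp_version() {
    f=$1/wp-includes/version.php
    [ -f "$f" ] || return 1
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$f" | head -n 1
}

# version_lt A B: succeed when dotted version A is older than B.
# Components are compared numerically, so 2.10 sorts after 2.9.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# List files and directories under the install that any account on the box can write to.
world_writable() {
    find "$1" ! -type l -perm -002
}

# audit_wp WPDIR LATEST: print one line per finding, return the finding count.
audit_wp() {
    dir=$1; latest=$2; findings=0
    v=$(wp_version "$dir") || v=
    if [ -z "$v" ]; then
        echo "UNKNOWN_VERSION: cannot read $dir/wp-includes/version.php"
        findings=$((findings + 1))
    elif version_lt "$v" "$latest"; then
        echo "OUTDATED: running $v, security release $latest is available"
        findings=$((findings + 1))
    fi
    world_writable "$dir" | sed 's/^/WORLD_WRITABLE: /'
    n=$(world_writable "$dir" | wc -l | tr -d ' ')
    findings=$((findings + n))
    # wp-config.php holds the database credentials; only the owner (and the
    # web server, via group) should be able to read it.
    if [ -f "$dir/wp-config.php" ] && [ -n "$(find "$dir/wp-config.php" -perm -004)" ]; then
        echo "CONFIG_READABLE: wp-config.php is world-readable"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# backup_wp WPDIR DESTDIR: tar up the files, print the archive path.
# A real backup also needs the database (a mysqldump of the blog's schema)
# and a copy kept off the server; the fixture has no database, so that is
# left out here.
backup_wp() {
    stamp=$(date +%Y%m%d-%H%M%S)
    out=$2/wordpress-files-$stamp.tar.gz
    tar -czf "$out" -C "$(dirname "$1")" "$(basename "$1")"
    printf '%s\n' "$out"
}

# Constructed sample install (not a real site): old core, world-writable
# uploads directory, world-readable config. Prints the install path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp/wp-includes" "$root/wp/wp-content/uploads"
    printf '<?php\n$wp_version = %s;\n' "'2.7.1'" > "$root/wp/wp-includes/version.php"
    printf '<?php\ndefine("DB_PASSWORD", "constructed");\n' > "$root/wp/wp-config.php"
    chmod -R u=rwX,go=rX "$root/wp"          # sane baseline regardless of umask
    chmod 644 "$root/wp/wp-config.php"       # mistake 1: readable by everyone
    chmod 777 "$root/wp/wp-content/uploads"  # mistake 2: writable by everyone
    printf '%s\n' "$root/wp"
}

demo=$(make_fixture)
echo "Auditing $demo against security release 2.8.4:"
audit_wp "$demo" 2.8.4 || echo "$? problem(s) found; fix them, then upgrade"
echo "Backup written to $(backup_wp "$demo" "$(dirname "$demo")")"
rm -rf "$(dirname "$demo")"
```

Against a real install you would call audit_wp /var/www/blog 2.8.4 (the path is assumed); a non-zero exit status is the number of findings. The script checks files only. The database half of the backup, and restoring both halves to a scratch server to prove they work, is the part people skip, and the part Scoble needed.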
Today's internet isn't a safe place and you can't be naive or lazy when it comes to protecting yourself. Those who don't heed security best practices will eventually learn this the hard way regardless of which software they're using.