Comments on: SecurityFocus SQL Injection Bogus

By: Security and Hacking: The State of WordPress Blogs | The Blog Herald

Security and Hacking: The State of WordPress Blogs | The Blog Herald — Sat, 17 Jan 2009 04:39:59 +0000

[...] “SecurityFocus SQL Injection Bogus,” Matt Mullenweg talked about one false report: Online, apparently, it’s fine for someone [...]

By: nommo

nommo — Thu, 17 Jul 2008 16:03:08 +0000

A corporate blog that I ‘manage’ – running 2.5.1 had it’s entire table dropped last night. Looks like it was via wp-comments-post.php

I spent the day rebuilding.. you know what it’s like, you only find out how crap your backup is when you need to use it. Lessons have been learned.

By: Dan Guido

Dan Guido — Tue, 15 Jul 2008 15:27:30 +0000

> You can impress your friends by saying whether a security report is valid or not, so it’s a good critical facility to pick up.

Fail.

Don’t knock the bug report on securityfocus, you should be happy some kiddie was kind enough to leak a good bug in WordPress 2.5. If you took a few minutes to poke around in wp-comments-post.php then you might have found what RoMaNcYxHaCkEr did. Either way, upgrade to WP 2.6 now.

By: Zero Day mobile edition

Zero Day mobile edition — Tue, 15 Jul 2008 10:55:37 +0000

[...] If you manage a WordPress blog, this should be considered an important update. You should also pay close attention to Matt Mullenweg’s security recommendations. [...]

By: Pattern Recognition » Blog Archive » Interesting WP Spam Hack

Pattern Recognition » Blog Archive » Interesting WP Spam Hack — Mon, 14 Jul 2008 20:17:26 +0000

[...] but Joshua M. Neff told me it happened to him as well. In the comments there was a link to the wordpress developer’s blog about a similar issue…but not an identical issue. I don’t think this is necessarily a [...]

By: WordPress Security Prevention, Reactions, and Scares « Lorelle on WordPress

WordPress Security Prevention, Reactions, and Scares « Lorelle on WordPress — Mon, 28 Apr 2008 11:15:21 +0000

[...] Security Prevention, Reactions, and Scares Matt Mullenweg spoke out recently on the recent bogus “SecurityFocus SQL Injection” fear spreading across the web. There is a huge perception today that WordPress is a security risk. This [...]

By: WordPress Wednesday News: WordCamps Everywhere, Webware 100 Again, Plugins to Fix WordPress 2.5, Change Admin Colors, and More : The Blog Herald

Wed, 23 Apr 2008 23:50:38 +0000

[...] Security Prevention and Scares: Matt Mullenweg spoke out recently on the recent bogus “SecurityFocus SQL Injection” fear spreading across the web. He also offered some sensible tips and information for those worried [...]

By: Don’t Fall Behind « The Panegyrist

Don’t Fall Behind « The Panegyrist — Tue, 22 Apr 2008 06:30:37 +0000

[...] Mullenweg, the creator (or something like that) of WordPress, recently posted about the need to keep your copy of WordPress up-to-date: not to keep up with the latest features, though that’s certainly a good enough reason for [...]

By: Noticias de Bitacoras.com » Consejos para hacer tu blog más seguro

Noticias de Bitacoras.com » Consejos para hacer tu blog más seguro — Mon, 21 Apr 2008 13:03:44 +0000

[...] SecurityFocus SQL Injection Bogus [...]

By: Matt

Matt — Mon, 21 Apr 2008 00:33:01 +0000

Hone, you basically just described our VIP hosting:

http://wordpress.com/vip-hosting/

By: WordPress and Security | nickbohle.de

WordPress and Security | nickbohle.de — Sun, 20 Apr 2008 23:07:32 +0000

[...] Don’t hesitate to upgrade WordPress! Matt Mullenweg just wrote a great article about security and upgrading. [...]

By: Tranpalitu » Blog Archive » Seguridad en WordPress

Tranpalitu » Blog Archive » Seguridad en WordPress — Sun, 20 Apr 2008 20:51:38 +0000

[...] Las claves de la seguridad en WordPress son según Matthew Mullenweg: [...]

By: .neteffect, April 20, 2008 | BlogWell

.neteffect, April 20, 2008 | BlogWell — Sun, 20 Apr 2008 20:10:04 +0000

[...] SecurityFocus SQL injection bogus [...]

By: Trevor Davis | Blog | Weekly Link Round-Up #27

Trevor Davis | Blog | Weekly Link Round-Up #27 — Sun, 20 Apr 2008 03:14:22 +0000

[...] SecurityFocus SQL Injection Bogus [...]

By: Cómo hacer tu blog un poco más seguro » blogpocket 7.0

Cómo hacer tu blog un poco más seguro » blogpocket 7.0 — Sat, 19 Apr 2008 23:19:05 +0000

[...] Según cuenta Matthew Mullenweg en su blog, la versión 2.5 de WordPress no contiene vulnerabilidades, al hilo de un posible fallo de seguridad. En cualquier caso, el bueno de Matt nos aconseja adoptar tres medidas básicas para evitar disgustos: [...]

By: ???????????? ?????????

???????????? ????????? — Sat, 19 Apr 2008 20:22:03 +0000

[...] ??? ?????????? ???????????. ???? ?????, ????????? ?? ?? ?????? ??????????, ?? ??? ??? ??? ??? ???????? ????? ?????????????, ???? [...]

By: Hone

Hone — Sat, 19 Apr 2008 13:54:13 +0000

Matt, regarding SQL scalability etc, one service Automattic could offer on WordPress.com is a $100 – $200 per month paid service which is equivalent to a single dedicated server – then it good go up in price as usage increases.

Lots of folks who are basically publishers have a suck time when they need to move to a dedicated server once their WordPress blog gets to big.

I’d buy this service even if there was zero support. All I’d need would be the ability to load my own theme – maybe via svn, and also be in the wordpress.com network so people could easily make comments etc.

It would also be cool if you also offered hosted Mu. People always have the same problem once there blog gets too big. They’re smart enough to install it for a small user base but once you need multiple database servers etc it just becomes too much for your average punter.

By: ::: Manuele Lancia ::: » Blog Archive » Exploit per Wordpress 2.5

::: Manuele Lancia ::: » Blog Archive » Exploit per Wordpress 2.5 — Sat, 19 Apr 2008 13:33:32 +0000

[...] malevolo, rendendo così possibile la modifica del database. Va detto come il bollettino sia stato criticato da Matt Mullenweg per la sua mancanza di informazioni [...]

By: Bontb

Bontb — Fri, 18 Apr 2008 22:12:20 +0000

I was one of the victims well not for bontb.com but on hawaiib.com “which i removed now”

Read what I wrote
http://www.bontb.com/2008/03/wp-content1-trojan-virus-for-wordpress-bloggers/

By: Usayd

Usayd — Fri, 18 Apr 2008 21:07:46 +0000

Some good points raised matt, thanks.

I have to admit, it’s pretty hard to maintain a number of WordPress websites simultaneously and keep them up to date. It’s apparent that you guys are aware of this, but the obvious point is that it will take an upgrade to the version where this feature becomes available before one click upgrades will take place

By: Matt

Matt — Fri, 18 Apr 2008 15:18:59 +0000

Derek, as I mentioned in the post, this is a high priority for us.

By: Derek

Derek — Fri, 18 Apr 2008 12:59:03 +0000

I believe the best thing that could be done is to make an automatic upgrade function in the core. Just like the plugin page does now…there is a new version available, click to update automatically…why not have that functionality built into the “There is a new version of WordPress available…” link. Click the link and “blam” you are upgraded!

By: Richard

Richard — Fri, 18 Apr 2008 00:40:40 +0000

This is very cool and very helpful to WP bloggers. I have doing my best to follow the version upgrade. Also, I think the plugin – WP security scan is a good security enhancement to WP, no matter how perfect it does, but this approach. Thanks.

By: ryan

ryan — Thu, 17 Apr 2008 21:58:16 +0000

Matt I saw your video from the Word whatever thing in Texas. Blogger convention basically. You are a likeable enough chap and well intentioned I’d say so don’t read this as an attack.

I’ve gotta say, it’s almost as if WordPress is in a competition with phpBB for frequency and sheer number of vulns. We’ve got this sql injection issue and then we learn the salted passwords work great, but users aren’t being educated enough to change the random phrase. http://seclists.org/bugtraq/2008/Apr/0164.html

I like the functionality of WordPress and I like the features but can’t recommend it to non-techies who want a hands off blogging feature. The problem is the non-techies have their techie friend install it and then never look at it again.

What I’d like to see is a WordPress.com along the lines of Typepad, where we get a packaged deal that’s not crippled like WordPress.com is. You guys could have the fun of patching and keeping a decent number of plugins available and we’d happliy pay money and blog.

WordPress will have a black eye soon because of all the comment spam and splogs that are built with it. Much like including the WP logo on prior versions made people associate database connection issues with WordPress regardless of what the problem is. I see that went away in 2.5.

People used to complain about splogs on Blogger, there are still some, but most of them that I run across these days are on WP. Hell, someone sells a tool to make them.

This is a prediction from Matt Cutts in his blog for 2008
“2008 will be the year that hacking and search engine optimization (SEO) collide in a major way. By the end of the year, a nontrivial fraction of blackhat SEO will involve illegally hacking sites for links or landing pages. One webhost will get a significant black eye as hundreds or thousands of customers’ websites are hacked.”

I think this will turn out true, though it might be one product rather than one web host, or maybe the product that gives them the door is WordPress.

Food for thought. I’m still running 2.5 for a couple of my blogs.

Sleeping with one eye open,

Ryan

By: Uncle Che

Uncle Che — Thu, 17 Apr 2008 12:26:48 +0000

I think upgrading wordpress is as easy as we can imagine. I have instructed people who cannot even install a plugin and they have been able to do it. A plugin on wordpress.org named WP Automatic Upgrade has worked on 26 different blogs on 19 diffrent accounts which i have helped friends upgrade free of charge.

If you find someone who still can’t upgrade and you don’t have enough time to help, please send him/her to me.