INSIGHTS, NEWS & DISCOVERIES
FROM IOACTIVE RESEARCHERS

Saturday, December 5, 2009

Volunteers to help clean up Wordpress problems?

Whenever the blog is enabled, spammers are able to deface the main page's index.html file, replacing it with hundreds of spam links to software.

The only way we can stop it is to stop the blog. We've tried cleaning the blog up, but they still get in somehow through Wordpress :(.

If you think you can help us, please email tech at flylogic.net.

Thanks!
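A defender-side check for exactly the symptom the post describes, written here as an added example; it is not code from the original page or from flylogic. It keeps a SHA-256 baseline of the web root's static files, re-checks them (for instance from cron), and, when index.html has changed, counts links to hosts other than the site's own (flylogic.net, taken from the contact address above) so that a page stuffed with off-site software links is flagged as probable link spam rather than a routine edit. The 25-link threshold, the clean and spam sample pages, and the `demo()` run in a temporary directory are constructed assumptions.

```python
import hashlib
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects every <a href=...> target in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_link_count(html, own_host):
    """Count <a href> targets whose host is not our own site.

    Relative links and links to own_host are ignored; a page that suddenly
    carries hundreds of off-site links is the defacement pattern in the post.
    """
    collector = _LinkCollector()
    collector.feed(html)
    own = own_host.lower()
    return sum(1 for h in collector.hrefs
               if urlparse(h).netloc.lower() not in ("", own))


def sha256_file(path):
    """SHA-256 of a file's bytes, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot, names):
    """Record known-good hashes for the static files we care about."""
    return {n: sha256_file(os.path.join(webroot, n)) for n in names}


def check(webroot, baseline, own_host, link_threshold=25):
    """Compare the web root against the baseline.

    Returns a list of (filename, reason) findings. link_threshold is an
    assumed cut-off: a modified file with at least this many off-site links
    is reported as probable link spam instead of a routine edit.
    """
    findings = []
    for name, expected in baseline.items():
        path = os.path.join(webroot, name)
        if not os.path.exists(path):
            findings.append((name, "missing"))
            continue
        if sha256_file(path) == expected:
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            links = external_link_count(fh.read(), own_host)
        if links >= link_threshold:
            findings.append((name, f"modified, {links} off-site links (probable link spam)"))
        else:
            findings.append((name, "modified"))
    return findings


def demo():
    """Constructed end-to-end run: clean baseline, then a simulated spam defacement."""
    clean = ('<html><body><a href="/about">About</a>'
             '<a href="http://flylogic.net/blog">Blog</a></body></html>')
    spam = ("<html><body>"
            + "".join(f'<a href="http://spam{i}.example/download">software</a>'
                      for i in range(120))
            + "</body></html>")
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "index.html")
        with open(index, "w", encoding="utf-8") as fh:
            fh.write(clean)
        baseline = build_baseline(root, ["index.html"])
        untouched = check(root, baseline, "flylogic.net")  # nothing changed yet
        with open(index, "w", encoding="utf-8") as fh:
            fh.write(spam)                                   # simulate the defacement
        defaced = check(root, baseline, "flylogic.net")
    return untouched, defaced


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Store the baseline outside the web root (and ideally off the host), since an attacker who can rewrite index.html can rewrite a baseline sitting next to it. The check only tells you that the defacement happened again and roughly when, which narrows down which Wordpress request or plugin to look at in the web server logs; it does not close the entry point itself.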

10 comments:

  1. I would love to help in any way possible, let me research a little and see what I come up with real quick... You all aren't hiring are you, I love this company!

  2. Looks like versions 5 and above are secure, but I'm sure there is a private hole somewhere:
    http://wordpress.org/development/2005/11/wordpress-is-secure/

    I ran across this OpenBSD blogging software that says it focuses on security:
    http://trac.obfuscurity.com/blogsum/

    The OpenBSD route is probably the way I would go.

  3. WordPress is too popular; it will always be targeted by hackers and spammers, and vulnerabilities are out every month. I would use automatic updates, or at least more arcane blog software to at least stop auto-attacks (Slashcode, etc.; there are thousands out there).

  4. Hmmmm... Does WordPress provide a CAPTCHA plug-in? (Or OpenID?) If not, do any of you have the ability to code one yourself?

    Otherwise, it looks like Alfred says: a change of blog engine, or keep patching WordPress as soon as fixes come out.

    It would be awful to have to turn it off for good!

  5. Wordpress is not terribly secure. Pretty much any other mainstream CMS performs better. The design of Wordpress makes writing secure code hard and they don't want to change this in the name of backwards compatibility.

    Some interesting discussion at http://blogsecurity.net/wordpress/interview-280607.

  6. Change your password using somebody else's PC. Your local PC might be compromised and send passwords away to some hacker as soon as you use/change them...

  7. Can you post the slides or a summary of your recent blackhat talk?

  8. If your computer is compromised, you can try to use a virtual keyboard (providing there's a keylogger) without the need to reformat the machine.
    Wordpress is total crap in terms of security, but you can always try to see what happens with auto updates and by adding one of the many CAPTCHA plugins available.
    If your blog is on shared hosting, consider the possibility of the complete machine being rooted, and in that case nothing will stop them.
    Consider moving to linode.com or slicehost.com (cheap but cool VPS) and installing your own system to have better security.

    Your work is amazing, man... I'd give anything to have in my brain just 10% of what you know.

    Cheers from Argentina

  9. Sorry I couldn't help here, but your site is fantastic; it can't stop now :-D

    We have much to learn from you.

    --
    We can forgive a man for making a useful thing as long as he does not
    admire it. The only excuse for making a useless thing is that one
    admires it intensely.
    --- Oscar Wilde

  10. How about writing a custom blog in XML? It shouldn't be too hard, and I'm sure a few of us would volunteer to help write it (I know I would help). Then have a few people try to hack it and see how good people's XML skills are, lol. I'm writing mine in XHTML right now, but I'm gonna switch it over to XML when I'm done. I'm just not a fan of using cookie-cutter programs and prefer to write from scratch.
    sam
