The Code Cave

December 11, 2006

A few words about the RISKS of WordPress 1.2, 1.5, 2.0 or anything less than 2.0.4

Filed under: WordPress — Brian @ 5:33 pm

Obscurity Through Verbosity

I wrote a lengthy reply to Michael explaining the risks to his blog. I’d like to share some of that with you. In fact, I want to share this with as many people as I can.

If you know of ANYONE that is still running an older version of WordPress, please refer them to this post. They need to update their blog. If they haven’t upgraded yet, they simply don’t understand the risks involved. This post gives them the risks - short and sweet - and also gives some specific details about one way your site could be attacked.

I’m going to be very frank in the rest of this post. I really hope this doesn’t bother too many people. I know it will bother some even though I’m not going to provide the exact implementation details of any attack. Some people will argue that just telling people it can be done is the same as providing source code, but I would remind those people of the release dates for the versions I’m talking about:
Version 1.2 May 22, 2004
Version 1.5 Feb 14, 2005
Version 2.0 December 26, 2005

It has been over a year since 2.0 was released. There has been sufficient time for people to update since then. Version 2.0.6 is due out this month with 2.1 close on its heels. There is simply no excuse, other than ignorance of the danger, for not having updated your site by now. And pleading ignorance isn’t going to get your posts back.

Where WordPress Stands

I don’t know of any search that will tell me EXACTLY how many people are still running each version, but I’ve tried to come up with some estimates: (This section was rewritten in October and this post has been sitting in the draft folder for a while since then. If you follow these links, you will get differing results.)
Version 1.2 - 74,600 Sites (down from 127,000 sites 3 month ago)
Version 1.5 - 679,000 Sites (down from 1.1 million)
Version 2.0-2.0.2 - 24.5 million sites (up from 3.9 million)
This far outstrips the “safer” versions: (Those after NONCEs were introduced.)
Version 2.0.3 - 0.744 million sites (up from 0.5 million)
Version 2.0.4 - 2.3 million sites (up from 0.5 million)
Version 2.0.5 - 0.877 million sites

The scary thing is how much the older releases have grown since I started tracking these numbers back at the end of July. There are 6 times the number of vulnerable sites now as there were in July. That’s the change in just over 3 months. (It is now December and I’ve not re-run the queries. I wonder if this trend continued…)

UPDATE:

Here are the numbers as of Dec. 12 2006
Version 1.2 - 52,500 down from 74,600 in two months
Version 1.5 - 515,000 down from 679,000 in two months
Version 2.0-2.0.2 - 1,160,000 down from 24.5 million sites - 1.16 million is still a lot, but this world is a LOT better…than Google painted it in October. Given the progression, perhaps they had an order of magnitude issue???

NOTE: These numbers might be high because of old and duplicate finds or they may just as easily be low because themes often remove the text I am looking for. We do know that as of the 2.0.5 release there were 1.2 million downloads from the main site. Many admins run dozens or hundreds of WordPress sites and there are other places to download the software. So, these figures might just be accurate.

5 Comments »

  1. [...] If you’re still not convinced, you should read this article (not yet published). By Brian, October 27, 2006, 11:17 pm o’clock [...]

    Pingback by The Code Cave — October 27, 2006 @ 11:17 pm

  2. I’m sorry — you’re really long winded, and this isn’t new content OR news. And maybe it’s just me, but you seem a little “full of yourself”.

    Comment by bleh — December 11, 2006 @ 10:19 pm

  3. Finally, the “long post”. I’m glad you found time to finish it.

    Another aspect to the “hackers seek fame” bit: Of course, defacing the site on “pet rocks” doesn’t bring you fame. But defacing 24.5 million (or even only 10.000) sites on pet rocks and other assorted special interests in a single batch surely brings you fame as well. Doing a Google search for your leet-speak-hackername and getting millions of results for sites you “hacked” makes you a semi-god.

    OK, now get this post to Digg, Slashdot, Gadgetopia etc.

    Comment by Michael — December 12, 2006 @ 4:47 am

  4. 30 million vulnerable Wordpress sites…

    I had a lengthy email conversation with Brian Layman a few months ago about security issues in Wordpress, and the need to motivate Wordpress users (who more often than not are laymen [no pun intended] themselves) to upgrade. Brian is a bit desillusione…

    Trackback by technozid — December 12, 2006 @ 7:47 am

  5. To Bleh: I do know what you mean. It is long winded, and that’s why it stayed in the draft folder for so long. It was originally going to be a very technical article describing five attacks I’d picked out. But as I wrote, I kept on thinking about my target audience and had to step back a little further and include more of the foundational knowledge. I’m not targeting the tech people. I’m not targeting those who have already upgraded. Most techies have already upgraded.

    So, yes, it’s old news to us, but I’m reaching out to those who have had one or two years. I’m hoping I’ve correctly targeted this article to them. I can follow up on it with more technical stuff in days to come. I’m still talking about attacks on version 1.5 and 2.0 sites, but at least it will be a little more… is geekalicious a word? No… I don’t think it is….

    Comment by Brian — December 12, 2006 @ 9:48 am
