Comment by bilekas
7 months ago
> At my old employer, a bot discovered a wordpress vulnerability and inserted a malicious script into our server
I know it's slightly off topic, but it's just so amusing (edit: reassuring) to know I'm not the only one who, after 1 hour of setting up Wordpress, finds a PHP shell magically deployed on their server.
>Take over a wordpress site for a customer
>Oh look 3 separate php shells with random strings as a name
Never less than 3, but always guaranteed.
Yes, never self host Wordpress if you value your sanity. Even if it's not the first hour, it will eventually happen when you forget a patch.
Hosting WordPress myself for 13 years now and have no problem :) Just follow standard security practices and don't install a gazillion plugins.
There's a lot of essential functionality missing from WordPress, meaning you have to install plugins, depending on what you need to do.
But it's such a bad platform that there really isn't any reason for anybody to use WordPress for anything. No matter your use case, there will be a better alternative to WordPress.
I have better things to do with my time so I happily pay someone else to host it for me.
Never use that junk if you value your sanity, I think you mean.
I once worked for a US state government agency and my coworker was the main admin of our WordPress based portal and it was crazy how much work it was to keep working.
Ditto, self-hosting wordpress works fine with standard hosting practices and not installing a bazillion random plugins.
I never hosted WP, but as soon as you have an HTTP server exposed to the internet you will get requests to /wp-login and such. It has become a good way to find bots also. If I see an IP requesting anything from a popular CMS, hop, it goes in the iptables hole.
Hey, I check /wp-admin sometimes when I see a website and it has a certain feel to it
I do the same. Great way to filter out security scanners.
Wordpress is indeed a nice backdoor, it even has CMS functionality built in.
>after 1 hour
I've used this teaching folks devops, here deploy your first hello world nginx server... huh what are those strange requests in the log?
There are ways that prevent it:
- Freeze all code after an update through permissions
- Don't make most directories writeable
- Don't allow file uploads, or limit file uploads to media
There's a few plugins that do this, but vanilla WP is dangerous.
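The three rules in that last comment, as an added POSIX sh example that is not from the thread or from WordPress itself: it assumes a Linux/BSD box with find/chmod, a document root already owned by a deploy user whose group is the web server's group (the script only sets modes, never ownership), and a placeholder path of /var/www/html.

```shell
#!/bin/sh
# Added example, not from the thread: apply the three rules above (freeze the
# code with permissions, keep only uploads writable, no PHP in uploads) to a
# WordPress document root. Assumes files are owned by a deploy user whose
# group is the web server's group, so the web server reads code and writes
# only to wp-content/uploads. Re-run after every core/plugin update.
set -eu

# Freeze the code: directories 555, files 444, wp-config.php 440. The owner
# loses write too, so to update you restore write, update, then re-freeze.
wp_freeze_code() {
    root=$1
    uploads=$root/wp-content/uploads
    find "$root" -path "$uploads" -prune -o -type d -exec chmod 555 {} +
    find "$root" -path "$uploads" -prune -o -type f -exec chmod 444 {} +
    chmod 440 "$root/wp-config.php"   # secrets: owner and web-server group only
}

# Keep exactly one writable tree, media uploads, and refuse to execute anything
# placed in it (Apache 2.4 directive; nginx needs the equivalent location rule).
wp_open_uploads() {
    uploads=$1/wp-content/uploads
    find "$uploads" -type d -exec chmod 775 {} +
    find "$uploads" -type f -exec chmod 664 {} +
    cat > "$uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
    chmod 444 "$uploads/.htaccess"
}

# Audit: any writable file outside uploads, or any PHP file inside it, fails.
wp_audit() {
    root=$1
    uploads=$root/wp-content/uploads
    bad=$(find "$root" -path "$uploads" -prune -o -type f -perm /222 -print)
    bad="$bad$(find "$uploads" -type f -name '*.php' -print)"
    [ -z "$bad" ]
}

# Usage: wp_harden /var/www/html   (placeholder path; returns the audit status)
wp_harden() {
    wp_freeze_code "$1"
    wp_open_uploads "$1"
    wp_audit "$1"
}
```

Run the audit alone from cron to notice when a PHP file shows up in uploads or a code file regains its write bit.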