
WordPress Vulnerability Affects All Versions

engine (Administrator from GB), 3:32 pm on Feb 8, 2018 (gmt 0)


Reports of a DDoS vulnerability of all versions of WordPress have surfaced, and, according to reports, it remains unpatched. "The vulnerability resides in the way "load-scripts.php," a built-in script in WordPress CMS, processes user-defined requests."

[thehackernews.com...]

There is a WordPress V4.9.4 maintenance release now available, but it's not clear to me if this vulnerability has been resolved. Either way, it's worth ensuring you've updated.
[wordpress.org...]
not2easy (Administrator from US), 4:09 pm on Feb 8, 2018 (gmt 0)


Not to sideline the main topic, but WordPress V4.9.4 will require a manual update, even for those whose versions have been set to auto-update because WordPress V4.9.3 accidentally disabled the auto-update function in WP (available since V3.7 four years ago). It will cause the auto-update function to fail. Several WP sites that I maintain just auto-updated to V4.9.3 a few days ago and now require manual intervention.

Important to know because many WP users have relied on the automatic updates for years now.
engine (Administrator from GB), 4:15 pm on Feb 8, 2018 (gmt 0)


Yes, I meant to mention that, too. Thanks.
not2easy (Administrator from US), 4:21 pm on Feb 8, 2018 (gmt 0)


I see that a patch (a bash script) was released today. The link is in the hackernews article.

I am hoping that a new WP version to address it will be available shortly as the majority of WP consumers won't have any idea about the problem or the fix even after reading the article.
Full Member from CA, 4:53 pm on Feb 8, 2018 (gmt 0)


Damn, just did the 4.9.3 update yesterday. WP needs to do better, as it is so prone to hacking. I usually wait a couple of days before pushing a patch, just in case they screwed it up.
keyplyr (Moderator from US), 9:47 pm on Feb 8, 2018 (gmt 0)


Oh great, now I'll be seeing all those probes in my logs.
webwork (Moderator), 7:51 pm on Feb 9, 2018 (gmt 0)


The wake-up call is to do the manual update NOW. If you don't, then auto-updates won't work, and that's exactly the function you NEED TO WORK to have security updates load... automatically.
Full Member from CA, 8:01 pm on Feb 9, 2018 (gmt 0)


This is a DoS attack method. Worst case is you lose traffic. They are not breaking into your site, messing around with your data and database, replacing content with their crap. Also no cross-site scripting risk. Still, you should update. It is rare for WordPress to publish this level of risk.
Senior Member, 2:45 pm on Feb 18, 2018 (gmt 0)


I use the Wordfence plugin (free) and it seems to do a fantastic job keeping away most WP attackers. I would think this DDoS attack is easily stopped by its WAF rules.
Full Member from CA, 4:34 pm on Feb 18, 2018 (gmt 0)


You would not know if it did. Wordfence protects WP. This is a DDoS attack. Your viewers would be denied access to your site, but your install would be intact.
not2easy (Administrator from US), 6:12 pm on Feb 18, 2018 (gmt 0)


TorontoBoy is right: the Wordfence plugin protects WP from some kinds of attack, but plugins do not protect your server/host. DDoS is an attack on the server's resources.
Senior Member, 9:55 pm on Feb 19, 2018 (gmt 0)

> You would not know if it did. Wordfence protects WP. This is a DDoS attack. Your viewers would be denied access to your site, but your install would be intact.

Wordfence essentially puts a WAF at your front door. The beauty of Wordfence is that if a Wordfence site is DDoS'd, the signals are used to defend other Wordfence sites, and there are ways you could restrict/throttle connections by IP as well. It's not the best WAF, but it can defend against this to some degree.

Some caching systems probably replace this with their own custom filters as well.
Senior Member, 3:59 pm on Feb 20, 2018 (gmt 0)

> You would not know if it did. Wordfence protects WP. This is a DDoS attack. Your viewers would be denied access to your site, but your install would be intact.

This is a DDoS attack that causes server load issues by re-loading JS components. It's not a remote ping but a server load issue, more of a fork bomb, but instead of forking from a shell, it's causing your HTTP server to strain. Wordfence can collect attack vectors and distribute blocks across its network for machines that seem to be the source of this attack.
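The last two posts describe the load on load-scripts.php and the idea of throttling by IP. As an added example (not from the thread, WordPress or Wordfence), here is a small defensive log check: it reads constructed Apache-style access-log lines, counts per client how many requests hit /wp-admin/load-scripts.php and how many script handles each request packs into load[], and reports clients over assumed thresholds so an operator can decide whether to rate-limit them.

```python
"""Flag clients hammering WordPress load-scripts.php (defensive log check).

Added example, not code from the forum thread, WordPress or Wordfence.
Thresholds are assumptions to tune per site; log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache combined-log prefix: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the captured fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def script_count(path):
    """Number of script handles a request asks load-scripts.php to concatenate.

    WordPress passes handles comma-separated in load[] (possibly repeated).
    Returns 0 for any other URL.
    """
    parts = urlsplit(path)
    if not parts.path.endswith("/load-scripts.php"):
        return 0
    qs = parse_qs(parts.query)  # unquotes %5B%5D back to load[]
    handles = [h for v in qs.get("load[]", []) + qs.get("load", [])
               for h in v.split(",") if h]
    return len(handles)

def flag_clients(lines, min_requests=5, min_handles=20):
    """Return {ip: (requests, max_handles)} for clients over both thresholds."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_line(line)
        n = script_count(rec["path"]) if rec else 0
        if n == 0:
            continue
        s = stats[rec["ip"]]
        s[0] += 1
        s[1] = max(s[1], n)
    return {ip: tuple(s) for ip, s in stats.items()
            if s[0] >= min_requests and s[1] >= min_handles}

# Constructed sample: one client repeats a 40-handle request, one is normal.
HEAVY = ",".join(f"h{i}" for i in range(40))
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Feb/2018:15:32:01 +0000] "GET /wp-admin/load-scripts.php'
    f'?c=1&load%5B%5D={HEAVY}&ver=4.9.3 HTTP/1.1" 200 512000',
] * 6 + [
    '198.51.100.2 - - [08/Feb/2018:15:32:02 +0000] "GET /wp-admin/load-scripts.php'
    '?c=1&load%5B%5D=jquery-core,jquery-migrate&ver=4.9.3 HTTP/1.1" 200 89000',
    '198.51.100.2 - - [08/Feb/2018:15:32:03 +0000] "GET /index.php HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

The flagged dictionary is what you would feed into a per-IP throttle or a WAF block rule; the normal client with two handles and one request is left alone.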