Wordfence reports that hackers are widely attempting to exploit a vulnerability that it reported over three months ago. According to The Register:
“Wordfence disclosed the flaw almost three months ago, and in a new advisory this week warned that criminals are increasing attacks — the WordPress security shop claims it blocked an average of 443,868 attack attempts per day on its customers’ sites.”
The vulnerability is in “Modern WPBakery Page Builder Addon”, a plugin that was formerly sold on the Envato marketplace. Its history is instructive. Someone made something and published it, then walked away. Some time later, a vulnerability was found. Then some time after that, Wordfence published an alert. There will never be a fix because the developer has abandoned the code. Hence there are all these zombie sites ripe for attack.
WordPress is the most over-criticized and under-criticized platform. Over-criticized because some people think that every WordPress installation can be trivially exploited, which isn’t true. Under-criticized because if you treat WP like a plugin smorgasbord, it’s easy to employ crappy third-party code that leaves you wide open. That’s what happened here.
The lesson is obvious: since you’re not going to do a line-by-line security analysis of your WP plugins, you should stick to plugins that are widely used. Of course, the more popular a plugin is, the more it is targeted, so maybe what you really need is a security plugin…sigh.