Comments on: The 1000 Blog Vulnerability Assessment

By: Peter

Peter — Thu, 18 Jun 2009 12:24:56 +0000

Keep up the good work guys, many of the rooted servers I have seen started with an old wordpress exploit providing the crack in the door.

By: Eric

Eric — Mon, 10 Mar 2008 11:12:28 +0000

@David,
That is not the spirit of the post. The main idea is that popular blogs do not run security checks or upgrades.

@Phil,
This is a great post and a great blog! :) Makes things very accessible for clients to read.

By: ø WordPress Version Survey | W-Shadow.com ø

ø WordPress Version Survey | W-Shadow.com ø — Sun, 09 Mar 2008 22:48:57 +0000

[...] Version Survey A while ago I saw the blog version survey at BlogSecurity.net and got an idea to do my own. The previous survey is more than 8 months old and [...]

By: David Kierznowski

David Kierznowski — Tue, 03 Jul 2007 13:35:32 +0000

Phil, the statistics do not include re-tests. The results are only on first tests.

I think your points about people who use wp-scanner will most likely be those interested in security… hopefully BlogSecurity will encourage others to follow. Nice points as usual Phil.

By: WordPress Scanner ergreift Schutz- maßnahmen für Blogbetreiber - alldev - Ein Webentwicklungs Blog

Sun, 01 Jul 2007 14:18:40 +0000

[...] zum Thema, eine aktuelle Statistik der letzten 1000 Wordpress Scanns. Die Ergebnisse, man achte auf die Versionen, sprechen wohl [...]

By: Philipp

Philipp — Sun, 01 Jul 2007 12:30:16 +0000

I would say that the real disaster isn’t this list or the result it displays, it’s just the peak of the iceberg in my eyes. As just persons let check their blogs, because they’re curious about their security and so found or followed a link to this website. Imaging how many people will be out there who don’t even think about security issues and therefore never will check their blog here. So I’m afraid that it’s in real quite more critical.

But another point does the scanner count just the number of calls or the unique addresses? Because I used it 2 times, to check my versions 2.2 and 2.2.1? I’m guessing you use the addresses as just these handle correct data for a diagram(No double entries).

Btw: Thank you David for your great work and for these real interesting posts. Keep up the good work!

By: David Kierznowski

David Kierznowski — Sun, 01 Jul 2007 08:08:00 +0000

pdp, from the plugin list, you can easily see which plugins an attacker may target first couldn’t you.. it was definately an interesting excercise.

By: pdp

pdp — Sun, 01 Jul 2007 06:38:13 +0000

I’ve been looking into these stats as well and to me it is quite scary to see how many people out there don’t even know about the security problems their blogs face today. Give the fact the blogs are medium for mass communication I believe that it is a quite important thing to secure them as much as possible.

Everyone, check usage number of exec_php! This plugin allows you to embed PHP code inside your posts. Although it may seem quite convenient, it is a big security problem. Given the fact that most blogs have XSS in one form or another, all attackers need to do is to trick the user into visiting a malicious page. Upon arrival the malicious JavaScript code will inject a PHP backdoor within some of the posts. After that, the attacker will be able to compromise the entire wordpress installation. This is not good.