Tag Archives: WordPress

WordPress still insecure by design

Some major WordPress design flaws have led to widespread attacks on our and your servers. The only hope is reasonably long and strong passwords or WordPress security plugins.

The first flaw. By default WordPress have enabled “feature”, when you visit your blog with author query string appended, it nicely reveals your usernames. For example, if you have:


just add


and default WordPress installation redirects you to the:


In you need next valid username, change 1 to 2:


The second flaw. WordPress have two separate login error messages:

ERROR: Invalid username


ERROR: The password you entered for the username admin is incorrect.

So basically, you can check if particular username is valid.

The third flaw. Many users use .htaccess to secure the wp-admin directory, but WordPress coders decided to include public accessible script in the admin folder. So securing admin folder breaks your site in many ways. Of course you can write more advanced .htaccess rules, but it is not excuse for including public script in the admin folder.

Both front-end and back-end Ajax requests use admin-ajax.php

Forth flaw. Allow hackers to iterate hundreds of usernames/passwords in the single web request (system.multicall), and do it via public accessible script, that is not hidden behind wp-admin folder. Just brilliant! By the way, flaw is still not fixed, and even if you have not so popular site, you will still see your log files full of password guessing requests from different IP addresses: - - [13/Oct/2015:17:26:55 -0400] "POST /xmlrpc.php HTTP/1.0" 200 561 "-" "-"

Note, that IP is given as an example.

Read more about this system.multicall thing here: Brute Force Amplification Attacks Against WordPress XMLRPC

The fifth flow (and not the last). If you have some flaws / vulnerabilities, please share them in comments. Of course only publicly known ones. If you have newly discovered flaw, use proper disclosure channels.

Spammed by WordPress comment stealing bot with Facebook profile

Some time ago (1/2 year, may be 1 year) strange comments started to appear in our WordPress comment moderation queue. They all contained some random comments from random places, they all had the similar URL:
where XXXXXXXXXXXXXXX is profile ID, that is changing from one comment to another. I didn’t click on the fake profiles, do not have time to research who are behind this.

Today regular chunk of SPAM in moderation queue, again with fake Facebook profiles, again bypassed CAPTCHA somehow (Chinese clickers perhaps), but one particular comment grabbed my attention. It is comment from post about old tabled unboxing.
Here is a comment:

Author : Bagas (IP: ,
E-mail : rkleinschmidt@SOMETHING–HEALTH–related–WAS–here.org
URL : http://www.facebook.com/profile.php?id=XXXXXXXXXXXXXXX
Whois : http://whois.arin.net/rest/ip/
I buy few unit from amazon , at first i think the $199 is good deal , but actllauy this player is worst , the touch screen really slow and hard to scroll , and the app , i think all junk app , please consider don’t think $199 is a good deal , better u add another bucks for really goods item.

The strange thing is that this comment seems like absolutely legitimate user commenting on Archos tablet. Yes, touch screen is slow, there are junk apps, etc.

I did a quick Google search, and instantly found original site, where this comment was stolen:

It is blog post about Archos tablet. And comment is from “June 25, 2010 at 5:32 pm”. It is also running on the WordPress engine.

So the theory:

  • The Comment Stealing BOT (CSB) finds random WordPress blog;
  • CSB then finds some random posts;
  • CSB somehow searches the internet, using keywords from my blog post;
  • CSB finds some WordPress blog and grabs some random comments;
  • Sometimes it succeeds, and comment looks like real user post;
  • It tries to promote some Facebook pages;
  • If you are managing multiple blogs, you spot this pattern instantly.

Of course other WordPress users are noticing this too: