[wp-hackers] wordpress security

[Otto]

On Mon, Oct 19, 2009 at 3:24 PM, Jeremy Clarke <jer at simianuprising.com> wrote:
> I'll point out that I, as well as a number of other people in this
> thread, have specifically stated that we ourselves would profit from
> this, so it's not an idealized notion, its a group of people who you
> just claimed don't exist while in conversation with them.

People on this list know about the mail notification plugin, and, I
presume, are smart enough to install it. They do not fit into the
categories that I described.

The question is not "what people need mail notification?". The
question is "why have it in core when it's in a plugin?". Somebody who
administers many sites is surely capable of finding a plugin and
installing the thing on those many sites.

> Okay so you
>
> a) dealt with people on the forums who noticed their blogs were hacked

Correction: Not only on the forums. I get around.

> b) noticed that they were all people who had seen the message.

Everybody I asked said that they had ignored it because of some reason
or another. The implication is that the message was seen, yes.

> Concluding that all the people who's blogs were hacked had seen the
> message from this is wrong. Many sites were and are silently hacked
> without the admin ever knowing about it.

A site that the admin has not visited in 2 months is, IMO, a dead
site. No new content, no readers, nobody caring for it...

Note that the yellow box displays to everybody registered on the site.
Not just admins. For those who are not admins, it tells them to alert
the admin to upgrade.

> I don't know the full details
> but if the recent wave of attacks was really a 'worm' then these
> abandoned blogs are a huge part of the problem.

It was not a "worm". People use these terms badly. It was a
straightforward automated hack script. Possibly run by a botnet,
though I doubt it.

-Otto
Sent from Memphis, TN, United States