Pwnt in 60 seconds.

Just opened the following happy little ticket with my dad’s webhost (and my former webhost).

My name’s Blake. I’m writing on behalf of my father W[nope]. I’m a Linux systems administrator, and I just wanted to point out a few of the pitfalls with your WordPress 1 click install.

Since my sister asked for help installing the single most exploitable piece of software on the planet (which runs my own website), I at first lazily said “Let me do it” and tried to log in to the install page as fast as possible. Well, as was to be expected, bots had already hijacked the damn thing. Okay.

I remove the folder, delete the database, create a new folder, and put an .htaccess file in only allowing my IP. Install fails because the folder is not empty.

Well shit. Okay. This time I start over just changing the permissions of the empty folder to 770 so anyone accessing the site will get forbidden. The one click install FIXED THE PERMISSIONS TO BE EXECUTABLE AGAIN.

Finally I had to just run the one click install, run watch ls, and frantically rename the folder so I could secure it at my leisure.

Yes, I could have just manually installed WordPress, but I was just helping out and didn’t want to get stuck having to maintain this thing in the future. So the convenience of your automated service is nice.

Really, though, your one-click-install maybe shouldn’t thwart security practices when every bored basement Python programmer is scraping WordPress sites.

My apologies for the crassness. Please forward this message to your infosec guy and have a laugh at my expense.
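The "watch ls and frantically rename" step above can be scripted. The following is an added example, not code from the original post or from the webhost: it polls the web root for the directory the installer is expected to create, renames it to an unguessable name the moment it appears, and drops in an .htaccess that allows only the administrator's IP to reach the unfinished setup page. It assumes an Apache host that honours .htaccess in the web root (AllowOverride enabled), that the installer creates a predictably named directory (here "wordpress"), and that the admin IP is known; the directory name, IP and paths below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): shrink the window in which an
# unconfigured one-click WordPress install is reachable by anyone on the internet.
# Assumptions: Apache with AllowOverride on the web root, a known admin IP, and an
# installer that creates a predictably named directory (e.g. "wordpress").

# Write an .htaccess that lets only ADMIN_IP reach the directory until setup is done.
# Apache 2.4 uses "Require ip"; the second block is the 2.2-era fallback.
write_ip_allowlist() {
    dir="$1"; admin_ip="$2"
    cat > "$dir/.htaccess" <<EOF
<IfModule mod_authz_core.c>
    Require ip $admin_ip
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $admin_ip
</IfModule>
EOF
}

# Poll WEBROOT until EXPECTED exists (at most MAX_POLLS seconds), then rename it
# to an unguessable name and apply the allowlist. Prints the new path on stdout;
# returns 1 on timeout or if the rename fails.
guard_install_dir() {
    webroot="$1"; expected="$2"; admin_ip="$3"; max_polls="${4:-600}"
    i=0
    while [ ! -d "$webroot/$expected" ]; do
        i=$((i + 1))
        if [ "$i" -ge "$max_polls" ]; then
            return 1
        fi
        sleep 1
    done
    # 4 random bytes from /dev/urandom, rendered as 8 hex characters.
    suffix=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
    newdir="$webroot/${expected}-setup-$suffix"
    mv "$webroot/$expected" "$newdir" || return 1
    write_ip_allowlist "$newdir" "$admin_ip"
    printf '%s\n' "$newdir"
}

# Typical use (constructed values): start this before clicking the installer button.
# guard_install_dir /var/www/html wordpress 203.0.113.7
```

Run the guard before triggering the one-click install; once it prints the new path, finish the WordPress setup from the allowed IP and only then rename the directory back and remove the .htaccess. The rename matters because the installer evidently resets the directory permissions, so a mode change alone does not hold.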
