September 30th, 2008 • 10:40 am
Either I am desperately unlucky or WordPress has some pretty serious security issues.
You might remember that, a while ago, my site was hacked. That prompted me to update to the latest version of WordPress at the time, and to temporarily shut down the discussion features, including the ability for new users to register themselves (called “open registration” in WordPress parlance). I was able to restore the features after a few days, and then things went back to normal.
I would still get a number of “rogue” new user registrations, i.e. registrations not associated with real comments written and submitted by real, legitimate new people. My user registration page had a warning that new user registrations not associated with real comments would be deleted promptly, and I kept doing just that, and everything was more or less OK.
Yesterday, however, I noticed two new registrations with no associated comments. They didn’t even bother to pretend that they were real people: their user name or e-mail address even had the word “bot” in it.
Unfortunately, at least one of these two registrations came with a new and worrying twist: the new user had been able to give himself an administrator’s ranking, which meant that he was essentially able to make all kinds of changes to my blog!
As far as I can tell, the people behind this didn’t really have time to do anything before I deleted the user accounts in question. But this situation, for me, represents a new stage in the on-going struggle to keep my blog free from spam and other malicious attacks.
Now, I will readily admit that I have once again fallen a couple of versions behind the very latest WordPress build. I have WordPress 2.6, whereas the latest available stable build is 2.6.2. And it is possible, at least based on the information provided in this post, that 2.6.2 actually addresses the very vulnerability that I have just experienced. (The post does not mention what I experienced specifically, but does mention a vulnerability associated with open registration.)
But the truth is that I simply do not have the time or patience to continue to play this cat-and-mouse game with hackers and other malicious bots. I don’t have time to always keep track of the latest WordPress builds in the hopes that they will address security vulnerabilities that I was not aware of before hackers have a chance to exploit them. I do value my readers’ contributions, but not to the point that I can devote all this time and energy to just keeping the discussions features open.
(Part of the problem is that I still don’t have a true broadband Internet connection, which means that the whole WordPress upgrading process takes more than just a few minutes.)
The other option, of course, would be to switch to another content management system that does not suffer from WordPress’s chronic vulnerabilities. But again, at this point, I simply do not have time to even consider such a switch.
The far easier and more preferable option for me at this point is to simply switch off open registration. As far as I can tell, this will go a long way towards reducing the maintenance work required by WordPress.
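For anyone who administers a WordPress site of that era and wants to check for the same thing, the following is an added example (not code from this blog or from WordPress itself). It audits an exported copy of the user, user-meta, comment and option rows for exactly the symptoms described above: accounts holding the administrator role that the owner did not create, accounts that registered but never commented, and the two settings that govern self-registration (`users_can_register`, the “Anyone can register” checkbox, and `default_role`, the role a self-registered account receives). The table prefix `wp_`, the sample rows and the list of known administrators are assumptions constructed for the example; the `wp_capabilities` meta value really is stored by WordPress as a PHP-serialized array of role name to true.

```python
"""Audit WordPress user roles and self-registration settings from exported rows.

The rows below are constructed sample data, not an export from the blog.
Assumptions: default table prefix 'wp_', and the WordPress 2.x layout in
which wp_usermeta holds meta_key 'wp_capabilities' with a PHP-serialized
array such as a:1:{s:13:"administrator";b:1;}.
"""
import re

# --- constructed sample rows (stand-ins for wp_users, wp_usermeta, ...) ---
USERS = [
    {"ID": 1, "user_login": "owner", "user_email": "owner@example.com"},
    {"ID": 42, "user_login": "reader1", "user_email": "reader1@example.com"},
    {"ID": 77, "user_login": "spambot77", "user_email": "bot@example.net"},
]
USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 42, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
    {"user_id": 77, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
COMMENTS = [
    {"comment_ID": 10, "user_id": 42, "comment_approved": "1"},
]
# wp_options rows as option_name -> option_value
OPTIONS = {"users_can_register": "1", "default_role": "subscriber"}

# Accounts the site owner expects to hold administrator (assumption).
KNOWN_ADMINS = {"owner"}

# One role entry of the serialized array: s:<len>:"<name>";b:<0|1>;
PHP_ROLE_RE = re.compile(r's:(\d+):"([^"]*)";b:([01]);')


def roles_from_capabilities(serialized):
    """Return the role names marked true in a PHP-serialized capabilities array.

    Entries whose declared string length does not match the name are skipped,
    since that indicates a truncated or hand-edited value.
    """
    roles = set()
    for length, name, flag in PHP_ROLE_RE.findall(serialized):
        if int(length) != len(name.encode("utf-8")):
            continue
        if flag == "1":
            roles.add(name)
    return roles


def user_roles(usermeta, prefix="wp_"):
    """Map user_id -> set of roles, reading only the capabilities meta key."""
    roles = {}
    for row in usermeta:
        if row["meta_key"] == prefix + "capabilities":
            roles[row["user_id"]] = roles_from_capabilities(row["meta_value"])
    return roles


def comment_counts(comments):
    """Map user_id -> number of comments attributed to that account."""
    counts = {}
    for c in comments:
        counts[c["user_id"]] = counts.get(c["user_id"], 0) + 1
    return counts


def audit(users, usermeta, comments, options, known_admins):
    """Return (user_login, reason) findings; '<site>' marks site-wide settings."""
    findings = []
    roles = user_roles(usermeta)
    counts = comment_counts(comments)
    for u in users:
        login = u["user_login"]
        held = roles.get(u["ID"], set())
        if "administrator" in held and login not in known_admins:
            findings.append((login, "unexpected administrator role"))
        if counts.get(u["ID"], 0) == 0 and login not in known_admins:
            findings.append((login, "registered but never commented"))
        if re.search(r"bot", login + u["user_email"], re.IGNORECASE):
            findings.append((login, "'bot' in login or e-mail"))
    if options.get("users_can_register") == "1":
        findings.append(("<site>", "open registration enabled (users_can_register=1)"))
    if options.get("default_role", "subscriber") != "subscriber":
        findings.append(("<site>", "default_role is %r, not subscriber" % options["default_role"]))
    return findings


if __name__ == "__main__":
    for login, reason in audit(USERS, USERMETA, COMMENTS, OPTIONS, KNOWN_ADMINS):
        print("%-12s %s" % (login, reason))
```

Against the sample rows the audit flags `spambot77` three times (unexpected administrator, no comments, “bot” in the name) and reports that open registration is still switched on; the legitimate commenter `reader1` produces nothing. Closing registration corresponds to setting `users_can_register` to 0, which is what unchecking “Anyone can register” in the WordPress settings does; checking `default_role` as well matters because a self-registered account should never start out above subscriber.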
What does this mean for legitimate Betalogue readers? For those of you who are already registered, there will be no difference. Registered users can continue to post comments without any problems. For new readers who wish to register in order to be able to post comments, however, I am afraid that they will have to go through the manual step of requesting a user registration from me by e-mail. From now on, I am the only one able to register new users.
In order to make sure that I only register legitimate users, I will require that new prospective users send me a request along with the text of the first comment that they want to submit. I will only register users who submit a legitimate and valuable comment on an existing post on my blog.
It is unfortunate that it has come down to this, but I really have no interest in becoming an on-line security expert. My interest is in writing blog posts about various topics other than blogging itself, and sometimes in having discussions with valuable interlocutors about these posts. I don’t have tens of thousands of users and I don’t get tons of valid new user registrations every day. So managing user registrations manually will not be a big problem for me. In fact, as far as I can tell, it will be much easier than continuing to use WordPress’s open registration feature.