Security problems love company.

by Tom Davis

WordPress and Drupal share a security flaw. That's nice (or not)

We see an ongoing parade of security exploit announcements, and it will not stop anytime soon. What made this announcement unique is that it involves two of the most popular website frameworks: WordPress and Drupal. We use both of these systems to build websites.

We get emails from Drupal's security team when these things come up. This one is particularly evil because it does not require any special user requirement to exploit. Apparently anyone (or any bot) can set off a sequence that will shut down the site and possibly the server it is hosted from. Hosting companies are not going to like this. Perhaps that is why we got an email from GoDaddy as well. (GoDaddy is just one of our hosting providers.)

All the websites we manage are now protected against this threat, but I wonder how many of the 40 million WordPress sites will actually get updated. Obviously those websites hosted on hosting will get updated – that is the commercial hosting service by the Automattic, the original developers of WordPress.  Large, very active WordPress sites will get updated since they are highly managed and this update would just flow through the process. It is the millions of sites in the middle. These are small to medium companies where no one considered the long term maintenance of the codebase. Often these websites were built on low budgets by freelancers that are now long gone. I run across a fair amount of these sites, I can tell because they often have "spam hacks" in their page code.

It may be that this security problem is not that big of thing. What would change that is if someone decides to setup a bot to find exploitable sites and set off the exploit around the Web. This would force hosting companies to shut down sites being attacked in order to keep the other sites on their servers running. It would be interesting to see if anyone notices besides the hosting companies.

By the way, there will be plenty of unpatched Drupal sites. It is just that the scale of untended WordPress sites dwarfs everything else.