Thursday, October 16, 2008 at 8:28 AM
Recently we've seen more websites get hacked because of various security holes. In order to help webmasters with this issue, we plan to run a test that will alert some webmasters if their content management system (CMS) or publishing platform looks like it might have a security hole or be hackable. This is a test, so we're starting out by alerting five to six thousand webmasters. We will be leaving messages for owners of potentially vulnerable sites in the Google Message Center that we provide as a free service as part of Webmaster Tools. If you manage a website but haven't signed up for Webmaster Tools, don't worry. The messages will be saved and if you sign up later on, you'll still be able to access any messages that Google has left for your site.

One of the most popular pieces of software on the web is WordPress, so we're starting our test with a specific version (2.1.1) that is known to be vulnerable to exploits. If the test goes well, we may expand these messages to include other types of software on the web. The message that a webmaster will see in their Message Center if they run WordPress 2.1.1 will look like this:
Quick note from Matt: In general, it's a good idea to make sure that your webserver's software is up-to-date. For example, the current version of WordPress is 2.6.2; not only is that version more secure than previous versions, but it will also alert you when a new version of WordPress is available for downloading. If you run an older version of WordPress, I highly encourage you to upgrade to the latest version.



17 comments:
It would be nice if the messages were automatically forwarded to our associated GMail account, as we check that more frequently than the Dashboard messages.
I'm sure this feature will be appreciated by the people who need it, but for me, it's just one more reason why it's nice to be a Blogger
Are there any plans to add support for other platforms (like Drupal) as well?
How are you testing things like this? It's easy to spoof or remove the generator tag that wordpress inserts into the head.
Sometimes it's also not an easy process to upgrade a site from an older version of WP to a newer version, given the function changes and such.
What I'm asking is, are you testing the vulnerabilities, or just the self-identification?
I have protected older versions of WP by upgrading specific files or functions, implemented .htaccess controls, and the like, but NOT changed the generator tag. Would you consider that site to be vulnerable?
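A webmaster-side self-check along the lines the post and the comment above describe, as an added example that is not Google's code: it parses the WordPress generator meta tag out of a page's HTML and compares the advertised version against the 2.1.1 the test flags and the 2.6.2 release Matt names. The sample HTML is constructed; as the commenter notes, an absent or edited tag makes the result inconclusive, never "safe".

```python
import re
from html.parser import HTMLParser
from typing import Optional, Tuple

# Latest WordPress release named in the post (October 2008).
CURRENT_WORDPRESS = "2.6.2"
# Version the post says the test alerts on.
FLAGGED_WORDPRESS = "2.1.1"


class _GeneratorTagParser(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""
    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def wordpress_version(html: str) -> Optional[str]:
    """Version advertised by the generator tag, or None when the tag is
    missing or not WordPress. The tag is trivially removed or spoofed,
    so None is 'unknown', not 'not WordPress'."""
    p = _GeneratorTagParser()
    p.feed(html)
    for content in p.generators:
        m = re.match(r"\s*WordPress\s+(\d+(?:\.\d+)*)", content, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def _vtuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def assess(html: str) -> str:
    """Classify a page: flagged / outdated / current / unknown."""
    v = wordpress_version(html)
    if v is None:
        return "unknown"      # inconclusive: tag absent or edited
    if _vtuple(v) == _vtuple(FLAGGED_WORDPRESS):
        return "flagged"      # exactly the version the post's test alerts on
    if _vtuple(v) < _vtuple(CURRENT_WORDPRESS):
        return "outdated"     # older than the release Matt recommends
    return "current"


# Constructed sample pages, not captured from any real site.
SAMPLE_OLD = '<html><head><meta name="generator" content="WordPress 2.1.1" /></head></html>'
SAMPLE_NEW = '<html><head><META NAME="Generator" CONTENT="WordPress 2.6.2"></head></html>'
SAMPLE_NONE = '<html><head><title>blog</title></head><body>hi</body></html>'
```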
Excuse me, you changed my page without my knowledge or permission! I liked the way it worked - it was not broken and did not require improvement. Now, it won't work!
Gee, you're like that stupid paperclip in Word.....
As long as it's only reading the meta data I'm cool, but if it's actually checking for any exploits like a vulnerability scanner would, it would get blocked by the firewall, and then next thing you know I'm no longer ranking because Google can't find me..
I'm sure you guys realize this but just in case it slipped by..
I have to agree with Pat here. On Blogger, I do not have to worry about security fixes, as well as updates (as they host my content on their servers).
Although I do like WordPress, and have written upon it for over a year, I still prefer Blogger--even over WordPress.com (as I can embed any javascript/flash file that I want).
Hey all ... this blog post just makes me think: if these bandits really sat down and planned a real honest business, they would no doubt be some of the best webmasters online. Why these cloak-and-dagger dirty tricks beats me; it must be harder doing what they do than doing an honest day's work.
All my best to you and your security
Phillip Skinner
Oh, this is quite some news. As the owner of a blog on blogspot, I have some more suggestions:
The security hole can be mainly because of various aspects:
1. Make sure your passwords are really secure and nobody can guess it at all.
2. Stop installing or running any program without enough trust.
3. Don't even think about signing up on various programs which exist there particularly to hack into your sites! Yea, it's a guess but there may be.
For instance, you sign up on a program, and it asks you to install a piece of javascript code, or perhaps run a piece of software on your system. And if you are actually running it when you are logged into your site, the software also gets access to the site. There is no firewall or antivirus to prevent its access. So, anything can happen!
So, just be alert and think of the various possibilities. Only act upon complete trust.
Lenin
That's nice for security.
link me up
http://lirgsecrets.blogspot.com/
http://ereus.blogspot.com/
There are some Wordpress plugins to make your site more secure. Also, using a non-default template may help. I also always remove the "powered by wordpress" from the template, as I think that this is asking for trouble!
I used Blogger for a couple of years before moving to Wordpress, just because of the security issues. But I do like Wordpress, lots more features. Shame it is not as easy to build a custom template!
That's nice info, man..
G Ragu
I challenge Google to also test our WebAPP Open Source CMS. As far as we know, this is the only CMS using a MAC cookie.
Either way, I am afraid that Google could only alert webmasters of diverse mysql injection attempts, unless of course you guys intend to hand Google your root password to the server. Wordpress and the rest of those PHP CMSes are all vulnerable to cookie poisoning as well as overflow attacks on server resources, which may let remote hackers access root user owner permissions within certain folders.
My advice to you all is to avoid PHP, use Perl.
On
WebAPP CMS
For the love of God. My wife and I are suffering at the hand of hackers and google. Our site is no longer indexed by google because a hacker injected some sort of spam comment into our wordpress install, and it has been months since we responded to the message sent to us (that we knew nothing about!) until I decided to check out this new webmaster toolset provided by google. We get NO hits at all now that google stopped indexing us and are suffering tremendously. The message we receive is that it takes several months for google to even RECONSIDER US!!! It is obvious that google knows what was happening with wordpress, yet they do this to hard working individuals like us? It is not fair and this God complex is scary. Can someone please reach us and help us expedite this? HELP!!!
How to increase valuable external links to my site so it would help my ranking?
I had the same problem, we are in beta testing of an awesome piece of software that will scan your whole site daily and tell you if malware, badware or a virus has been added to your site. Then it will email you so it can be fixed. www.hackersmart.com
The term ISO refers to the International Organization for Standardization. You may be curious about the difference between the names of the organization: International Organization for Standardization (http://www.iso.ch/infoe/intro.htm), and the …
Post a Comment