Support » Fixing WordPress » WMF Windows image Exploit

  • IF your WP files are writable AND you are on a shared server (as most of us are) then there is a risk that a file of yours could be linked to a site that, when your files load, tried to get you to download a WMF file.

    This is NOT a WP exploit or weakness.

    The link is also one that you really must not click.

    This happens because of the shared hosting environment and some idiot running a script that writes this junk into your files.
    If this happens on your blog you need to check your files for links that you did not place there. Typical places to look would be theme files though any file that is writable could be a problem.
    Also tell your webhost.

    As detailed:

Viewing 15 replies - 1 through 15 (of 18 total)
  • First point: don’t make anything writeable….

    Some hosts – the bad ones – make things BE writable to work….. if that is your host, MOVE.

    Um. And then there’s the “wp-content needs to be writeable….” situation….




    i second what vkaryl said – unfortunately, the same can be said for some webapps, like this one. it was enough of an issue with just recommending that the theme dirs be writable.

    THANK YOU. I thought myself alone in the grey dim dark….




    nope, and thats precisely why i will NOT be upgrading. I will not use software that requires me to be an exploit waiting to happen.

    I’ve got a couple of 2.0 installs (one an upgrade to the RCs, the other to a test bed 1.5.2), because I need to keep track of stuff (so hopefully I have a clue…. yeah right….)

    MY stuff stays on 1.5.2 until hell freezes over at this rate.

    Yep, it’s a bit scary to open up the wp-content directory for writing by anyone. It should suffice to grant writability to the web server ( and of cours the rightful owner ), but as I understand it, it’s not always possible with ISP solutions. I simply don’t know the user of the web server.
    I really like t have the WP 2.0 though, so – wll it’s more open than I like.

    It kind of depends on how your host sets up the shared servers – and whether apache is run under your username…. among other things.

    “more open than I like….” Scary. You don’t want to go there maybe….




    I remember wayyyyy back, I had a copy of Netscape Communicator (anyone reme that browser?). One of the nifty things was that it had an upload option within the browser (and no, it didnt use ftp://). Imagine that, you could actually upload with a browser.


    The implications of having an entire directory AND subdirectories World Writable are beyond the scope of one little topic here.

    I would hazard a guess that many first time WP users know very little about the risks they are taking with such a setup. They just follow instructions and wonder WTF went wrong in 2 monthes when their site is on zone-h.

    The simple fact is it’s glaringly irresponsible to set up users like that.

    (And yes, Ive been waiting patiently for this topic to be brought up here.)

    Heh. You could have emailed me a gentle nudge….

    There are altogether too many people out there right now setting up “wide open” software. Combined with the proliferation of “script kiddiedom”, it’s a time bomb.

    Well, whose bonehead idea was it to have wp-content writable? I’m sorry but that’s just . . . AARRGGHH!!!

    *takes deep breath*

    I hope whoever it is corrects this OBVIOUS mistake and SECURITY HOLE. geez. WP has been known in the past to be a quality ap. Unless this is fixed, it will certainly lose THAT rep.


    There’s really no excuse for making any portion of an app like this one “open writeable” (meaning you don’t in the developer’s POV “need” to repermit the write options once you’re done with them – hello? YOU ALWAYS NEED TO REPERMIT THE WRITE OPTIONS TO NON-WRITEABLE WHEN YOU’RE DONE WITH THEM). I’m pretty seriously unhappy with the whole thing, truth to say, and some “panacea” statements by the dev haven’t unruffled my feathers either…. not that anyone gives a rat’s ass.





    “A simple “index.php” inside /backup/ would’ve done the trick just as well, without loosening permissions on the entire /wp-content/ directory, but Matt’s the boss.”

    is what kills me. There were other ways.

Viewing 15 replies - 1 through 15 (of 18 total)
  • The topic ‘WMF Windows image Exploit’ is closed to new replies.