I just cleaned up two of my WP sites from the "stealth virus." That's the virus which will live on inside WP despite re-installs. It doesn't change any visible behavior on the WP blog or control panel. It does change WP output on some RSS streams and, more importantly, it is happy to act as a DDoS bot via code that runs in WP.
It is my fault that I didn't more actively update the sites (they were at 2.7). But there is still more that can be done:
The point of this post: I propose that WP should have more defense in depth. As noted, this virus lives on despite WP upgrades. It does this by adding rogue entries to the dbms and hidden files in plugin directories.
WP should continue to try to keep out the malware. But in addition, it should assume that malware may get past the outer gates. WP needs additional defenses, or at least detection schemes. I'm sure there are hundreds of sites that have the stealth virus and don't realize it. And they have no way to tell unless they're handy with SQL or a dbms browser such as phpMyAdmin.
- The 'plugins' part of the dashboard should show every plugin that is actually being loaded from the active_plugins entry in the dbms, not just the ones found in the plugins directory. If an entry in the dbms does not match the usual plugin layout (plugin-dir/plugin-file.php) then the dashboard should make this clear to the user. It should also flag entries that point at hidden (dot-prefixed) files.
- The WP updating and plugins mechanisms should be extended to include "bills of lading" (manifests listing every file and its hash) that are cryptographically signed. The idea is that the act of installing or re-installing either a plugin or WP itself should be able to ensure that there are no added files in the directories beyond what the manifest lists.
- Do not show the WP version in default template outputs or to anyone who is not an admin. This should be the default! No plugin should be needed!
- Either include mechanisms to check the checksums of all the PHP files or make it easy to install other software that does.
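The two detection ideas above (audit what active_plugins really loads, and compare the plugin tree against a manifest taken at install time) can be prototyped outside WP. The following is an added example written for this post, not WordPress code and not something the project ships: it contains a minimal parser for the PHP-serialized string array that WordPress stores in the active_plugins option, a layout check over each entry, and an unsigned manifest check that reports modified, missing and extra files. The plugin tree, the hidden file and the serialized option value are constructed in a temporary directory so the script runs offline; the file contents are placeholders, not real malware. Signing the manifest is the remaining step and is not shown.

```python
import hashlib
import os
import re
import tempfile

# --- 1. Read what active_plugins actually loads ------------------------------
# WordPress stores active_plugins as a PHP-serialized array of strings, e.g.
#   a:1:{i:0;s:19:"akismet/akismet.php";}
# This parser handles exactly that shape (integer keys, string values); it is
# not a general PHP unserializer.
_STR = re.compile(r's:(\d+):"')

def parse_php_string_array(blob):
    if not blob.startswith("a:"):
        raise ValueError("not a serialized PHP array")
    out = []
    pos = blob.index("{") + 1
    while blob[pos] != "}":
        pos = blob.index(";", pos) + 1          # skip the i:<n>; key
        m = _STR.match(blob, pos)
        if not m:
            raise ValueError("unexpected value at offset %d" % pos)
        n = int(m.group(1))
        start = m.end()
        out.append(blob[start:start + n])       # length-prefixed, so '/' or '"' inside is fine
        pos = start + n + 2                     # skip closing quote and ';'
    return out

def suspicious_plugin_entries(entries, plugins_dir):
    """Return {entry: [reasons]} for entries that do not look like a normal plugin."""
    findings = {}
    for entry in entries:
        reasons = []
        parts = entry.split("/")
        if ".." in parts or any(p.startswith(".") for p in parts):
            reasons.append("hidden or traversing path component")
        if len(parts) > 2:
            reasons.append("deeper than plugin-dir/file.php layout")
        if not entry.endswith(".php"):
            reasons.append("not a .php file")
        if not os.path.isfile(os.path.join(plugins_dir, entry)):
            reasons.append("not present on disk")
        if reasons:
            findings[entry] = reasons
    return findings

# --- 2. Manifest ("bill of lading") check over the plugin tree ---------------
def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map of relative path -> sha256 for every file under root, hidden files included."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_manifest(root, manifest):
    """Compare the tree on disk with a manifest recorded at install time."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "extra": sorted(p for p in current if p not in manifest),   # dropped files show up here
    }

# --- 3. Constructed demo: a clean install, then a simulated infection --------
def demo():
    plugins = os.path.join(tempfile.mkdtemp(), "plugins")

    def put(rel, content):
        full = os.path.join(plugins, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)

    put("akismet/akismet.php", "<?php // placeholder for the real plugin file\n")
    manifest = build_manifest(plugins)            # snapshot at install time

    # Simulated infection: a hidden file is dropped in and the plugin file is edited.
    put("akismet/.cache.php", "<?php // placeholder standing in for a dropped file\n")
    put("akismet/akismet.php", "<?php // placeholder for the real plugin file\n// extra line\n")
    # Constructed active_plugins value that now also loads the hidden file.
    option = 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:18:"akismet/.cache.php";}'

    entries = parse_php_string_array(option)
    return suspicious_plugin_entries(entries, plugins), verify_manifest(plugins, manifest)

if __name__ == "__main__":
    suspicious, diff = demo()
    print("suspicious active_plugins entries:", suspicious)
    print("manifest diff:", diff)
```

Against a real site the option value would come from `SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'` (table prefix may differ), and the manifest would be produced by the package author at release time rather than by the site. Note that the manifest check catches the dropped file only because hidden files are walked like any other; a checker that skips dot-files would miss exactly the case this post describes.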
Of course, this sort of thing is not easy. But it is doable: the Perl guys have done it for a while now in CPAN. PEAR may also include cryptographic signatures of packages, I don't know.
But otherwise, I'd say that WP's future is not as bright as it could be. With the speed of zero-day exploits, and the temptations of large numbers of WP sites that are not managed by IT experts, WP has become an attractive target.
Currently, admins don't even know that they've been hacked.