Latest news of the domain name industry

Recent Posts

WordPress founder criticizes NSI’s security

Kevin Murphy, April 13, 2010, 22:47:58 (UTC), Domain Registrars

WordPress founder Matt Mullenweg had a few harsh words for top-five domain registrar Network Solutions today, after a whole bunch of NSI-hosted blogs were hacked over the weekend.

It appears that NSI’s web hosting operation, which includes a one-click WordPress installation service, was failing to adequately secure database passwords on shared servers.

Or, as Mullenweg blogged: “A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files.”

WordPress, by necessity, stores its database passwords as plaintext in a script called wp-config.php, which is supposed to be readable only by the web server.

If the contents of that file are viewable by others, a malicious user could inject whatever content they like into the database – anything from correcting a typo in a blog post to deleting the entire site.

That appears to be what happened here: for some reason, the config files of WordPress blogs hosted at NSI gave read permissions to unauthorized people.

The cracker(s) who noticed this vulnerability chose to inject an HTML IFrame into the URL field of the WordPress database. This meant visitors to affected blogs were bounced to a malware site.

Mullenweg is evidently pissed that some news reports characterized the incident as a WordPress vulnerability, rather than an NSI vulnerability.

NSI appears to have corrected the problem, resetting its users’ database passwords as a precaution. Anybody making database calls in custom PHP, outside of the wp-config.php file, is going to have to go into their code to update their passwords manually.

Tagged: , , , , ,

Comments (3)

  1. Wow, That is bad on NSI side since they are one of the “best supposedly. I do not see how you could configure the server wrong for a 1-click install when you have server techs that do that for you and are on call 24/7 usually. This should have not been a problem for NSI and I hold them responsible not WordPress, It was not wordpress problem that NSI didn’t configure the server right.

    Just my 2 1/2 cents.

  2. Anthony says:

    Randall,

    I think people get confused in thinking that because NSI was one of the first registrars, they are actually one of the best. In my opinion, they are not the best registrar, and I have never heard then mentioned in the running as a top web hosting firm, especially in the realm of WordPress hosting. Usually those accolades (top WordPress hosting firm) go to companies like HostGator, BlueHost, and Media Temple, and LunarPages.

Add Your Comment