Latest news of the domain name industry

Recent Posts

WordPress founder criticizes NSI’s security

Kevin Murphy, April 13, 2010, Domain Registrars

WordPress founder Matt Mullenweg had a few harsh words for top-five domain registrar Network Solutions today, after a whole bunch of NSI-hosted blogs were hacked over the weekend.

It appears that NSI’s web hosting operation, which includes a one-click WordPress installation service, was failing to adequately secure database passwords on shared servers.

Or, as Mullenweg blogged: “A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files.”

WordPress, by necessity, stores its database passwords as plaintext in a script called wp-config.php, which is supposed to be readable only by the web server.

If the contents of that file are viewable by others, a malicious user could inject whatever content they like into the database – anything from correcting a typo in a blog post to deleting the entire site.

That appears to be what happened here: for some reason, the config files of WordPress blogs hosted at NSI gave read permissions to unauthorized people.

The cracker(s) who noticed this vulnerability chose to inject an HTML IFrame into the URL field of the WordPress database. This meant visitors to affected blogs were bounced to a malware site.

Mullenweg is evidently pissed that some news reports characterized the incident as a WordPress vulnerability, rather than an NSI vulnerability.

NSI appears to have corrected the problem, resetting its users’ database passwords as a precaution. Anybody making database calls in custom PHP, outside of the wp-config.php file, is going to have to go into their code to update their passwords manually.

China domain name registrations plummeting

The Chinese ccTLD has lost almost four million domain name registrations since it implemented Draconian identification requirements last December.

According to CNNIC, the .cn manager, there were 9.53 million domains registered at the end of February, compared to 12.28 million in January and 13.45 million in December.

That’s a loss of 3.9 million domains since the new registration requirements were introduced mid-December.

The bulk of the loss appears to have come from pure .cn names, which dropped from 8.61 million in December to 6.14 million in February.

The .com.cn namespace lost about half a million names over the same period. The rest of the drop-off came in lesser-used second-level domains such a .org.cn.

Since December 14, CNNIC has required all Chinese registrants to provide photo ID before they register a domain.

Recently, the registry has tried to enforce retroactive enforcement of this requirement, causing registrars including Go Daddy and Network Solutions to abandon the TLD altogether.