I suppose it's not terribly surprising that Wordpress are bad at security

Fact 1: If you try to leave a comment on a wordpress.com blog with an email address you have registered to a wordpress.com account, it will ask you to sign in.

Fact 2: wordpress.com allows you to have custom domains (I think this might be a paid feature, not that that matters).

Fact 3: If you combine the previous two facts, Wordpress asks you to log in on the custom domain you are currently trying to leave a comment on.

Yes, that’s right. Wordpress is asking you to enter your account password on a third-party domain, simply on the strength of that page telling you it’s a wordpress.com blog, honest for reals.

But I guess it’s OK. There’s totally a Wordpress icon on the page where it asks you to log in, and there’s no way anyone could fake that.
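As an added illustration (not code from the post or from Wordpress), here is the check a defender would want applied to any password prompt: is the form both rendered on and submitted to the identity provider's own origin? The trusted-host list, the hostnames and the paths are constructed for this example.

```python
from urllib.parse import urlsplit

# Hosts on which entering a wordpress.com password is legitimate.
# Constructed allowlist for this example.
TRUSTED_LOGIN_HOSTS = ("wordpress.com",)


def host_is_trusted(host: str) -> bool:
    """True if host is a trusted host or a proper subdomain of one.

    Matching is on label boundaries, so 'login.wordpress.com' passes while
    'notwordpress.com' and 'wordpress.com.evil.example' do not.
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LOGIN_HOSTS)


def assess_login_prompt(page_url: str, form_action: str = "") -> dict:
    """Classify a password prompt by where it is shown and where it submits.

    'third_party_prompt' is the situation the post describes: the provider's
    login form rendered on a blog's custom domain, indistinguishable to the
    user from a phishing page that merely copies the provider's branding.
    """
    page = urlsplit(page_url)
    action = urlsplit(form_action) if form_action else page
    page_host = (page.hostname or "").lower().rstrip(".")
    if not page_host:
        raise ValueError(f"no host in page URL: {page_url!r}")
    # A relative or empty action submits back to the page's own origin.
    action_host = (action.hostname or page_host).lower().rstrip(".")
    action_scheme = action.scheme or page.scheme

    if page.scheme != "https" or action_scheme != "https":
        verdict, reason = "insecure_transport", "password would travel without TLS"
    elif not host_is_trusted(action_host):
        verdict, reason = "third_party_submit", f"form submits the password to {action_host}"
    elif not host_is_trusted(page_host):
        verdict, reason = "third_party_prompt", f"provider login form is rendered on {page_host}"
    else:
        verdict, reason = "ok", "prompt and submission both on the provider's own origin"
    return {"verdict": verdict, "reason": reason,
            "page_host": page_host, "action_host": action_host}


if __name__ == "__main__":
    # Constructed example: a wordpress.com login form shown on a custom-domain blog.
    print(assess_login_prompt("https://blog.example/post/1#comments",
                              "https://wordpress.com/log-in"))
```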


Comments

Rich on 2013-06-27 10:21:37:

Practically every phishing email I get has “/wp-content/” in the “click here” URL.

Rich on 2013-06-27 14:48:28:

“wordpress is an unauthenticated remote shell that, as a useful side feature, also contains a blog”