6 Sep 2023

WordPress Subreddit Faces Content Quality Issues Despite Mods Not Being Purged

On Monday, Ars Technica published a piece with the headline “Reddit faces content quality concerns after its Great Mod Purge”. The story claimed that expertise was being lost on Reddit because moderators of some subreddits were removed for a protest they were involved in. It didn’t really back that claim up, though. Also, a new moderator for a home automation subreddit pushed back on the idea that moderators have expertise:

A moderator on Reddit is probably rarely an expert on the topic they’re moderating over. Instead, they’re a passionate member of the community that sees the value in sharing information between community members, and we’ll all work together to make sure someone doesn’t touch a live wire.

The WordPress subreddit, /r/wordpress/, didn’t have any of its moderators removed. As one recent post we looked into shows, poor quality advice is being given there. That included advice coming from one of the moderators (not for the first time).

Recently, someone was looking for help with malicious code on their website and posted on the subreddit. Or more accurately, they thought there was malicious code on their website.

When we ran across that, they had received three responses in the couple of days since they had posted. One of those responses was promoting a “video of malware infected WordPress.” Another response claimed that the “site is very hacked” and that they needed “to get it cleaned up”.

bluesix

The responding moderator, bluesix, was (once again) promoting the Wordfence Security plugin, writing this:

Install Wordfence and run a scan

You appear to be using multiple abandoned plugins (bloom, thin-out-revisions, wp-seo-html-sitemap, and they’re just the 3 random ones I checked). Don’t do that – that’s a common malware attack vector.

Is your theme still being maintained and is it up to date?

“The comments in the code reference a plugin I have, so I deactivated it, but that didn’t stop it, at least not the first time.” – once your site is breached, deactivating a plugin won’t do anything – your site is already infected. There will be more than one infected file in your instance that will be generating other infected files. You need to clean the site.

There are multiple issues with that.

Abandoned plugins are not a common malware vector. If a plugin is not supported anymore and there is an exploitable vulnerability in it, there likely won’t be a fix (WordPress could provide those, but almost never does). But it is common for well-supported plugins to have vulnerabilities that are widely exploited. This moderator frequently gives out bad advice on security, some of which their own subsequent comments contradict.

The big issue there is that they claimed the website had been infected with malware, when it hadn’t.

This Isn’t Malicious Code

Here is the code in a .htaccess file that the original poster was claiming is malicious:

#Begin Really Simple Security
<Files *.php>
deny from all
</Files>
#End Really Simple Security

A .htaccess file is used to provide directory level configuration of the Apache HTTP server.

The first and last lines are comments that suggest that the code was generated by something called Really Simple Security.

The lines in between those comments restrict files with a .php file extension from being accessed. The poster said that the code was in the file /wp-content/uploads/.htaccess, so that would restrict an attacker who could somehow upload .php files to that directory (or its subdirectories) from being able to directly access them. If they could directly access them, then the malicious code in the files could be run without an additional issue.

That isn’t malicious code. It’s security code. So the three responses were all way off the mark.

One of the plugins the poster listed as having installed is Really Simple SSL. The latest version of that plugin contains code that would generate that. So that plugin should explain how it got in the file.

A Real Problem

Contrary to the three responses given, including the one from a moderator, there isn’t malicious code there. It does sound like there was a real problem, as they wrote this:

It blocks all images loading on the site. It was the only code written in the file. When I delete the file, the problem went away. But then, the file reappeared there, rewritten with the malicious code, and again the images would not load in a browser.

It’s unclear what would be causing that, but that shouldn’t be something caused by the code itself. What wouldn’t solve that is treating this as a malware issue, which it isn’t. But that is exactly what was done.
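One way to check the quoted rule against the reported symptom, as an added example (not code from the post or from the plugin): it parses the block shown earlier and tests which file names its `<Files>` pattern denies. The file names are constructed, and only the wildcard form of `<Files>` with a deny-all directive is handled, which is an assumption of this sketch.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the block quoted in the post, as it would sit in
# /wp-content/uploads/.htaccess.
SAMPLE_HTACCESS = """\
#Begin Really Simple Security
<Files *.php>
deny from all
</Files>
#End Really Simple Security
"""

FILES_OPEN = re.compile(r'^<Files\s+"?([^">]+)"?\s*>$', re.IGNORECASE)
FILES_CLOSE = re.compile(r'^</Files\s*>$', re.IGNORECASE)
# Apache 2.2 style ("deny from all") and 2.4 style ("Require all denied").
DENY_ALL = re.compile(r'^(deny\s+from\s+all|require\s+all\s+denied)$', re.IGNORECASE)


def denied_patterns(htaccess_text):
    """Return the wildcard patterns of <Files> sections that deny all access."""
    patterns, current, denies = [], None, False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments such as the Begin/End markers have no effect
        opened = FILES_OPEN.match(line)
        if opened:
            current, denies = opened.group(1), False
        elif FILES_CLOSE.match(line):
            if current is not None and denies:
                patterns.append(current)
            current = None
        elif current is not None and DENY_ALL.match(line):
            denies = True
    return patterns


def is_blocked(filename, patterns):
    """<Files> matches the file's base name; * and ? are shell-style wildcards."""
    base = filename.rsplit("/", 1)[-1]
    return any(fnmatchcase(base, p) for p in patterns)


if __name__ == "__main__":
    pats = denied_patterns(SAMPLE_HTACCESS)
    for name in ["2023/09/photo.jpg", "2023/09/logo.png", "2023/09/shell.php"]:
        print(name, "-> blocked" if is_blocked(name, pats) else "-> served")
```

Run against the quoted block, only the .php name is denied, so a rule that also stopped images from loading would have to differ from what was posted or come from somewhere else in the server configuration.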

Moderator is Not the Expert

Another issue with the moderator’s comment is that they claimed that one of the plugins being used was abandoned. That received a response from someone more knowledgeable, and follow-ups from them and from someone else more knowledgeable.

Not Working Together

This isn’t the first time that we have run across inaccurate information when it comes to security on the WordPress subreddit. Last October we discussed a popular WordPress plugin being baselessly blamed for a hacked website.

The moderator we quoted from the Ars Technica story earlier mentioned that the community “all work together to make sure someone doesn’t touch a live wire”. In their case, they meant the live wire literally, but with WordPress security it is unfortunately far too often a metaphorical live wire that is being touched. What we have seen is that the moderators of the WordPress subreddit are actually working against improving security. The moderator we mentioned has repeatedly promoted a security plugin, Wordfence Security, despite claiming when confronted that it fails to provide security. It appears their focus is on getting upvotes instead of providing accurate advice, hence they responded here (and elsewhere) despite not having relevant knowledge.
