When it comes to actually trying to improve the poor state of web security one of the big impediments are security journalists, who often act not as journalists, but as stenographers repeating claims made by security companies with little concern for their accuracy or actual significance. A case in point with that comes from  a post from ZDNet’s Zero Day blog (which at least in the past was run by people that didn’t even understand what a zero-day is), titled “Thousands of WordPress sites backdoored with malicious code”, which we got notified due to a Google alert we have set related to WordPress plugin vulnerabilities.

It is not clear exactly how many websites are running WordPress, but one figure put out by Forbes was 75 million, so thousands of websites running it being hacked seems less than significant. In fact there doesn’t really seem to be anything significant about what is being described in the post. The problem with covering things like that is that it gives an inaccurate picture of security of WordPress, since certainly many more than thousands of website not running WordPress are also hacked each month and this can cause people to choose less secure software to use on their website because of skewed coverage. There are also plenty of issues surrounding the security WordPress that could be covered instead of this type of thing, but journalists don’t seem to be interested in covering more significant issues.

What could have made this significant is if the cause of the websites being hacked was something that people wouldn’t already know about and it requiring needing to do something new to protect themselves, but that wasn’t the case:

Researchers believe intruders are gaining access to these sites not by exploiting flaws in the WordPress CMS itself, but vulnerabilities in outdated themes and plugins.

It seems like it would be better to covering why themes and plugins are not being updated and what can be done about that, than trying to make a story of a few websites being hacked.

The worst part of the post comes at the end:

Last week, ZDNet revealed that attackers had been scanning the Internet in an attempt to exploit a recent vulnerability in a popular WordPress plugin.

While Sucuri did not find confirm that this vulnerability was now being used in this recent wave of site hacks, the company did confirm our initial report, based on WordFence’s telemetry.

ZDNet claims to have revealed that on September 12. What they are supposed to have revealed is actually just repeating a claim from Defiant (aka Wordfence), that hackers were doing scanning for a vulnerable file related to the Duplicator plugin. The thing about this is that we discussed that was already being exploited on September 7, based on discussions that had occurred on the WordPress Support Forum the day before. We notified the author of both ZDNet’s posts about that on September 13, but they not only didn’t update the first post, but acted like their being behind on this was actually revealing something in the second one.

Looking at the original post there are a couple of things that stick out there as well, first is this:

Several researchers who did not want to share their names for this piece told ZDNet that they found the Duplicator plugin installed on several top Alexa sites.

What would the researchers name matter there? But more importantly the security issue isn’t in the plugin itself, but in a file generated by it, so that would be what would matter if it existed on the websites.

The other is that the person from Defiant that is quoted in the article is the “Director of Threat Intelligence”, that is quite a title for someone that is less informed than someone that simply has an email alert set for the WordPress Support Forum, which is how we knew that vulnerability was being exploited apparently while Defiant was still only at the point of noticing probing going on (they have history of being behind or worse when it comes to that sort of thing).