Let me tell you a story:
Once upon a time poor lil PonySlaystation received a call. It was a nice guy who cried that his WordPress website had been hacked. So the clusterfuck began...

He gave me the login credentials for the hosting back-end, DB, FTP and CMS.
A hacked WP site was not new for me. It was probably the 6th of maybe 10 I had to do with.
What I didn't expect was the hosting back-end.
Imagine yourself back in 1999 when you tried to learn PHP and MySQL and all was so interesting and cool and you had infinite possibilities! Now forget all these great feelings and just take that ancient technology to 2018 and apply it to a PAID FUCKING HOSTING PROVIDER!
Wanna know what PHP version?
5.3.11, released the day before Gomorrah was wiped.
The passwords? Stored in fucking plaintext. Shown right next to the table name and DB user name in the back-end. Same with FTP users.

I have to call Elon Musk and order some Boring Company Flame Throwers to get rid of this.

Long story long, I set up a new WP, changed all passwords and told the nice guy to get a decent hoster.

  • 9
    Low-key it's the #1 choice hoster of governments around the world :3
  • 4
    Almost had a heart attack 😅
    Does this mean 1=1 works on their system 🤔
  • 1
    @gitpush most likely... 😅
    I will do an internal presentation today about security in web applications and will use this as a bad example. If there's enough time before, I'll try a few basic attack types (no harm).
  • 2
    @PonySlaystation hahaha damn that's too bad