I suppose it’s not terribly surprising that WordPress are bad at security

Fact: If you try to leave a comment on a wordpress.com blog with an email address you have registered to a wordpress.com account, it will ask you to sign in.

Fact 2: wordpress.com allows you to have custom domains (I think this might be a paid feature, not that that matters).

Fact 3: If you combine the previous two facts, WordPress asks you to log in on the custom domain you are currently trying to leave a comment on.

Yes, that’s right. WordPress is asking you to put your account password into a third party domain simply on the strength of it telling you that it’s a wordpress.com blog, honest for reals.

But I guess it’s OK. There’s totally a WordPress icon on the page where it asks you to log in, and there’s no way anyone could fake that.

2 thoughts on “I suppose it’s not terribly surprising that WordPress are bad at security”

Rich June 27, 2013 at 10:21 am

Practically every phishing email I get has “/wp-content/” in the “click here” URL.
Rich June 27, 2013 at 2:48 pm

“wordpress is an unauthenticated remote shell that, as a useful side feature, also contains a blog”

Comments are closed.