Posted by greyface- 10 hours ago

Wikipedia was in read-only mode following mass admin account compromise (www.wikimediastatus.net)
https://wikipediocracy.com/forum/viewtopic.php?f=8&t=14555

https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(techni...

https://old.reddit.com/r/wikipedia/comments/1rllcdg/megathre...

862 points | 297 comments (page 4)
nixass 9 hours ago|
I can edit it
tantalor 9 hours ago||
"Закрываем проект" is Russian for "Closing the project"
j45 9 hours ago||
It's reassuring to know Wikipedia has these kinds of security mechanisms in place.
lynx97 6 hours ago||
Time to spend some of this excess money on a bit of security tightening? I hear we're talking about a 9 digit figure.
epicprogrammer 9 hours ago||
[flagged]
marginalia_nu 7 hours ago||
> [...] is incredibly insidious. It really exposes the foundational danger of [...]

My LLM sense is tingling.

amenhotep 5 hours ago|||
I opened his post history and scrolled down a bit and literally the first thing I saw was a comment starting with "You're absolutely right" lol
sefrost 7 hours ago|||
Yeah, it's like the really high-energy way it's written or something? Can't quite put my finger on it.
quantum_magpie 8 hours ago||
Could you point to where you found the details of the exploit? It’s not in the linked page. Really interested. Especially the part about modifying it and the other users propagating it?
homebrewer 8 hours ago||
The fact of this obvious LLM slop being at the top of this discussion is incredibly insidious. The "facts" it mentions are made up. Has this vapid style finally become so normalized that nobody is seeing it anymore?
256_ 8 hours ago|||
I didn't even notice it until you pointed it out, but I checked that account's comment history and it uses em dashes. Also, "the database history itself is the active distribution vector" is just semantic nonsense.

I still have a basic assumption that if something I'm reading doesn't make much sense to me, I probably just don't understand it. Over the last few years I've had to get used to the new assumption that it's because I'm reading LLM output.

homebrewer 7 hours ago|||
I've also always used em-dashes, it's not a very reliable indicator. That style is a dead giveaway, though. Some of its comments seem to be written by a human, but several definitely aren't.

I've been spending less and less time here, the moderation is obviously overwhelmed and is losing the battle.

https://aphyr.com/posts/389-the-future-of-forums-is-lies-i-g...

jddj 7 hours ago||
The dead internet arrived slowly, then all at once
jibal 5 hours ago|||
It's not semantic nonsense, it's the truth per the incident reports ... go read the links that have been added up top.
infinitewars 8 hours ago||||
That user, epicprogrammer's comment history suggests alignment with the Musk/Thiel/Anduril/DoW/anti-Anthropic crowd who are incessantly trying to damage Wikipedia's reputation to push a "Grokipedia" where they can define the narrative.

I wouldn't be surprised if that group were the origin of this attack too.

JKCalhoun 8 hours ago||||
Perhaps we're at last watching the internet die.
NoMoreNicksLeft 7 hours ago||
Yes, but we did that over the last 15 years. We just never realized that's what we were seeing.

It only clicked for me a few weeks ago, in one thread or another here when I realized that no one could ever do what Google did once: Cloudflare and other antibot technologies have closed off traditional search-as-the-result-of-web-crawling permanently. It's not that no one will do it because they think there's no money in it, or that no one will do it because the upfront costs are gigantic... literally it can no longer be done.

The internet died.

Imustaskforhelp 7 hours ago||
There are still a few options. I recently had the idea of doing search engine queries on 9 search engines.

Mojeek is a good independent search browser, it isn't the best but at that Hackernews comment/analysis I was doing I found it to be the only one which worked for that case.

Brave exists too.

I know the situation is very critical/dire tho but there is still some chance. Albeit quite small.

Mojeek IIRC, is operated by one single guy for 15 years.

jibal 5 hours ago|||
The facts are not made up--check the incident reports.

Most claims of LLM authorship are erroneous.

256_ 9 hours ago||
Here before someone says that it's because MediaWiki is written in PHP.
Dwedit 9 hours ago|
PHP is the language where "return flase" causes it to return true.

https://danielc7.medium.com/remote-code-execution-gaining-do...

m4tthumphrey 9 hours ago|||
Also the language that runs half of the web.

Also the language that has made me millions over my career with no degree.

Also the language that allows people to be up and running in seconds (with or without AI).

I could go on.

dspillett 9 hours ago|||
> Also the language that has made me millions over my career with no degree.

Well done.

> Also the language that allows people to be up and running in seconds (with or without AI).

People getting up and running without any opportunity to be taught about security concerns (even those as simple as the risks of inadequate input verification), especially considering the infamous inconsistency in PHP's APIs which can lead to significant foot-guns, is both a blessing and a curse… Essentially a precursor to some of the crap that is starting to be published now via vibe-coding with little understanding.

jjice 9 hours ago||||
PHP is a fine language. It started my career. That said, it has a lot of baggage that can let you shoot yourself in the foot. Modern PHP is pretty awesome though.
radium3d 9 hours ago||
Pretty sure we've seen people coding in essentially every other programming language also shoot themselves in the foot.
Sohcahtoa82 8 hours ago|||
Every language has foot-guns of some sort. The difference is how easy it is to accidentally pull the trigger.

PHP makes it easy.

jjice 7 hours ago|||
Yeah of course PHP isn't the only programming language you can write bugs in. I don't think you can make it impossible to shoot yourself in the foot, but PHP gives you more opportunities than some other languages, especially with older PHP standard library functions.

One thing I particularly hate is when functions require calling another function afterwards to get any errors that happened, like `json_decode`. C has that problem too.

Problems don't make it a _bad_ programming language. All languages have problems. PHP just has more than some other languages.
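
Added example (not part of the thread or any commenter's code): the `json_decode` pattern mentioned in the comment above, where a failure is only visible through a second call, shown beside the exception-based form. The sample inputs and the function names `decode_legacy` and `decode_strict` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs (not from the thread).
$samples = [
    'valid object' => '{"user":"alice","admin":false}',
    'literal null' => 'null',
    'truncated'    => '{"user":"alice","admin":',
];

// Legacy pattern: json_decode() returns null both for the valid document
// "null" and for a parse failure, so the return value alone is ambiguous.
// The error state has to be fetched with a second call, json_last_error().
function decode_legacy(string $json): array
{
    $value = json_decode($json, true);
    $error = json_last_error();
    return [
        'value' => $value,
        'ok'    => $error === JSON_ERROR_NONE,
        'error' => json_last_error_msg(),
    ];
}

// Strict pattern (PHP 7.3+): JSON_THROW_ON_ERROR turns a parse failure into
// a JsonException, so a forgotten check cannot pass null on as data.
function decode_strict(string $json)
{
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

foreach ($samples as $label => $json) {
    $legacy = decode_legacy($json);
    printf("%-13s legacy: value=%s ok=%s (%s)\n", $label,
        json_encode($legacy['value']), var_export($legacy['ok'], true), $legacy['error']);
    try {
        printf("%-13s strict: value=%s\n", $label, json_encode(decode_strict($json)));
    } catch (JsonException $e) {
        printf("%-13s strict: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

Code that skips the `json_last_error()` call treats the truncated input and the literal `null` identically, which is the failure mode the comment describes.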

ramon156 9 hours ago||||
The language is not what makes you nor the product. You could've written the same thing in RoR, PHP was just first and it's why it still exists
stackghost 8 hours ago||
PHP performance is significantly better than Ruby on Rails, which I think plays a part in its continued popularity.
onion2k 9 hours ago||||
> Also the language that runs half of the web.

The bottom half.

;)

cwillu 8 hours ago||||
Try not to take criticisms of tools personally. Phillips head screws are shit for a great many applications, while simultaneously being involved in billions of dollars of economic activity, and being a driver that everyone has available.
ChrisMarshallNY 9 hours ago||||
I use it on the backends of my stuff.

Works great, but, like any tool, usage matters.

People who use tools badly, get bad results.

I've always found the "Fishtank Graph" to be relevant: https://w3techs.com/technologies/history_overview/programmin...

mannykannot 8 hours ago||
People who use tools badly inflict bad results on other people, quite often far more so than they do so on themselves.
ChrisMarshallNY 6 hours ago||
Yeah. It's funny how companies don't like to hire people that use tools correctly, but insist on creating tools that allow them to hire cheaper, less-qualified people.

PHP works fine, if you're a halfway decent programmer. Same with C++.

theamk 9 hours ago||||
Yep, that's the sad truth - a language's popularity often has nothing to do with its security properties. People will happily keep churning out insecure junk as long as it makes them millions, botnet and data compromises be damned.
radium3d 9 hours ago||||
PHP is insanely great, and very fast. The hate has no clout.
m4tthumphrey 7 hours ago||||
I can't edit nor be bothered to reply to all of the negative responses so I'll put it here.

Pretty much all of you missed the larger point. PHP was what allowed me to not work in retail forever, buy a forever house, never have to worry about losing my job (this may change in the future with AI) or being at risk for redundancy, having chosen to only work for small, "normal" well run profitable businesses.

Unless you're building a hyper scale product, it does the job perfectly. PHP itself is not a security issue; using it poorly is, and any language can be used poorly. PHP is still perfectly suitable for web dev, especially in 2026.

jasonjayr 8 hours ago|||
Perl still runs the other half?
420official 9 hours ago||||
FWIW this was fixed in 2020
dspillett 8 hours ago||
I've not used PHP in anger in well over a decade, but if the general environment out there is anything like it was back then there are likely a lot of people, mostly on cheap shared hosting arrangements, running PHP versions older than that and for the most part knowing no better.

That isn't the fault of the language of course, but a valid reason for some of the “ick” reaction some get when it is mentioned.

Joel_Mckay 6 hours ago||
PHP had its issues like every language, but also a minimal memory footprint, XML/SOAP parser, and several SQL database cursor options.

Most modern web languages like nodejs are far worse due to dependency rot, and poor REST design pattern implementations. =3

ale42 9 hours ago|||
Except that in a contemporary PHP that doesn't work any more.

  PHP Warning:  Uncaught Error: Undefined constant "flase" in php shell code:1

This means game over, the script stops there.
meetpaleltech 8 hours ago||
[dead]
pKropotkin 9 hours ago||
[flagged]
softskunk 9 hours ago|
care to elaborate?
yomismoaqui 9 hours ago||
If I had to guess it's the typical "people with power behaving like dicks".
pKropotkin 8 hours ago||
Absolutely. We know plenty of examples where these arseholes trash genuinely valuable contributions from volunteers just on a whim.
noobahoi 8 hours ago||
[flagged]
yabones 9 hours ago|
[flagged]
gadders 9 hours ago||
"The Wikimedia Foundation, which operates Wikipedia, reported a total revenue of $185.4 million for the 2023–2024 fiscal year (ending June 2024). The majority of this funding comes from individual donations, with additional income from investments and the Wikimedia Enterprise commercial API service."

(Unless this was satire and I missed it)

josefresco 9 hours ago|||
What's the operating budget for other websites with comparable traffic? Without context $185 million seems like a lot, but compared to what? Reddit's operating budget for the same timeframe was $1.86 billion.
gadders 9 hours ago||
I agree, but it's not a shoestring budget. They also seem to run a surplus every year:

The Wikimedia Foundation (WMF) maintains a significant financial surplus and a growing, healthy balance sheet, with net assets reaching approximately $271.5 million in the 2023–2024 fiscal year. This surplus is largely driven by consistent, high-volume, small-dollar donations, with total annual revenue often exceeding $180 million.

josefresco 9 hours ago||
Surplus is a good thing right? Long term stability, responsible financial management, healthy margins? If they said one year "You know what? We're good on donations this year." it would never be restarted.
skrtskrt 9 hours ago|||
I think the question might be how much money, effort, and expertise is going into the platform itself.
cursuve 9 hours ago|||
They are rather well funded for a non-profit and the reserves in the endowment fund are very healthy:

https://en.wikipedia.org/wiki/Wikipedia:Fundraising_statisti...

https://wikimediafoundation.org/who-we-are/financial-reports...

cm2012 9 hours ago|||
Wikipedia probably actively wastes $100m per year
ale42 9 hours ago||
On what? I'd be curious to read more (documented sources)
kbolino 9 hours ago|||
Where and how they spent their money is on p. 21 of this PDF [1] which can be obtained from this official source [2]. This is just a high-level breakdown, but it does illustrate that, for example, more than twice as much is spent on "Donation processing expenses" ($7.5M) as "Internet hosting" ($3.1M), and that the largest line item, by far, is "Salaries and benefits" ($106M).

[1]: https://wikimediafoundation.org/wp-content/uploads/2025/04/W...

[2]: https://wikimediafoundation.org/annualreports/2023-2024-annu...

streetfighter64 8 hours ago||
Well obviously salaries will be the highest expense in any organization like this. The more interesting question is if it's salaries to security programmers or teachers at an African women's coding bootcamp (yes they did spend money on that, and yes it's probably useful, but hardly what people think of when they see those "donate now to keep Wikipedia alive" banners). A big percentage probably goes to their CEO who does who knows what.
kbolino 8 hours ago||
There are a couple of ways to approach this information. One is to compare to the past. For example, comparing with 2008-2009 [1], they now spend 3.75 times as much on hosting, but 48 times as much on salaries, illustrating a more-than-tenfold relative growth in salaries compared to hosting. While hosting is not now nor ever was their only relevant expense, it is a good anchor point.

Another key difference over the last 15 years has been the introduction of awards and grants, which didn't exist then but now comprise $26.8M (15%) of their expenditures. This is where most of the ideological/controversial spending actually goes, rather than the salaries per se, but even more to the point, this one line item is more than 3 times their entire inflation-adjusted budget from 15 years ago ($5.6M times 150% CPI = $8.4M) and is still more than if we adjusted their entire budget using the hosting cost as an index ($5.6M times 3.75 = $21M).

[1]: https://upload.wikimedia.org/wikipedia/commons/a/a4/WMF_Annu...

streetfighter64 7 hours ago||
Look, I'm not defending Wikipedia, I'd just like to point out that comparing hosting to salaries is a quite strange metric. Hosting is cheap and relatively constant, adding features to the site or paying admins to maintain the quality of edits is scalable. How does throwing more money at hosting make a better product? It's not like the servers can't handle the requests.

Using hosting costs as an index is nonsensical. I wasn't able to find numbers for 2009, but since 2015 the monthly page views have remained almost exactly constant. So you might as well claim that they're vastly overpaying for hosting since inflation from 2008 is way less than 3.75x.

kbolino 7 hours ago||
I picked hosting because it's a line item that exists across all of their budgets, it's a rough proxy for a web business's non-salary expenses, it's a big part of what you think you're donating to based upon Wikipedia's own language in their fundraising drives, and if nothing else, it's way more forgiving to the growth of their expenses than consumer price inflation is.

Ultimately every person has to decide for themselves whether they think WMF is a worthy recipient for their donations, but it is in no way operating on a shoestring budget nor staffed by volunteers anymore.

cm2012 7 hours ago|||
Depends how you define waste if you agree. But you could cut $100m yearly and core Wikipedia would still run great.

https://en.wikipedia.org/wiki/User:Guy_Macon/Wikipedia_has_C...

Markoff 9 hours ago|||
Please stop spreading lies, Wikipedia is swimming in money and they have money for years or even decades if they would not waste it on various seminars and other nonsense unrelated to running Wikipedia
SoftTalker 9 hours ago||
Society and culture were fine before Wikipedia. I could argue that they have degraded substantially since Wikipedia came into being (but correlation is not causation, in either direction).