I feel sorry for the WordPress developers, but I feel even more sorry for their users.
Over the past year, WP users who keep track of updates have had to patch and upgrade their installs so many times that it’s not funny.
The way I see it, WordPress users fall, broadly speaking, into two main categories:
- Casual users
- Geeks
Casual users want a CMS to use for their website or blog. They like the way it’s easy to install and they’ve heard good things about it. Lots of webhosts offer easy installers for WordPress.
Lots of designers like working with the WordPress templates.
Neither the casual user nor the designer is going to be signed up for security alerts from Secunia, SecurityFocus or any of the other security sites.
Geek users are probably more likely to play with stuff and are probably going to install lots of plugins.
Now a hardcore geek might check the source of a plugin to see if the code is “sane”, but the average blog jockey probably isn’t that concerned with security.
They’re not going to worry about the security holes that a CMS with PHP code in its templates could actually cause.
Why would they?
So WordPress has had security issues in the past.
Surely the latest version resolves all of these?
Surely a major update would bring more than just eye candy?
Seemingly not.
According to SecurityFocus, WP 2.5 is open to SQL injection.
What does that mean in English?
It means, simply, that a malicious person could inject data, i.e. content, into your blog’s database.
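To make that concrete, here is an added example (not code from the original post, and not WordPress’s own code) showing the two ways a web application can build a database query from a visitor-supplied search term. The vulnerable version splices the term straight into the SQL string, so a term containing a quote can change what the query does; the hardened version binds the term as a parameter, which is the role WordPress’s `$wpdb->prepare()` plays in PHP. The in-memory SQLite table, the post rows and the search terms are all constructed for the demonstration and do not mirror the real WordPress schema.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a blog database: two posts, one of them unpublished."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)"
    )
    conn.execute("INSERT INTO posts (title, status) VALUES ('Hello world', 'publish')")
    conn.execute("INSERT INTO posts (title, status) VALUES ('Draft thoughts', 'draft')")
    conn.commit()
    return conn


def search_posts_unsafe(conn, term):
    """Vulnerable pattern: the visitor's term is concatenated into the SQL text.

    The database engine cannot tell where the query ends and the data begins,
    so a term containing a quote rewrites the WHERE clause.
    """
    sql = (
        "SELECT id, title FROM posts "
        "WHERE status = 'publish' AND title LIKE '%" + term + "%'"
    )
    return conn.execute(sql).fetchall()


def search_posts_safe(conn, term):
    """Hardened pattern: the query shape is fixed, the term is a bound parameter.

    Whatever the visitor types is delivered to the engine as a value, never as
    SQL, so quotes and comment markers are searched for literally.
    """
    sql = "SELECT id, title FROM posts WHERE status = 'publish' AND title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # An ordinary search behaves the same either way.
    print("unsafe, 'Hello':", search_posts_unsafe(db, "Hello"))
    print("safe,   'Hello':", search_posts_safe(db, "Hello"))
    # A term carrying a quote and a comment marker: the unsafe query now returns
    # every row, including the unpublished draft; the safe query finds nothing,
    # because no title literally contains that text.
    odd_term = "x' OR 1=1 --"
    print("unsafe, odd term:", search_posts_unsafe(db, odd_term))
    print("safe,   odd term:", search_posts_safe(db, odd_term))
```

The point for a site owner is that the fix is structural, not a matter of filtering “bad” characters: once the query text and the visitor’s data are passed to the database separately, the injected content has nowhere to go.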
There’s a longer article discussing some of the implications over here with some back and forth between the author and Mr WordPress – Matt Mullenweg.
In typical fashion Mullenweg tries to attack the author instead of addressing user concerns.
A simple “we aren’t aware of any issues” or something along those lines would have been so much more graceful, but no, that was not the case.
I’m no longer a WordPress user, so I can’t tell first hand, but is there a glaring big flashing light going off on WP installs if the software is out of date and needs to be upgraded to address security issues? Is there?
OpenX has had that for ages. It practically forces you to upgrade as soon as you log in to an out-of-date install. They also don’t mind telling users about security holes, instead of adding them as an afterthought.
Now whether or not the latest security hole is a real danger or not is irrelevant. It doesn’t matter. Seriously.
What does matter is that people trusted WordPress, but are now being embarrassed when their sites are defaced or hijacked.
Transparency and honesty nearly always win out and taking a proactive stance on webapp security should be part and parcel of any developer’s modus operandi. Shiny interfaces may help the bubble 2.0 crowd, but when the bubble bursts it would be nice to see things with a proper foundation.
(And WP isn’t the only webapp with a dire security history – I’m looking at you, Joomla, and you, phpBB.)
Kae Verens says
not quite like that, but yes – there is a message that displays across the top, “A new version of WordPress is available! Please update now.”, with the last sentence linked to the WP downloads area.
I remember pointing out a WP security hole myself a few years back (the fact that I could ‘include’ an arbitrary apache-accessible file on the computer using the theme templates). However, in order to exploit this, you needed to have access to the themes admin anyway, which implies that I had permission to read that file anyway.
personally, I haven’t had any problems that I’m aware of, and I’ve been using WP for years, upgrading only occasionally.
Matt says
Sorry if that thread is overly verbose, it’s probably because I know Kevin in person.
1. To the best of our knowledge, the SQL thing you link has no basis in fact and version 2.5 blogs are fine.
2. Since the 2.3 branch, which had 1.9 million downloads, WP has included new release notification at the top of every page right under the menu, and spanning the width of the page, on every page in the dashboard.
Robert Synnott says
I don’t think Matt actually realises it, but he is _incredibly_ bad at responding to criticism, especially when Automattic or WordPress actually _has_ done something stupid (user registration security hole fiasco, dodgy linking tactics on WordPress.org and so forth). I think he needs to realise that most people who raise issues aren’t doing so because they personally dislike him or his company, but because they actually think they are problems.
Most more sensible companies _like_ to be told what they are doing wrong, or what their users perceive to be their doing wrong. The whole really, really defensive thing doesn’t look good.
Dr. Mike Wendell says
On the LxAdmin VPS I have our DNS server and my own personal sites on, the autoinstaller still has WordPress at version 2.2. On my own DirectAdmin boxes, we’ve actually removed the autoinstallers and do all software installs and upgrades in-house. Sure, it takes a lot away from our bottom line, but 1) we know what’s on the boxes and 2) everybody gets upgraded except for those diehards who want to do it themselves (and we lean on those). Those autoinstallers lead to a lot of problems because end users think they’re OK if they use them, and they’re really not.
Michele Neylon says
Mike
Some of the auto-installer vendors provide hardened versions of the scripts they provide. I’m not sure if that’s the case with the WP installer you’re using and I know it isn’t with the Installatron installers either, but Plesk has a non-standard installer which *may* be more secure.
Michele
Leon Quinn says
Michele, searched for “wordpress” on your blog search after our quick Twitter chat – figured you’d have written about it somewhere!
Anyway, like I said, I’m interested in any bad comments people make re WP as I use it almost exclusively to design (or should that be install!) sites for clients, and I think it’s the best pound-for-pound CMS out there and is particularly easy to use. I must have built 40-odd sites this year with it and I haven’t heard of one of them being hacked. WP allows me to build better, SEO’d sites quicker and cheaper than most other designers, so I love it!
My own blog is WP based and it gets a lot of traffic and spam but I’ve never had an issue. Upgrading the code and plugins is easy and I do it regularly.
Irish WP contributor Donnacha O’Caoimh has written a good hack scanner available at – http://www.ocaoimh.ie/exploit-scanner/