WordPress Security: It’s Getting Worse, Not Better
By Greg | February 13, 2008
Do you rely on WordPress to publish a site or a portion of a site? If you do, the newly cavalier attitude of WordPress developers with respect to divulging specific security exploits that could affect thousands of individual blogs has made your reliance far more dangerous than it ever has been before. Far from a gradually improving security picture, WordPress security is getting worse — much worse.
Ever notice how the commercial WordPress.com platform mysteriously manages to close serious security holes before the rest of the world has the opportunity to install fresh open source code from WordPress.org? Does the WordPress developers’ newly cavalier attitude toward disclosing not just severe security bugs but whole security exploits have anything to do with Automattic’s commercial interest in moving large publishers off the free stuff and onto a commercially supported service? Or is it just a stunningly primitive marketing ploy intended to force individual bloggers to keep checking for WordPress updates every couple of minutes in case the developers have just announced to the world how to hack their blogs?
Once upon a time, new WordPress releases were accompanied by some fairly brief notes about how many bugs had been fixed, and in the case of security fixes, some (I would assume deliberately) vague descriptions of the problems that had been overcome. Sure, additional details have always been available via the open bug tracking system, so those who really wanted to follow the specific details of the software’s development could do so. Naturally, any hard-core hacker intent on wreaking havoc with the world of WordPress would already have been examining every potentially exploitable bug submission anyway, so new release notes wouldn’t be expected to reveal anything they didn’t already know.
Lately, however — as of the 2.3.2 and 2.3.3 releases — the WordPress developers have inexplicably begun announcing to the world the exact details of the security holes which those releases plug and sometimes linking directly to explanations of how to exploit the security holes. The 2.3.2 release contained a link directly to the WordPress trac entry explaining the relevant security vulnerability, while the WordPress MU (multi-user) release that corresponds to the main WordPress 2.3.3 release was accompanied by a link directly to an exploit that enables any user of a WordPress MU system to execute arbitrary PHP code. The main 2.3.3 release announcement itself likewise included a link which was just a couple of further links away from a detailed discussion of exactly how to exploit a (different) major security flaw in WordPress.
Now, if you’re a hacker intent on wreaking havoc in the world of WordPress, none of what appeared in the release announcements would have been new — because, after all, super-intent hackers keep up with this stuff anyway. But the impact of this new determination to tell the whole world how to hack WordPress blogs is at least two-fold:
- Other folks, besides those previously hell-bent on attacking WordPress installations, now have the full details handed to them, making it pretty quick and easy to launch attacks against WordPress installations. In other words, the set of potential threats to YOUR WordPress installation has just been expanded by a huge factor: now every Tom, Dick and Script Kiddy out there can become a threat to your software installation just for the heck of it.
- Ordinary everyday WordPress users (many of whom installed WordPress using Fantastico, which does not get updated to reflect new WordPress releases until days or weeks later) are now left in the position of either having to scramble to address all those new threats the WordPress developers have just created, or giving up on running their own installations of WordPress in favour of some other platform or (ahem!) a centrally controlled WordPress platform which just happens to be run by the same folks who write and release most of the code for WordPress.
Of course someone might say: “oh, but exposing security exploits is a good thing, because it will induce users to do a better job of maintaining their software and will encourage them to update whenever new code becomes available”. OK…yes…it will encourage people to update their code…so that what…so that they can become more secure? Yes, that would be good, wouldn’t it — helping users to become more secure by vastly increasing the potential number of threats against their blogs?
That reasoning is so astonishingly bad that I find it hard to believe anyone would fall for it. So is it, instead, just a stunningly primitive marketing ploy intended to draw more attention to WordPress announcements, in case they might be telling the whole world exactly how to hack your blog? Or is it nothing more than a sign of the steadily creeping commercial influence wielded by Automattic and the budding assortment of commercial WordPress support services, who could stand to benefit hugely by users becoming too afraid to run and support their own WordPress installations due to all those new security threats the developers have created for them?
Who knows? I certainly don’t! But what I do know is that as a direct result of this newly cavalier attitude toward describing and linking to security exploits, WordPress security is getting much much worse, not better.
P.S. To those folks who’ve been asking whether I fell off the face of the Earth after my last posts, the answer is nope! Just been very engaged with other projects lately… I’ve written many posts in my head and then just never got ’round to entering them. Hopefully soon I’ll get things back in balance and appear here at least every so often!