September 6th, 2009
There’s a lot of news about the recent security problems with old versions of WordPress. If you’re not keeping up to date with WordPress upgrades (the latest as of this date is 2.8.4), you are putting yourself at risk.
For those who say that upgrading is a pain, it can be. But if you’re using a bunch of plugins that break with WordPress upgrades, then you’re opening yourself up to attack. Now is the time to ask yourself, do I really need that plugin? Or if you do, is there a newer version that’s better written? The new versions of WordPress make upgrading much easier, which reduces the pain in the future. And no matter how annoying an upgrade may be, rebuilding a site that’s been hacked into oblivion is much, much, much, much harder.
So, take the time to give your WordPress installs some love. It will save you a lot of pain and heartbreak in the end.
June 24th, 2008
The next version of WordPress will make it harder for external clients like BloGTK to work by disabling, by default, the remote publishing APIs (XML-RPC) they depend on.
Take a wild guess as to how I feel about that one.
Granted, all this adds is one more step for users, but it also makes remote access a “second-class” citizen in the WordPress world. You don’t solve security issues by sweeping them under the rug. The WordPress team still has to fix the underlying vulnerabilities; this isn’t saving them any time or effort. It may help some users on the margin by removing one attack vector, but it’s not going to provide a big enough benefit, especially given the myriad other ways in which WordPress can be compromised.
If WordPress wants to get serious about security, they need to apply this same logic everywhere. Malicious themes are a huge problem, so users should have to explicitly enable theme support. Malicious and poorly written plugins can leave WordPress wide open to attack, so before any plugins can be used, users should have to explicitly authorize plugin support. The list could go on.
This may sound harsh, but the WordPress team is taking the Windows Vista approach to security. Adding steps for users just makes things worse because it tends to engender a false sense of security. The real security solution is doing old-fashioned things like making sure that you’re validating and escaping every piece of input you get, not annoying users and the developers who depend on your ecosystem.
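To make the “sanitize every piece of input” point concrete, here is an added example (not code from the original post or from WordPress itself): one request parameter handled twice, first pasted into a query and echoed back, then coerced to the expected type, bound as a prepared-statement parameter, and escaped on output. It uses an in-memory SQLite database and a constructed `posts` table so it runs stand-alone; the comments name the WordPress equivalents (`absint()`, `$wpdb->prepare()`, `esc_html()`) a plugin would call instead.

```php
<?php
// Added example, not part of the original post. Runs with plain PHP (>= 7.4)
// and the pdo_sqlite extension; no WordPress install needed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
// Constructed sample rows: one public post and one that must never be shown.
$db->exec("INSERT INTO posts VALUES (1, 'Hello world', 'publish')");
$db->exec("INSERT INTO posts VALUES (2, '<script>alert(1)</script> secret draft', 'private')");

// Vulnerable: the request value is concatenated into the SQL text, and the
// stored title is returned verbatim, so an attacker controls both the query
// (SQL injection) and the HTML the visitor sees (stored XSS).
function lookup_vulnerable(PDO $db, string $id): string
{
    $sql  = "SELECT title FROM posts WHERE status = 'publish' AND id = $id";
    $rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    return implode("\n", $rows);
}

// Hardened: coerce the input to the type you actually expect, let the driver
// bind it as a parameter, and escape every value on the way out.
function lookup_hardened(PDO $db, string $id): string
{
    $id = (int) $id;                                          // WordPress: absint()
    $stmt = $db->prepare(
        'SELECT title FROM posts WHERE status = ? AND id = ?' // WordPress: $wpdb->prepare()
    );
    $stmt->execute(['publish', $id]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    return implode("\n", array_map(
        fn ($title) => htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), // WordPress: esc_html()
        $rows
    ));
}

// Constructed attacker input for the "id" parameter. In the vulnerable
// version the WHERE clause becomes "... AND id = 1 OR 1=1", which matches
// every row, including the private one carrying the script tag. In the
// hardened version (int) "1 OR 1=1" is 1 and only "Hello world" comes back.
$attack = '1 OR 1=1';
echo "vulnerable:\n" . lookup_vulnerable($db, $attack) . "\n\n";
echo "hardened:\n" . lookup_hardened($db, $attack) . "\n";
```

The two fixes are independent: type coercion plus parameter binding stops the query from being rewritten, and output escaping stops whatever is in the database (however it got there) from being interpreted as markup. Dropping either one leaves a hole the other does not cover.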
If WordPress can’t adapt, people will move on. WordPress flourished when MT lost its edge — and back then WordPress was not the better package, but it had the mindshare of the community. The next WordPress is waiting in the wings, and if WordPress keeps taking such a mistaken approach to security, they could easily fall behind.