17 Comments

  1. Danny G Smith

    Yes, it is very secure. Other platforms, like Joomla, often release patches after the worm is in the wild. We had weeks in advance to upgrade.


  2. Has a WordPress installation which has been set up and maintained correctly ever been hacked? I assume not. I certainly haven’t heard of that happening before.

    So I guess until that happens, it’s safe to assume that WordPress is as safe if not safer to use than most other web software.


  3. Danny is wrong – that worm has been in the wild since well before WP 2.8.4. It just hadn’t caused a flurry of activity on the forums till recently.

    I answered that “it’s a trick question” because WordPress is not secure. Nor is any other application. All software has vulnerabilities, all web apps are at risk. It’s a simple fact of life that if there is any vulnerability black hats will find it and exploit it.

    WordPress installs are also at risk from vulnerabilities in PHP, MySQL, the server OS, any server apps such as cPanel, phpMyAdmin, Horde or other mail apps…. the only way to have a 100% secure site is to not have one!
    All WordPress users can do is to make their sites as secure as possible and make sure they have a recovery plan.


  4. If you mean WordPress as it should be used, then yes, it is secure.

    If you mean WordPress as it actually is used by most normal users, then no, it is not.

    Some very tech savvy people got caught out by this latest round of attacks; we need to stop blaming human stupidity, accept it as a fact and start addressing what to do about it.


  5. It sounds like all the recent issues were solved before 2.8.3 (and even the problem that inspired 2.8.4 was pretty minor). If people were running older versions, they need to update.

    I wish my WordPress installation would e-mail people if it detects it’s not running the latest version.


  6. @donnacha

    Wouldn’t it be better for WordPress to keep a mailing list for announcements when a new WordPress version comes? Also, not just a major 2.x version but all versions, even if 2.8.4.0.0.0.0.0.0.0.0.12 came.


  7. “Wouldn’t it be better for WordPress to keep a mailing list for announcements when a new WordPress version comes? Also, not just a major 2.x version but all versions, even if 2.8.4.0.0.0.0.0.0.0.0.12 came.”

    That’s what the dev blog is for … http://wordpress.org/development/


  8. @Miroslav Glavic – A mailing list would be good but the advantage of a plugin is that each of your installations of WordPress emails you if it wasn’t up-to-date.

    A mailing list would only let you know that an update had been released, it would not remind you of how many blogs you have or what their current version number is. An email coming directly from each installation could also contain a link taking you directly to that installation’s upgrade page.

    Actually, I won’t be surprised if email notifications are soon made a default feature, it strikes me as the easiest way to reduce the number of neglected blogs, taking the viral momentum away from these worms.
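The per-installation check described in the comment above, as an added example that is not part of the thread and not WordPress’s own code. It assumes the installed version is read from wp-includes/version.php (the `$wp_version` assignment), that the caller supplies the current release number (in practice you would fetch it from the api.wordpress.org version-check endpoint; here it is a constructed parameter so the script runs offline), and that the site’s upgrade page lives at wp-admin/update-core.php. The sample version.php content and site URL are constructed.

```python
"""Per-install WordPress version drift check that builds an e-mail notice.

Added example (not from the thread or from WordPress). Assumptions:
  * installed version comes from wp-includes/version.php ($wp_version);
  * the latest release number is passed in by the caller (offline here);
  * the upgrade page is <site>/wp-admin/update-core.php.
"""
import re
from email.message import EmailMessage
from typing import Optional, Tuple

# Constructed sample of wp-includes/version.php for an out-of-date install.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '2.8.3';

$wp_db_version = 11548;
"""

_VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*'([^']+)'\s*;", re.M)


def parse_wp_version(version_php: str) -> str:
    """Extract the $wp_version string from version.php text."""
    match = _VERSION_RE.search(version_php)
    if not match:
        raise ValueError("no $wp_version assignment found in version.php")
    return match.group(1)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.8.4' into (2, 8, 4) so comparison is numeric, not lexical
    ('2.8.10' must sort after '2.8.4'; plain string comparison gets that wrong).
    Non-numeric suffixes such as '-beta1' are ignored for the comparison."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_outdated(installed: str, latest: str) -> bool:
    """True when the installed version is strictly older than the latest one.
    Missing trailing components are treated as zero ('2.8' == '2.8.0')."""
    a, b = version_tuple(installed), version_tuple(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def build_notice(site_url: str, installed: str, latest: str,
                 to_addr: str) -> EmailMessage:
    """Compose the notification e-mail with a direct link to this site's
    upgrade page. No credentials go into the mail; the link lands on a page
    that still requires an admin login."""
    upgrade_url = site_url.rstrip("/") + "/wp-admin/update-core.php"  # assumed path
    msg = EmailMessage()
    msg["Subject"] = f"[{site_url}] WordPress {installed} is out of date ({latest} available)"
    msg["To"] = to_addr
    msg.set_content(
        f"The WordPress installation at {site_url} is running {installed}; "
        f"the current release is {latest}.\n\n"
        f"Upgrade here: {upgrade_url}\n"
    )
    return msg


def check_site(site_url: str, version_php: str, latest: str,
               to_addr: str) -> Optional[EmailMessage]:
    """Return the notice to send for an outdated site, or None if current.
    Sending is left to the caller (e.g. smtplib) so this runs offline."""
    installed = parse_wp_version(version_php)
    if not is_outdated(installed, latest):
        return None
    return build_notice(site_url, installed, latest, to_addr)


if __name__ == "__main__":
    notice = check_site("https://blog.example", SAMPLE_VERSION_PHP,
                        "2.8.4", "admin@example.com")
    print(notice if notice else "up to date")
```

Run it from a cron job on each server, reading the real wp-includes/version.php; the numeric comparison matters because a lexical check would report 2.8.10 as older than 2.8.4 and never fire.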


  9. @Ryan – Yeah, the dev blog is good but, seriously, even of the minority of people who use RSS (everyone should IMHO, but they aren’t), how many of us are truly on top of our feeds enough to trust it as a way to receive urgent notifications?

    The same goes for Twitter.

    For all its faults, email remains the surest way to get information in front of people quickly and, again, the dev blog RSS feed can’t remind you how many blogs you have out there and what version each of them is.


  10. If people are having this much trouble remembering/knowing to upgrade, then perhaps they should be using an automatic upgrade plugin?

    Or some sort of SVN setup (I haven’t tried that … yet).


  11. I think WordPress is secure, for sure (as secure as it can be) – but users have to be up to date, of course. There are a lot of users out there who really use old versions of WordPress, even after the last security message… but that’s no fault of WordPress. Sorry for my bad English.


  12. It seems that the only way to solve these “problems” is to make WordPress unhackable, which although technically possible is probably not feasible since it would require development plummeting and all efforts being directed to security, which would not lead to further development of the software. I guess that’s part of the reason WordPress 2.0 was kept as a stable version for so long, but that route failed as no one in their right mind would bother using 2.0 since it was so far out of date on everything BUT security issues.

    So in a nutshell, I think we should just keep telling people that they can leave their site un-upgraded, but don’t go whining about it if/when you get hacked.

    I got hacked a while ago now. There was no point in me complaining about it as it was entirely my own fault. I simply didn’t bother upgrading one of my sites and so someone eventually found it, hacked it and bingo, my site was stuffed. This seems to happen to many other people, most of whom just take it on the chin like they should, but for whatever reason a bunch of people get in a big huff and try to blame WordPress itself for their own laziness/stupidity. I see little/no point in taking notice of these people except to try to ensure that those who listen to their rants are made aware of the fact that it was not WP’s fault that a site got hacked.

    The fact that there are no reported cases of WordPress installations being hacked EVER, bar those which the owner has not bothered to update, is brilliant advertising for the software’s security.


  13. Just because nobody reported current versions being hacked doesn’t mean this hasn’t happened. WordPress is used by millions of people but we only ever hear from a very small fraction of these. Power users, especially those who understand risks and know how to take remedial action, don’t go to forums to bleat about their site(s) being exploited.

    An exploit may be reported to WordPress without ever saying that the information was gathered because a site was hacked.

    I had a site hacked years ago. It was running the latest WordPress of that time & after I found the exploit had been publicly reported in milw0rm I didn’t bother notifying the devs.


  14. I’m pretty sure there are zero-day exploits working on 2.8.4, and the worm exploit has probably been a zero day for a long time. Who knows, maybe years.

    I voted it’s a trick question. Is it safe enough? Yes, it’s safe enough, if you don’t run a critical site that is likely to get special attention from hackers and store sensitive information in the backend.

    http://www.number10.gov.uk/ is running WP and it should really attract some hacking attempts. Mike Little at http://zed1.com/blog may have modified it quite a bit though, and it’s probably on the safest of servers, but running WP safely is possible.


  15. Security vs Features is a trade off in any software.

    I answered trick question, because:

    - out of the box the current version of WP is thought to be secure
    - any version of WP is securable
    - any version of WP can be made insecure

    In IT we always say security is an ongoing process, not a single state or point in time.


  16. Thanks for all the great feedback regarding the poll, makes it a bit livelier. I voted that it was a trick question because although WordPress 2.8.4 could be stated to be secure, it’s only secure until someone finds a vulnerability. If the vulnerability is discovered in 2.8.4 it means that it existed during the time I thought the version was secure when really it wasn’t.
