Over the weekend, news quickly spread throughout the WordPress community of a worm that was taking advantage of older versions of WordPress. I found out about the problem through Lorelle’s twitter account where she linked to an article on her blog covering the details of the attack. Mark Ghosh of WeblogToolsCollection.com quickly followed up with a post of his own acknowledging that the plugin competition blog had been compromised. News of the attack quickly spread with over 150 posts in this WordPress support forum thread alone, but unlike so many people, I had no need to panic since this site is upgraded within a day or two of a release whether it’s security related or not.
I spent most of the weekend reading all of the coverage this series of attacks was gaining. Most notable was a post by Robert Scoble, a tech evangelist who forgot to apply the basics of security to his self-hosted WordPress site and ended up burned. Even more interesting was the series of exchanges between Robert Scoble, his followers on FriendFeed and Matt Mullenweg which you can read here.
While reading all sorts of comments published on blogs discussing the attacks, I couldn’t help but notice how many short-sighted WordPress users there are. I must have read over a dozen different excuses for why a particular site was not upgraded in a timely fashion. It seems functionality trumps security. However, Dave Coveney made a great point in the forums yesterday: although everyone was being told to upgrade to solve their problems, being secure goes far beyond keeping WordPress up to date. Just because WPTavern is running WordPress 2.8.4 doesn’t mean that I’m safe. I’m just ‘safer’.
WordPress is web-based software. The speed at which things move is incredibly fast, and I expect new versions of WordPress on a regular basis. If there is a new version that changes one line of code to close a security vulnerability, I want that code released ASAP so I can have it running on WPTavern. WordPress has added a one-click upgrade which to this day has worked flawlessly for me. I know it doesn’t work for 100% of the people out there, but even where it does work, it seems people can’t be bothered to press a button to start the process. It’s getting to the point where the only way to make upgrading WordPress easier is for someone to do it for them, probably for free.
Broken plugins are no excuse to stay on a particular version of WordPress, especially when it comes to security. If your website truly depends on a particular plugin to function, send a note to the plugin author to let them know it’s broken, or better yet, hire a developer to build and maintain the plugin for you. Plugins, and to a lesser extent themes, have to continually evolve with their parent software. That’s just the way it is. Unfortunately, there is a perception amongst the general WordPress userbase that upgrading is almost certain to break plugins. While that is a risk, I don’t think it’s as bad these days as it once was. Besides, hundreds of guides have been written explaining how to create a test environment that mimics a public site, so new releases can be tested to see whether plugins break or not. Although if it’s a security release, I would upgrade now and test later.
What I think this all boils down to is a lack of responsibility on the part of a lot of WordPress users. Not everything can be handed to you on a silver platter. Running a WordPress-powered site requires effort, as well as the responsibility to make sure everything is on the up and up. Quite frankly, if you’re running a WordPress-powered site or multiple sites, you should be tuned into the WordPress development blog, as that is where all the information is published regarding new releases. Speaking of the development blog, please read Matt’s latest post, which is a breath of fresh air regarding the latest round of attacks and why upgrading is an important step in the grand scheme of things.
Before I let you go, it’s important to note that had the majority of people actually upgraded their sites to 2.8.4 prior to the worm being released on the web, we wouldn’t be talking about the attacks that took place during this past weekend. Oh and if you have yet to upgrade, get 2.8.4 now.
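If you run more than one site, the first step is knowing which installs are actually on 2.8.4. The script below is an added example, not code from this post or from the WordPress project: it reads the `$wp_version` line that WordPress keeps in `wp-includes/version.php` for each install root you give it, compares it numerically against 2.8.4 (so that 2.8.10 is not mistaken for older than 2.8.4 by a string comparison), and reports which installs are out of date. The three installs it audits are constructed in a temporary directory for the demonstration; in practice you would pass the document roots of your real sites.

```python
import re
import tempfile
from pathlib import Path

# WordPress declares its version in wp-includes/version.php as a PHP assignment:
#   $wp_version = '2.8.4';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9][0-9A-Za-z.\-]*)['\"]\s*;")

MINIMUM = "2.8.4"  # the release the post tells readers to install


def parse_wp_version(php_source: str):
    """Return the version string declared in a version.php source, or None."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_tuple(v: str):
    """Turn '2.8.4' into (2, 8, 4) so versions compare numerically, not as strings.

    A pre-release tag such as '2.9-beta1' becomes (2, 9, -1): it sorts below
    the final 2.9 but above every 2.8.x release."""
    out = []
    for piece in re.split(r"[.\-]", v):
        if piece.isdigit():
            out.append(int(piece))
        else:
            out.append(-1)  # pre-release suffix: below the final release
            break
    return tuple(out)


def is_outdated(installed: str, minimum: str = MINIMUM) -> bool:
    """True if `installed` is older than `minimum` (tuples padded to equal length)."""
    a, b = version_tuple(installed), version_tuple(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit_installs(install_roots, minimum: str = MINIMUM):
    """Map each install root to (status, version); status is ok/outdated/unknown."""
    report = {}
    for root in install_roots:
        version_file = Path(root) / "wp-includes" / "version.php"
        if not version_file.is_file():
            report[str(root)] = ("unknown", None)  # not a WordPress install
            continue
        v = parse_wp_version(version_file.read_text(errors="replace"))
        if v is None:
            report[str(root)] = ("unknown", None)
        elif is_outdated(v, minimum):
            report[str(root)] = ("outdated", v)
        else:
            report[str(root)] = ("ok", v)
    return report


def demo():
    """Audit three constructed installs (plus one non-WordPress directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample installs; the version strings are illustrative.
        sites = {"blog": "2.8.3", "shop": "2.8.4", "dev": "2.9-beta1"}
        for name, ver in sites.items():
            vf = Path(tmp, name, "wp-includes", "version.php")
            vf.parent.mkdir(parents=True)
            vf.write_text(f"<?php\n$wp_version = '{ver}';\n")
        Path(tmp, "static").mkdir()  # a plain directory with no WordPress in it
        roots = [Path(tmp, n) for n in ("blog", "shop", "dev", "static")]
        report = audit_installs(roots)
        for root, (status, ver) in sorted(report.items()):
            print(f"{Path(root).name:8} {status:9} {ver or '-'}")
        return {Path(r).name: status for r, (status, _) in report.items()}


if __name__ == "__main__":
    demo()
```

Run it against your real document roots by replacing the constructed `roots` list; anything reported as `outdated` is exactly the population the worm was written for.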
I realize people do a lot of custom stuff with WordPress, but it’s been a long time since I had an upgrade not go smoothly and it’s been a decent while since an upgrade broke a critical plugin as well.
I don’t know if somehow the web just has a long memory of back when those things happened frequently or I’m just not the typical WP user but I have plenty of sites and it’s not a big deal to keep them updated.
Annoying? Yes. But not that big of a deal. For someone like Scoble to call out WordPress despite the fact that he wasn’t up to date is just irresponsible (although unfortunately also quite typical of the drivel that’s spewed by him on a regular basis).
Now, I don’t think Matt handled it all that well getting pissed at Rackspace, but the point remains: if you keep things updated, you avoid a large percentage of the issues that hit WordPress users.
I don’t mean to drone on, but I think it’s time for Automattic to invest in WordPress security more heavily. I understand it’s open source and always going to be under attack, but hiring someone with a devious mind to try and break things would seem like a great investment and would go a long way to assuring worried users that WP will remain safe and stable.