[wp-hackers] wordpress security

Nathan Rice ncrice at gmail.com
Fri Oct 16 14:33:45 UTC 2009


I'm sure this has been mentioned before (elsewhere), but it's important to
note that not all WordPress users log into their dashboard every day, and
the vast majority of WordPress users don't subscribe to any RSS feed that
would indicate that WordPress needs to be upgraded.

The automatic updates are fantastic, and are a huge step in the right
direction, but an alert system needs to be put in place so that as soon as
your WP install notices there's an upgrade available, it emails the
Admin.

(Forgive me if this is already in motion for the next version. If it is,
then congratulations for being proactive in this regard.)

------------------
Nathan Rice
WordPress and Web Development
www.nathanrice.net | twitter.com/nathanrice | www.modthemes.com


On Fri, Oct 16, 2009 at 10:25 AM, Otto <otto at ottodestruct.com> wrote:

> The latest version of WordPress has no currently known security
> problems. However, that doesn't mean there are not unknown ones.
>
> It's like this: Any piece of software can have bugs. When the
> WordPress team finds one, or is alerted to one, they fix it and
> eliminate the problem. In the case of security issues, that usually
> results in an immediate security fix release. 2.8.3 and 2.8.4, for
> example, were security releases, to fix just found issues.
>
> However, a security release only works if you actually upgrade. A
> surprising lot of people don't.
>
> Also consider that WordPress is a high profile target. A *lot* of
> websites out there use it. So a security hole in WordPress, especially
> an exploitable one, gets attacked by malicious people almost
> immediately, and en masse. So when a release to fix a security hole
> comes out, malicious people create code to exploit it and start trying
> to mass-hack as many sites as they can.
>
> Recently (last month), there were a lot of people getting their sites
> hacked. The hackers exploited a problem that existed in WordPress
> 2.8.2 (and which was fixed in 2.8.3). WordPress was already up to
> version 2.8.4, so the only people who got really hit hard were those
> who failed to upgrade. WP 2.8.3 came out in August, so there was a
> good month or two of lead time before hackers actively exploited the
> problem that had already been fixed. Why didn't people upgrade within
> that month? Good question.
>
> As long as you upgrade early and often, there are no WordPress-specific
> security issues you generally have to worry about.
>
> There are other ways to hack websites though, and most of them don't
> involve WordPress. Somebody can still get in your site and take it
> over through some other means, so security on all other aspects of the
> server environment must be watched as well. If you get hacked, don't
> immediately jump to a conclusion as to how it occurred, because the
> odds against it attacking via a fully-up-to-date WordPress are slim.
> Since I've been using WordPress, I have yet to see any zero-day
> exploits against it occur. It's always been something targeting older
> versions and people who failed to upgrade.
>
> -Otto
> Sent from Memphis, TN, United States
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
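The alert Nathan asks for can be built as a small plugin on top of the update check WordPress already runs. The following is an added example, not code from this thread or from WordPress core: it schedules a daily cron job, refreshes the core update data, and emails the site's admin address once per newly available version. The option key and cron hook names are assumptions chosen for this example; the `response` and `current` fields of the offers stored in the `update_core` site transient are assumed to match current core, which differs from the 2.8-era API the thread discusses.

```php
<?php
/*
Plugin Name: Core Update Email Alert (example)
Description: Emails the site admin once per newly available WordPress core version.
*/

// Option key and cron hook name: assumptions chosen for this example.
const CUEA_OPTION    = 'cuea_last_notified_version';
const CUEA_CRON_HOOK = 'cuea_daily_check';

// Schedule a daily check on activation; remove it again on deactivation.
register_activation_hook( __FILE__, 'cuea_activate' );
register_deactivation_hook( __FILE__, 'cuea_deactivate' );
add_action( CUEA_CRON_HOOK, 'cuea_check_and_notify' );

function cuea_activate() {
    if ( ! wp_next_scheduled( CUEA_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'daily', CUEA_CRON_HOOK );
    }
}

function cuea_deactivate() {
    wp_clear_scheduled_hook( CUEA_CRON_HOOK );
}

// Return the newest core version offered as an 'upgrade', or null when the
// running version is already current. Reads the transient that core fills
// during wp_version_check().
function cuea_available_upgrade() {
    wp_version_check(); // core function: refreshes the update_core transient
    $data = get_site_transient( 'update_core' );
    if ( ! is_object( $data ) || empty( $data->updates ) ) {
        return null;
    }
    $newest = null;
    foreach ( $data->updates as $offer ) {
        // Assumed offer layout: ->response is 'upgrade' or 'latest', ->current is the version.
        if ( isset( $offer->response, $offer->current ) && 'upgrade' === $offer->response ) {
            if ( null === $newest || version_compare( $offer->current, $newest, '>' ) ) {
                $newest = $offer->current;
            }
        }
    }
    return $newest;
}

function cuea_check_and_notify() {
    $newest = cuea_available_upgrade();
    if ( null === $newest ) {
        return;
    }
    // Send at most one email per new version so a daily cron does not nag the admin.
    if ( get_option( CUEA_OPTION ) === $newest ) {
        return;
    }
    $to      = get_option( 'admin_email' );
    $subject = sprintf(
        '[%s] WordPress %s is available',
        wp_specialchars_decode( get_option( 'blogname' ) ),
        $newest
    );
    $body = sprintf(
        "Your site %s is running WordPress %s; version %s is available.\n\nUpdate at: %s\n",
        home_url( '/' ),
        get_bloginfo( 'version' ),
        $newest,
        admin_url( 'update-core.php' )
    );
    // Only record the version as notified if the mail was actually handed off.
    if ( wp_mail( $to, $subject, $body ) ) {
        update_option( CUEA_OPTION, $newest );
    }
}
```

One caveat for the low-traffic sites Nathan has in mind: WordPress's built-in cron only fires when the site receives a request, so a site nobody visits will not run this check either. Triggering `wp-cron.php` from a real system cron job removes that dependency. Later WordPress releases (3.7 onward) also added background core updates that email the admin afterwards, which addresses the same gap from the other direction.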

