[wp-hackers] Plugin update & security / privacy

Matt Mullenweg m at mullenweg.com
Sun Sep 23 19:35:26 GMT 2007


Moritz 'Morty' Strübe wrote:
> I know this will not change until Monday, but is it really necessary to
> transmit the URL?

Your blog URL and version have been sent by default for 4+ years to every 
ping service in the world, including Ping-O-Matic, every time you make a 
post. Of course you can turn that off, just like you can turn update 
notification off, but statistically no one does.

The only new information being sent by the update checker is PHP version 
and a list of plugins. If you don't like that feature, please install a 
plugin to disable it:

http://wordpress.org/extend/plugins/disable-wordpress-core-update/
http://wordpress.org/extend/plugins/disable-wordpress-plugin-updates/

Of course don't forget the WP dev blog and planet RSS feeds, and most 
importantly the incoming links feed which ALSO transmits your blog URL.

I would also recommend disabling the updates in Mac OS X, Firefox, 
Windows, Thunderbird, Adobe Photoshop, and any other third-party 
applications you have. As all of those are tied to your personal IP and 
not your server IP they have far more implications for privacy.

> If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!

Such an attack would not be more effective, it would just be more 
efficient. Historically, however, scripts that attack WordPress 
don't bother checking the version or if a plugin is there or not, they 
just seek out every WP blog and check the specific capability or 
vulnerability.

Nevertheless, we're beefing up the infrastructure and security of 
WordPress.org, which Barry is working on right this instant. In 2 years 
of running WordPress.com and Akismet, two extraordinarily 
high-visibility targets, there has never been a problem on a server 
Barry set up. The only problems we've had (once on WP.org, once on 
PhotoMatt) have been things I set up, and I'm not setting up these new 
ones. :)

I think this feature is actually going to dramatically improve the 
security of WordPress overall. We all saw the survey that 95% of WP 
blogs were vulnerable. That didn't even look at plugins. I think the 
survey was flawed, but you still can't deny that for most people knowing 
there is an update and actually updating just doesn't happen, and this 
is a necessary first step. If the only "trade-off" is sending an ALREADY 
PUBLIC blog URL to wordpress.org, then great!

I would like to remind the participants of this thread that WP.org != 
Automattic, so to be fair to the members of both please distinguish 
which you're referring to.

-- 
Matt Mullenweg
  http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com

