[wp-hackers] wordpress security

Otto otto at ottodestruct.com
Fri Oct 16 14:25:21 UTC 2009


The latest version of WordPress has no currently known security
problems. However, that doesn't mean there are not unknown ones.

It's like this: Any piece of software can have bugs. When the
WordPress team finds one, or is alerted to one, they fix it and
eliminate the problem. In the case of security issues, that usually
results in an immediate security fix release. 2.8.3 and 2.8.4, for
example, were security releases, to fix just-found issues.

However, a security release only works if you actually upgrade. A
surprising number of people don't.

Also consider that WordPress is a high profile target. A *lot* of
websites out there use it. So a security hole in WordPress, especially
an exploitable one, gets attacked by malicious people almost
immediately, and en masse. So when a release to fix a security hole
comes out, malicious people create code to exploit it and start trying
to mass-hack as many sites as they can.

Recently (last month), there were a lot of people getting their sites
hacked. The hackers exploited a problem that existed in WordPress
2.8.2 (and which was fixed in 2.8.3). WordPress was already up to
version 2.8.4, so the only people who got really hit hard were those
who failed to upgrade. WP 2.8.3 came out in August, so there was a
good month or two of lead time before hackers actively exploited the
problem that had already been fixed. Why didn't people upgrade within
that month? Good question.

As long as you upgrade early and often, there are no WordPress-specific
security issues you generally have to worry about.

There are other ways to hack websites though, and most of them don't
involve WordPress. Somebody can still get into your site and take it
over through some other means, so security on all other aspects of the
server environment must be watched as well. If you get hacked, don't
immediately jump to a conclusion as to how it occurred, because the
odds against it attacking via a fully-up-to-date WordPress are slim.
Since I've been using WordPress, I have yet to see any zero-day
exploits against it occur. It's always been something targeting older
versions and people who failed to upgrade.

-Otto
Sent from Memphis, TN, United States
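As an added example (not part of Otto's post and not WordPress's own tooling), the following Python reads the `$wp_version` string from a copy of `wp-includes/version.php` and flags installs older than the 2.8.4 release the post mentions. The sample file contents and the `MIN_SAFE_VERSION` threshold are constructed assumptions; it also shows why versions must be compared numerically rather than as strings.

```python
import re

# Constructed sample of WordPress's wp-includes/version.php (the real file
# defines $wp_version this way); the value is an assumed, outdated install.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '2.8.2';
"""

# Last security release named in the post; anything older is assumed unpatched.
MIN_SAFE_VERSION = "2.8.4"


def parse_wp_version(version_php: str) -> str:
    """Extract the $wp_version string from the contents of version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(v: str) -> tuple:
    """Turn '2.8.4' into (2, 8, 4); suffixes such as '-beta1' are dropped.
    Numeric comparison avoids the string-compare bug where '2.8.10' < '2.8.4'."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def needs_upgrade(installed: str, min_safe: str = MIN_SAFE_VERSION) -> bool:
    """True when the installed version predates the last security release."""
    return version_tuple(installed) < version_tuple(min_safe)


def check_install(version_php: str, min_safe: str = MIN_SAFE_VERSION) -> dict:
    """Report the installed version and whether it is below the safe baseline."""
    installed = parse_wp_version(version_php)
    return {"installed": installed, "min_safe": min_safe,
            "needs_upgrade": needs_upgrade(installed, min_safe)}


if __name__ == "__main__":
    print(check_install(SAMPLE_VERSION_PHP))
```

Point `check_install` at the real file's contents on a server you administer to get the same report for a live install.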
