[wp-hackers] wordpress security

g30rg3_x g30rg3x at gmail.com
Fri Oct 16 16:53:57 UTC 2009

2009/10/16 Nathan Rice <ncrice at gmail.com>:
> That's exactly the attitude that gives WP the reputation it has for
> security. That everyone who uses WP is a professional and should be
> responsible not only to upgrade their install every time a new version comes
> out, but should also be proactive about checking for upgrades.
Excuse me, but isn't that the actual objective of running a
self-hosted WordPress blog instead of one on wordpress.com?
So you can control upgrades, plugins, themes, ...?
IMHO, admins who do not want to take matters into their own hands
should be using one hosted at wordpress.com instead of a self-hosted one.

> Now, personally, I believe they SHOULD do both of those things. But I live
> in reality, where they WON'T do both of those things.
> So, we can either sit cross-armed and blame the stupid users, or we can
> continue to provide them with tools that anticipate their lack of
> provocativeness, like a simple email notification.
There is the WordPress development blog feed, the WordPress Planet
feed, the hundreds of WordPress-fanatic feeds in lots of languages
just talking about WordPress development and of course news and
security alerts, which you can use with your preferred feed reader.
If that isn't enough you can make your own plugin (or find one, like
the one linked by scribu here) and stay up to date with notifications
about upgrades/updates (because in your WordPress security plan you
should consider not only WordPress update notifications but also
plugin update notifications).
Still not convinced?
Then go to core.trac.wordpress.org/timeline where you can review all
the changes made by the wp-dev-team (it also has a feed, so you can
always be up to date with the WordPress changes, tickets,
So, you could just sit cross-armed and blame the WordPress dev-team
for not providing enough tools for update notifications, or
actually code a plugin and then propose the core integration of the
functionality (which is actually the way that WordPress considers new

> And no, a plugin won't suffice. It's an extra step that most users won't
> take.
As I said before... if an admin does not want to take matters into
their own hands then they should consider using one hosted at
wordpress.com (almost always the bleeding edge of the WordPress core).
There are lots of ways a WordPress-based site could be broken besides
WordPress itself; as I said, you have the plugins, the themes, the
PHP interpreter, 3rd-party sites in a shared hosting environment,
service misconfiguration, weak passwords, ... just to enumerate the
most well-known direct and indirect attacks.

As for the core integration proposal...
+1 if the update notification email also considers plugins in the notification.
-1 if it will only be the WordPress core updates.

PS: Pardon me, my really bad Mexican English.
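The kind of plugin the message above describes (a notifier that covers plugin updates as well as core), shown here as an added example that is not code from the thread, from scribu's plugin, or from WordPress core. It uses the public WordPress functions `wp_version_check`, `wp_update_plugins`, `get_site_transient`, `get_plugin_data`, `wp_schedule_event` and `wp_mail` as they exist in current WordPress; the plugin name, the cron hook name `udm_daily_check`, the option name `udm_last_digest` and the `udm_` function prefix are hypothetical.

```php
<?php
/*
Plugin Name: Update Digest Mail (hypothetical example)
Description: Emails the site admin once a day when WordPress core or any
             installed plugin has a pending update.
*/

// Added illustrative example, not code from the mailing-list thread or from
// WordPress itself. The hook/option names prefixed udm_ are hypothetical.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never execute outside of WordPress.
}

const UDM_CRON_HOOK = 'udm_daily_check';

register_activation_hook( __FILE__, 'udm_activate' );
register_deactivation_hook( __FILE__, 'udm_deactivate' );
add_action( UDM_CRON_HOOK, 'udm_run_check' );

function udm_activate() {
    // Schedule the daily check only once, even if the plugin is re-activated.
    if ( ! wp_next_scheduled( UDM_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'daily', UDM_CRON_HOOK );
    }
}

function udm_deactivate() {
    wp_clear_scheduled_hook( UDM_CRON_HOOK );
}

// Returns one human-readable line per pending update (core first, then plugins).
function udm_pending_updates() {
    // Refresh the update transients so a stale cache does not hide a new release.
    wp_version_check( array(), true );
    wp_update_plugins();

    $lines = array();

    $core = get_site_transient( 'update_core' );
    if ( isset( $core->updates ) && is_array( $core->updates ) ) {
        foreach ( $core->updates as $offer ) {
            // 'upgrade' means a newer core version is offered; 'latest' means none.
            if ( isset( $offer->response ) && 'upgrade' === $offer->response ) {
                $lines[] = sprintf( 'WordPress core: %s -> %s',
                                    get_bloginfo( 'version' ), $offer->current );
                break;
            }
        }
    }

    $plugins = get_site_transient( 'update_plugins' );
    if ( isset( $plugins->response ) && is_array( $plugins->response ) ) {
        if ( ! function_exists( 'get_plugin_data' ) ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        // $plugins->response is keyed by plugin file (e.g. akismet/akismet.php).
        foreach ( $plugins->response as $file => $info ) {
            $data    = get_plugin_data( WP_PLUGIN_DIR . '/' . $file, false, false );
            $lines[] = sprintf( 'Plugin %s: %s -> %s',
                                $data['Name'], $data['Version'], $info->new_version );
        }
    }

    return $lines;
}

function udm_run_check() {
    $lines = udm_pending_updates();
    if ( empty( $lines ) ) {
        return;
    }
    // Mail only when the set of pending updates changes, so the admin is not
    // nagged every day with the same list (md5 is used as a fingerprint only).
    $digest = md5( implode( "\n", $lines ) );
    if ( get_option( 'udm_last_digest' ) === $digest ) {
        return;
    }
    $subject = sprintf( '[%s] %d pending update(s)', get_bloginfo( 'name' ), count( $lines ) );
    $body    = "The following updates are pending:\n\n" . implode( "\n", $lines )
             . "\n\nLog in to apply them: " . admin_url( 'update-core.php' );
    if ( wp_mail( get_option( 'admin_email' ), $subject, $body ) ) {
        update_option( 'udm_last_digest', $digest );
    }
}
```

Two caveats a practitioner should keep in mind: WP-Cron only fires when the site receives page requests, so a low-traffic blog will not get its daily check unless `DISABLE_WP_CRON` is set and a real system cron requests `wp-cron.php`; and `wp_mail()` depends on the host's mail setup, so an admin who never receives the digest should first verify that outgoing mail works at all.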

More information about the wp-hackers mailing list