A recent TechCrunch post makes it sound as if WordPress security releases are desperately following close on the heels of widespread attacks. The author, Nik Cubrilovic, then seems to suggest that open source applications are particularly at risk:
Hackers are taking advantage of the open-source nature of the software to analyze the source code and test it for potential vulnerabilities. It is then left up to developers and users to detect, track down, and then close off the vulnerabilities in the code that attackers are using. The pattern seems to be that when a new hole is found, it is broadly exploited, then developers rush out a patch and a new release.
While I agree with many of his overall points, such as the necessity of making frequent backups and keeping up to date, I thought it was interesting to note that the specific sites he mentions do not seem to support the premise that they were compromised while being diligently updated.
By checking the source of these sites as cached by various search engines, you can see what version of WordPress they were running recently (the default themes emit a generator meta tag that states the version). The first site Cubrilovic mentions was “hacked” back in January, when it “was running the most recent version of WordPress available at the time.” Apparently that attack didn’t inspire its maintainer to keep up with updates, as a cached page shows that as recently as the end of May it was using a version of WordPress, 2.3.3, that was seven weeks outdated.
Cubrilovic also links to another compromised site, whose owner admits that he had “been running an ancient version of WordPress and had meant to upgrade, but it never seemed urgent.” At another site he points to, the owner says “I was already at the latest, 2.5.1, and still got hit.” However, a cache search shows that as of June 1 the site was still using version 2.5, five weeks after the 2.5.1 security release, suggesting that the attack came prior to the upgrade. TechCrunch itself, as of three days ago, ran a version of WordPress over 10 weeks old.
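To make the cache check above repeatable, here is a small script that pulls the WordPress version out of a saved copy of a page and works out how many weeks an available upgrade had been ignored as of the cache date. This is an added example written for this post, not a tool used by the author or shipped by WordPress. It assumes the site still emits the default `<meta name="generator" content="WordPress x.y" />` tag, and the release-date table is my own recollection of the 2008 release dates (an assumption to verify against the WordPress release archive before relying on it). The sample page is constructed, not a real cached capture.

```python
import re
from datetime import date

# Release dates as I recall them (assumption: check the official WordPress
# release archive before trusting these).  Only the versions discussed in
# this post are listed; add more rows to extend the check.
RELEASES = {
    "2.3.3": date(2008, 2, 5),
    "2.5": date(2008, 3, 29),
    "2.5.1": date(2008, 4, 25),
}

# Constructed sample of what a cached WordPress 2.5 page's <head> looks like.
SAMPLE_CACHED_PAGE = """
<html><head>
<title>Example blog</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="generator" content="WordPress 2.5" /> <!-- leave this for stats -->
<link rel="stylesheet" href="/wp-content/themes/default/style.css" type="text/css" />
</head><body>...</body></html>
"""

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")
WP_VERSION_RE = re.compile(r"WordPress\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(version):
    """Turn '2.5.1' into (2, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def wordpress_version(html):
    """Return the version named in the generator meta tag, or None if absent.

    Attributes are read individually so the order of name/content does not matter.
    """
    for tag in META_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() != "generator":
            continue
        match = WP_VERSION_RE.search(attrs.get("content", ""))
        if match:
            return match.group(1)
    return None


def weeks_behind(version, as_of):
    """Whole weeks between the cache date and the oldest release the site skipped.

    That is the length of time the in-admin upgrade reminder had been on
    screen.  Returns 0 when no newer release existed as of that date.
    """
    running = parse_version(version)
    as_of_date = date.fromisoformat(as_of)
    missed = sorted(
        released
        for ver, released in RELEASES.items()
        if parse_version(ver) > running and released <= as_of_date
    )
    if not missed:
        return 0
    return (as_of_date - missed[0]).days // 7


def report(html, as_of):
    """Combine both steps: (version found, weeks an upgrade was ignored)."""
    version = wordpress_version(html)
    if version is None:
        return None, None
    return version, weeks_behind(version, as_of)


if __name__ == "__main__":
    found, weeks = report(SAMPLE_CACHED_PAGE, "2008-06-01")
    print(f"cached page ran WordPress {found}; upgrade available for {weeks} weeks")
```

The generator tag is only a hint: theme authors strip it, and it can be edited to say anything, so treat a missing or odd value as "unknown" rather than "up to date". A site that removed the tag can often still be fingerprinted from the `readme.html` file WordPress ships at its root, which states the version in plain text.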
Cubrilovic makes it sound as if a WordPress user has to follow every bit of news about WordPress to stay safe: “For users of WordPress, backups are essential, as are frequent updates, monitoring your blog usage and tracking the official WordPress blog and other blogs for news of any new security holes.” That’s not bad advice, but keep in mind that since WordPress 2.3 there has been a prominent, automatic reminder to upgrade whenever a new release comes out. In each of the examples, the users had to ignore, week after week, this message at the top of their admin screens: