A few words about the RISKS of WordPress 1.2, 1.5, 2.0 or anything less than 2.0.4

A Layman’s Guide to WordPress Security Fixes

It seems that people running the latest version do continue to upgrade, but the rest of the WP users must be convinced. They will only be convinced when they are told of the danger. That's where you and I come in.

1.2 was an open door. (I had my index.php hacked three or four times under that version.)

1.5 solved that problem, but it reminded me of living in the backwoods of Pennsylvania. We locked the screen door with an eye-and-hook latch. A stick picked up off the ground let you pry the hook up and get in. When I lived on that old dirt road, which didn't even have a road sign at the end of it, we didn't get a lot of tourists. But with WordPress, we're talkin' the "Information Superhighway," baby. Running a website is like having an exit ramp in your front yard. You want a little more protection than a screen door.

2.0.2 put a regular lock on the door, but that lock could be "jimmied" by anyone who'd ever read a Hardy Boys novel (or a FAQ on hacking).

2.0.3 put a deadbolt on the main door but left the windows unlocked. The deadbolt is called a nonce: a secret token, tied to the logged-in user and to the specific action being performed, that an admin form must carry back with it, so a request forged from some other site cannot produce a valid one. You couldn't get into most administration pages anymore unless you REALLY were allowed. The only problem was that no one thought to lock the windows: many plugins assumed they didn't need their own security checks, which left their configuration pages open to attack.

2.0.4 finally locked both the doors and the windows. Most plugin configuration pages are now safe. However, you should know that ANY plugin can open a security hole. Make sure you use plugins that were written by people who know at least a little about security issues.
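To make the "deadbolt" and the "unlocked windows" of the last two paragraphs concrete, here is an added example (not code from this post and not WordPress's own source) that models the nonce scheme WordPress uses and puts a careless plugin settings handler next to a checked one. It runs stand-alone under the php command line; the secret, the user id, the action name and the POST arrays are all constructed for the demonstration. In a real plugin the equivalent calls are wp_nonce_field() in the form, and current_user_can() plus check_admin_referer() in the handler.

```php
<?php
// Added example: a self-contained model of WordPress-style nonces.
// The secret stands in for the site's NONCE_KEY/NONCE_SALT; user ids and
// action names below are made up. Nonce life is 24 hours, as in WordPress.

const NONCE_LIFE = 86400;

// WordPress splits the nonce life into two "ticks" of 12 hours each.
function nonce_tick(int $now): int {
    return (int) ceil($now / (NONCE_LIFE / 2));
}

// A nonce binds the time window, the action and the user under a secret,
// so it cannot be guessed and cannot be reused for another action or user.
function create_nonce(string $secret, string $action, int $user_id, int $now): string {
    $tick = nonce_tick($now);
    return substr(hash_hmac('md5', "$tick|$action|$user_id", $secret), -12, 10);
}

// Accept the current tick and the previous one (12 to 24 hours of validity),
// comparing in constant time. Modelled on wp_verify_nonce().
function verify_nonce(string $secret, string $nonce, string $action, int $user_id, int $now): bool {
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        $expected = substr(hash_hmac('md5', "$t|$action|$user_id", $secret), -12, 10);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// The "unlocked window": a settings handler that trusts any POST it receives.
// A hidden form on an attacker's page, submitted by a logged-in admin's
// browser, changes the option just as well as the real settings page does.
function save_settings_unchecked(array $post, array &$options): bool {
    if (!isset($post['submit'])) {
        return false;
    }
    $options['api_key'] = $post['api_key'];
    return true;
}

// The locked window: is this user allowed to do this at all, and did the
// request carry a nonce that only our own form, rendered for this user, would
// have contained?
function save_settings_checked(array $post, array &$options, array $user, string $secret, int $now): bool {
    if (!isset($post['submit'])) {
        return false;
    }
    if (empty($user['can_manage_options'])) {          // capability check
        return false;
    }
    if (!isset($post['_wpnonce'])
        || !verify_nonce($secret, $post['_wpnonce'], 'myplugin-update-options', $user['id'], $now)) {
        return false;                                    // nonce missing, forged or expired
    }
    $options['api_key'] = $post['api_key'];
    return true;
}

// Constructed scenario: an admin, an attacker's forged POST, and a real one.
$secret  = 'constructed-site-secret';
$admin   = ['id' => 7, 'can_manage_options' => true];
$now     = 1700000000;
$options = ['api_key' => 'original'];

$forged = ['submit' => '1', 'api_key' => 'attacker-controlled'];   // no nonce
$real   = $forged + ['_wpnonce' => create_nonce($secret, 'myplugin-update-options', 7, $now)];
$real['api_key'] = 'legitimate';

$r1 = save_settings_unchecked($forged, $options);                       // true: forged POST accepted
$o2 = ['api_key' => 'original'];
$r2 = save_settings_checked($forged, $o2, $admin, $secret, $now);       // false: no nonce
$r3 = save_settings_checked($real, $o2, $admin, $secret, $now);         // true: real form accepted
$r4 = save_settings_checked($real, $o2, $admin, $secret, $now + 2 * NONCE_LIFE); // false: expired

echo "unchecked/forged: " . var_export($r1, true) . " (api_key now {$options['api_key']})\n";
echo "checked/forged:   " . var_export($r2, true) . "\n";
echo "checked/real:     " . var_export($r3, true) . " (api_key now {$o2['api_key']})\n";
echo "checked/expired:  " . var_export($r4, true) . "\n";
```

The capability check and the nonce check answer two different questions and both are needed: the first stops a logged-in subscriber from reaching an administrator's settings, the second stops an administrator's own browser from being tricked into submitting a form it never saw. Note also that the nonce is bound to the action name, so a token captured from one plugin page does not unlock another.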

2.0.5 and 2.0.6 each have specific security fixes and should be loaded, but these are all “one up” changes that address a specific problem with a specific section of code. The earlier 2.0.x releases all included broad sweeping security changes. That’s why I have 2.0.4 in my title and not 2.0.6 or 2.1.

My simple searches (now two months old – sorry, I’m not updating them AGAIN) show potentially five million sites in need of an update, and yet no one is talking about 1.2 or 1.5 security holes any more. So, these sites are identified and hacked one by one. Those sites have been basically abandoned to fare on their own. So, it is up to us, as fellow bloggers who know better, to explain the risks to these people. You can help.
