A few words about the RISKS of WordPress 1.2, 1.5, 2.0 or anything less than 2.0.4

Why isn’t everyone talking about it? Where’s the hubbub?

Well, right now, the holes in 1.5 are largely considered to be “old news”. Any time anyone posts information about an attack, the one line reply is something along the lines of “That was fixed in 2.0.3”. That closes the issue and so the news travels no further. It seems that as soon as a security release goes out, there is there is a three day window in which the blogs post about the update. After that, no one talks about it because they are just repeating information found on other blogs. And no one wants to do that. No one wants to blog old news and today, anything over a week old is OLD news.

So, this information stops spreading very quickly. After about one week, security risks in old versions are simply news too old to talk about. Many people are angry at the WordPress head honchos, right now, because of this conundrum. Those in control of the WordPress source code keep a very strict grip on rumors of security holes.

I’ve been reading stuff by Matthew Mullenweg, WordPress’s creator and head honcho, long enough to believe that he really is a pretty good guy. There are people, however, who think that this the idea of keeping a WordPress secure by making certain the vulnerabilities are obscured, only works to Matt’s advantage.

Back in July, you may have heard that Dr. Dave, author of the popular Spam Karma 2 plugin called it quits. He used his plugin to spread news to all of his users. He was rather frustrated at the time. Since he hasn’t posted a word about WordPress in the last six months, I doubt that’s changed.

In a post entitled Critical Announcement affecting ALL WordPress users, he wrote:

“Why don’t you leave that up to the Big Guys Who Know What’s Best For You®™ and go back to getting smashed on gin somewhere under a Parisian bridge then?”
Take your pick:
Because over the past year of distant involvement in the WP community, I have come to question and, well, often outright disagree with the way the Big Guys Who Know What’s Best For You®™ handled similar problems in the past.

Because, all modesty set aside, I am not sure how their strategy for handling such problems (which I have seen in action in the past) has proven better at containing disaster than the one I adopted here.

Or perhaps simply because, as some Big Guys Who Know What’s Best For You®™ have implied in one helpful bit of Shoot-the-messenger communication, I am an attention-craving moron with nothing better to do with his time than scare his fellow WordPress users into unchecking one single option in their admin screen.

This discussion took place on the lists as well as on Dr. Dave’s blog. In retrospect, it seems, to me, Dr. Dave believed that some of these security concerns were hushed because it was bad publicity for Automattic. Dr. Dave’s viewpoint is perhaps that WordPress is a big public relations Tool for Matt’s Automattic company and why should he help market Automattic if he gets nothing for it? Dr. Dave announced his plans to leave the WordPress world behind and hasn’t spoken of it since as far as I can tell.

Being an optimist, that is not my viewpoint. I believe that Matt, Ryan, Mark, Lloyd and the others are keeping the details of any security risks quiet, out of protection for the WordPress user base. I think they proscribe to the idea that “The more people that know of the attacks, the more your site is at risk of an attack.”. There’s a good bit of logic to that. If more newbie hackers had written out instructions for WordPress attacks, wouldn’t more of them experiment with attacking sites? Did reading my description of the traceless attack make you think about details you hadn’t thought about before? If so, maybe obscurity IS better. To a degree.

Is the truth out there?

Personally, I think the truth is somewhere in between those two extremes. Neither is Matt THE Greedy S.O.B. Supreme (Big Guy Who Knows What’s Best For You®™), nor is publishing walkthroughs, for every possible attack, the right thing to do.

In Matt’s favor, attacks happen mostly to bring fame to the attacker. Deleting posts off of someone’s personal blog isn’t going to prove much of anything to fellow hackers. In fact it would be a waste of time compared to defacing a site. Add a message proudly shouting “Hacked by such and such” and you now appear in Google. (Everybody say “Oooooooo”…) This keeps us safe. Most WordPress users have little to worry about. Until their blog becomes VERY popular, the bang for the buck isn’t too high.

Once a site is big and well known, then it might be worth attacking just for the heck of it. Matt’s personal blog was hacked earlier this year only because he is a celebrity in the WordPress world and the hacker wanted to brag that he did it. Your site on pet rocks, probably doesn’t have his site’s fame. So, Matt’s at least partially right that keeping these things under wraps for a period of time prevents the novice hackers from doing random damage to sites.

However, where that theory breaks down, in practice, is at the ends of the spectrum. One end involves the fact that WordPress has gotten a lot of corporate interest this year. Sites like 1and1.com, yahoo, tiger direct, the New Your Times (I believe – it was one of those bigboys) and several other national magazines and newspapers all run WordPress blogs now. 1and1.com, for one example, still deploys new blogs using version 2.0. If they knew the true vulnerabilities in these versions, would they still deploy using them? My searches earlier in this article showed that more unsafe WordPress blogs were being deployed than safe ones.

The other end of the spectrum is all of the non-techy people running their own blogs. The number of small sites out there running old versions is staggering. These are the people that DON’T read the news groups. They DON’T read wordpress developer blogs. If they aren’t told in plain English what the danger is, how are they to know?

That’s why the approach has to change. We HAVE to get the word out about the need to update.