WordPress 2.04 Beta 2 includes a vital security fix.

Quick someone call Sam!
Original image by Andrew Krespanis

Thanks to some drastic and controversial actions taken by SpamKarma creator Dr. Dave, a large percentage of the blogging populace has been alerted to a security hole in WordPress. He even went to the effort of activating a warning message that was sent out to everyone who uses his SK2 plugin. This has resulted in a lot of fear spreading amoung a huge number of bloggers. This sort of thing just spreads exponentialy. Here’s a quasi random sampling of two dozen of the first posts on it: .......................

And these were just from the English blogs that posted about this on the same day as the notice going out. The neat thing is that these are some of the most on-top-of-things bloggers out there. Those 24 blogs have some great content and gread visual styles. The are well worth perusing…

Anyway, as you can guess he’s taken plenty of heat for this, because loads of people are now searching for the hole and trying to figure out how to exploit it. Most of these people just want to protect their own blogs. Others might be searching so that they can use this exploit against others. There are certain people I would not like to be right now…

The good, the bad and the ugly

The most common fix being spread out there is to disable “Anyone can register”. The good news is that this will eliminate the possiblity of new people exploiting this issue. The bad news is that I would wager most bloggers don’t know the hearts of even HALF of their members. The ugly truth is that I bet many of the WP bloggers out there (the pajama media in particular) have members that are REALLLLLY pissed at them right now. Hey, its ugly but it happens. Now that this exploit is known, do you really trust that unknown/angry member to not go and read up on the details? Should you delete their account; so that they are even angrier the next time an exploit is announced? Don’t look at me, I can’t answer that one for ya…

Another alternative

The really good news is that Ryan Boren released the beta version of WordPress 2.0.4 on Sunday. The Beta2 version of the release includes a fix for this issue.

Here’s what Ryan said in a WP public list:

To recap, there is a bug in core WP involved that I believe I’ve fixed
for 2.0.4. This is the core API bug Dave is talking about on his blog.

I was in error before to say that this is a problem to be fixed solely
by the plugins. There are some plugins that need help beyond the fix to
the core, but the core fix should cover most plugins. Sorry for the
confusion.

And with that, I really need to get some sleep. Later all.

If you want to test the beta release, the beta2 beta3 version is available for download here:
zip
tar.gz
Please be aware that this IS a beta release and has not been tested against all common plugins and themes.

That said, WordPress 2.0.4 is under some intense scrutiny and *MIGHT* be released in just four days. You can see that for yourself here. In fact, you might want to keep that link around. Modifying that link is much easier than asking around “When will WP x.y will be out? Huh? Huh? Huh?” If there is an answer to that question, there will be a link like that, showing the date. Can you figure out what the link for the 2.1 release is?

WP 2.0.4 Status and Some Details

Many people have been running 2.0.4 for ages now, but it is still under development. There have already been a number of changes and fixes since the beta2 version. Beta2 will not be the version that is released, but you might prefer running it to turning off your membership.

This fix is important, but the danger is as all encompassing holes that existed prior to version 2.0.3. It involves an assumption, by plugin authors, that the WordPress core takes care of all security concerns. The fact of the matter is, a WordPress plugin should be written so that it is secure in and of itself. It only makes sense. This fix enhances the security around plugins. But plugin authors should still be aware that they must always make certain the logged in user has the rights to do the action the plugin is about to perform.

Likewise, WordPress bloggers should be aware that that the more powerful a plug in is, the more risk you expose your self to if someone gets to it through a security hole. This was just as true before this hole was disclosed as it is now.

You are your own blogs best protection

For example, if you really think your WordPress blog needs to be able to restructure all of your table, did you chose a plugin made by someone that looks like the have professional experience in web security or was your plugin written by a highschool senior or college freshman? I’m just asking… And so should you…

Now, there has been so much FUD that everyone is in a panic. I’m not saying that you should do nothing. You might actually want to disable the creation of new user accounts. You might want to disable some trouble users. You might want to update to the beta 2.04. Or you might just want to take a breath and realize that chances are, no one is out to destroy you or your blog – even just for the fun of it.

The fact of the matter is that there are still thousands of blogs out there running version 2.0.2 of WordPress (100,000+ results from google) and earlier despite our best efforts to get people to update and realize the serious nature of the risk. When there are published security holes allowing allowing mass deletions of posts, there are much easier targets with more bang for the buck than your WP 2.0.3 blog.

You ARE running at least 2.0.3 right?

UPDATE

Beta 3 was released 7 minutes ago at 12:38pm EST/16:38 UTC. I’ve updated the links above to point at beta3. The only change between b2 and b3 is a minor fix I tested and improved for Ryan last night. In some rare circumstances the author link at the bottom of the posts might have been incorrect. Those of us without themes that support multiple authors would be unaffected by this change. So, there’s no real reason to get b3 if you have b2 installed already. The release MAY come sooner than I mentioned in this article. Perhaps by as much as 3 days sooner…but I wouldn’t mind another evening just to try to exploit this version.