A few words about the RISKS of WordPress 1.2, 1.5, 2.0 or anything less than 2.0.4
Introduction
I’ve had a number of people use my “Upgrade your sites to the latest WordPress in 35 seconds.” post and respond to it via comment, email and pingback. I followed the first pingback and left this comment on Michael Keukert’s blog “:technozid”:
You upgraded from 1.5, that is GREAT! I have to tell you that any active site out there that is running anything lower than 2.0.3 really scares me. Prior to your update, I could have removed ALL of your hard work on this site, removed the evidence I did it and there wouldn’t be any traceable evidence in your Apache logs either. That’s not a good situation to be in.
So, if I helped one person upgrade from 1.5, it is a very good day and that post was worth it!
Michael, who considers himself an Internet Professional, knows a thing or two about network and website security. In reply to my comment, he wrote:
I could well understand (and actually I was very aware of the risk) that someone might compromise my WordPress installation and probably even erase not only the content but also some files. However I have a hard time accepting that this could be done WITHOUT A TRACE, not even in the Apache logfiles!
Michael wanted to know why he hadn’t heard of such a security hole, and why, if these holes were known to exist, there hasn’t been a big discussion about them. Basically, why haven’t any of the update announcements explained how critical they are?
He has a point.
In the 2.0.3 announcement, we were told:
This is a bug fix and security release, and is recommended for all WordPress users. In addition to an issue that was raised on Bugtraq a few days ago, we’ve also backported a number of security enhancements from 2.1 to further enhance and protect your blog.
We thought: OK, a couple of enhancements were backported. Sure, it sounds like it might be worth upgrading, sometime… That doesn’t sound all that newsworthy, does it?
Meanwhile, 2.0.3 introduced the most important WP security feature ever added. It renders most attacks impossible. Would you guess this from the description?
In the 2.0.4 announcement, we were told:
This release contains several important security fixes, so it’s highly recommended for all users. We’ve also rolled in a number of bug fixes (over 50!), so it’s a pretty solid release across the board.
[…]
Since this is a security release, if you have any friends with blogs make sure to remind them to upgrade and lend a hand if they’re not too savvy. We’re all in this together.
We thought: Well, again, that doesn’t sound all that scary, even with the Red Green quote. I guess maybe I should upgrade sometime. (Then we promptly went back to our everyday life.)
And now in 2.0.5, we were told:
It’s new release time. The latest in our venerable 2.0 series, which now counts over 1.2 million downloads, is available for download immediately, and we suggest everyone upgrade as this includes security fixes.
We thought: Look, it’s still working fine for me. I’m sure not gonna change now…
All in all: So what!?!?!
Now, if the exploits ARE as extreme as I have said, why aren’t the announcements more extreme? This is due to something called “Security Through Obscurity”, and I’ll get back to that in a little bit. Long story short: each release is made to sound less important than it really is, in order to keep you safer at that time. The problem is, there is no way to go back now and say “BTW, even though I didn’t say so at the time, those releases were REALLY important.” And that, my friends, is what this article is meant to do.
I’m sorry — you’re really long-winded, and this isn’t new content OR news. And maybe it’s just me, but you seem a little “full of yourself”.
Finally, the “long post”. I’m glad you found time to finish it.
Another aspect to the “hackers seek fame” bit: Of course, defacing the site on “pet rocks” doesn’t bring you fame. But defacing 24.5 million (or even only 10,000) sites on pet rocks and other assorted special interests in a single batch surely brings you fame as well. Doing a Google search for your leet-speak hacker name and getting millions of results for sites you “hacked” makes you a semi-god.
OK, now get this post to Digg, Slashdot, Gadgetopia etc.
To Bleh: I do know what you mean. It is long-winded, and that’s why it stayed in the draft folder for so long. It was originally going to be a very technical article describing five attacks I’d picked out. But as I wrote, I kept on thinking about my target audience and had to step back a little further and include more of the foundational knowledge. I’m not targeting the tech people. I’m not targeting those who have already upgraded. Most techies have already upgraded.
So, yes, it’s old news to us, but I’m reaching out to those who have had one or two years. I’m hoping I’ve correctly targeted this article to them. I can follow up on it with more technical stuff in days to come. I’m still talking about attacks on version 1.5 and 2.0 sites, but at least it will be a little more… is geekalicious a word? No… I don’t think it is….