Comments on: 98% of WordPress Blogs Vulnerable

By: Ness

Ness — Sat, 16 Feb 2008 14:54:27 +0000

It crashed when I tried to update from an earlier version to latest one. Didn’t work.

By: Dave Zatz

Dave Zatz — Sat, 09 Jun 2007 12:53:21 +0000

Er make that “Subscribe” to Comments. I need my coffee.

By: Dave Zatz

Dave Zatz — Sat, 09 Jun 2007 12:52:13 +0000

2.2 broke my Respond to Comments plugin. Wonder if B5′s new talent knows anything about that. ;)

By: Jermayn Parker

Jermayn Parker — Wed, 30 May 2007 03:57:17 +0000

yeah I must upgrade, thanks the timely reminder..

Only surveying 50 is not much though

By: docwhat

docwhat — Tue, 29 May 2007 20:14:37 +0000

So how did you detect the version of the blog in your survey? The header in the template? Oooh… or the css href on wp-admin works, too…

I’m not very happy that the software and version is broadcast in wordpress. It’s not so much security by obscurity than hiding from the fricking spammers. When I took out the header, my comment spam decreased over the next 3-4 weeks.

Ciao!

By: Ashish Mohta

Ashish Mohta — Mon, 28 May 2007 05:21:24 +0000

Lol that was funny, 1.5 o boy. But your right. people are so happy with what is running so smooth they never want to take a chance. In the era where taking backup is so easy and to get back to previous state is easier than that…I wonder why ppl don’t upgrade.

By: Carol

Carol — Sat, 26 May 2007 23:57:28 +0000

I know, I know…I should upgrade both blogs. Honestly when I read the instructions my eyes go all googly and I get a piercing pain in my head.

Sigh. I’m a bad, bad blogger.

By: Jenny

Jenny — Sat, 26 May 2007 17:55:24 +0000

I’m waiting for FANTASTICO to let me upgrade. I fear the possibility of screwing up my site. At least this way, it’s backed up from head to toe and I can easily reinstall it.

By: that girl again

that girl again — Sat, 26 May 2007 13:27:11 +0000

Why does the wordpress default theme include the version number in the header and order us to ‘leave this for stats’? I know security by obscurity is no substitute for keeping up to date, but, realistically, not everyone is going to upgrade on a monthly basis and broadcasting your vulnerability in metatags doesn’t seem the smartest move. Theme designers really need to start thinking about the code they’re using and quit blindly copy-pasting from Kubrick.

By: brem

brem — Fri, 25 May 2007 18:02:44 +0000

The thing is, you never know if the new version will work with all the plug-ins. And to backup the DB and files before every update is kind of a pain…

I update… but I tend to be one version behind…:)

By: Aaron Brazell

Aaron Brazell — Fri, 25 May 2007 16:39:34 +0000

Well all the devs blogs have it. In addition, you should subscribe to this or setup a google alert.

By: Dave Zatz

Dave Zatz — Fri, 25 May 2007 16:35:39 +0000

Adam is on target…

If WordPress x.x.x has a vulnerability WordPress the organization should be more active in communicating that to folks running the software. The only reason I knew 2.1.13 had a problem is because I read it here. My Dashboard says 2.2 is available, but it doesn’t say I should upgrade ASAP because there’s a security flaw. Security through obscurity?

Also upgrading can be stressful and a PITA for the less tech savvy. Again without learning abut upgrade scripts here, I’d still be putting it off.

By: Wendy Piersall

Wendy Piersall — Fri, 25 May 2007 16:34:06 +0000

Aaron, you can take partial credit for the fact that I am running 2.2 thanks to your post a couple of weeks ago. :)

By: adam

adam — Fri, 25 May 2007 14:07:21 +0000

just for clarity-
if 2.1.3 is that eminently hackable, why is there no 2.0.11? was the vulnerability only in the 2.1 branch?

By: Aaron Brazell

Aaron Brazell — Fri, 25 May 2007 13:32:56 +0000

adam: It’s on Digg now – and yes you can feel free to Digg it. On the other hand, Digg’s got a big bullhorn so thats another way to make lots of people hear about it.

YTour point about ongoing notifications though is well recieved.

By: Aaron Brazell

Aaron Brazell — Fri, 25 May 2007 13:05:59 +0000

So you’re saying you’d like me to demonstrate on your blog how 2.1.3 is vulnerable? Trust me when I say that I can gain admin access to your blog in 5 minutes.

By: adam

adam — Fri, 25 May 2007 13:05:53 +0000

this might be something that should be broadcast from the dashboard. i doubt that any of the people whose blogs are insecure are reading slashdot, or your blog, or the hackers list.

it’s the people who spend more time actually blogging, than reading about blogging. and it’s the reason that it’s so important that “easy upgrading” gets finished before any more versions of wordpress ship.

By: docwhat

docwhat — Fri, 25 May 2007 12:59:15 +0000

2.2 only came out 10 days ago. People running 2.1.3 are reasonably with-it.

It would be interesting if you check the same sites in a couple weeks to see how they change.

Ciao!

By: Andy Beard

Andy Beard — Fri, 25 May 2007 11:07:45 +0000

Running 2.2 on primary blogs, I have been slacking on a few niche ones and “marketing platforms”

At least I beat your statistics, but most don’t

By: Michael Hampton

Michael Hampton — Fri, 25 May 2007 10:57:53 +0000

Odd, that. Nine out of 10 of my blogs are up to date. The tenth is getting upgraded in a few minutes.