
WordPress Security and How I’m Going to Take All Your Money

So, it’s happened again. Another vulnerability discovered in WordPress that is now becoming the raging topic around the blogosphere. Is WordPress insecure? Should people move to another platform? If we stomp our feet loud enough and whine enough, then we can make WordPress look like a ridiculous piece of software that only amateurs should use.

I call bullshit. Here’s why.

The current security paranoia is around a vulnerability that has already been fixed! That’s right, it was known and patched two releases ago. The problem is, the people complaining about WordPress’ security are running old software. They didn’t bother to do the responsible thing and keep their blog up to date!

See, WordPress has two different types of releases. Major releases (2.5, 2.6, 2.7, 2.8, etc) provide new features. These releases keep the software innovative, bringing new functionality to bloggers every 4-6 months. Security releases (2.8.1, 2.8.2, 2.8.3, 2.8.4, etc) are the point releases within a major series; they carry no new features, only fixes, and are arguably more important than major releases because they keep you safe!
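To make the major-versus-security-release distinction concrete, here is a small audit script, an added example that is not code from this post or from WordPress itself. It reads the version string WordPress stores in wp-includes/version.php (as `$wp_version = '2.8.4';`), compares each install against a reference release, and reports whether the site is current, missing a security release within its own series (2.8.1 versus 2.8.4), or a whole major series behind (2.7 versus 2.8.x). The site names, the version.php contents and the reference release 2.8.4 are constructed inputs for the example.

```python
"""Audit WordPress installs for missing security (x.y.z) or major (x.y) releases.

Added example, not code from the post or from WordPress. The only WordPress
fact relied on is that wp-includes/version.php contains a line such as
    $wp_version = '2.8.4';
"""
import re
from pathlib import Path

VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_wp_version(php_source: str) -> str:
    """Extract the version string from the text of wp-includes/version.php."""
    match = VERSION_RE.search(php_source)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_tuple(version: str) -> tuple:
    """Normalise '2.8', '2.8.4' or '2.9-beta1' to a comparable (major, minor, patch)."""
    core = version.split("-", 1)[0]          # drop pre-release suffixes like -beta1
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                     # '2.8' is the .0 of its series
        parts.append(0)
    return tuple(parts[:3])


def classify(installed: str, latest: str) -> str:
    """Compare an installed version with the reference release.

    'current'                  -> at or beyond the reference release
    'security-release-behind'  -> same x.y series, older point release
    'major-release-behind'     -> older x.y series; such installs also lack
                                  every security fix shipped in the newer series
    """
    inst, ref = version_tuple(installed), version_tuple(latest)
    if inst >= ref:
        return "current"
    if inst[:2] == ref[:2]:
        return "security-release-behind"
    return "major-release-behind"


def installed_version(wp_root) -> str:
    """Read the version of a real install rooted at wp_root (hypothetical path)."""
    return parse_wp_version((Path(wp_root) / "wp-includes" / "version.php").read_text())


def audit(installs: dict, latest: str) -> dict:
    """Map site name -> status, given each site's version.php contents."""
    return {name: classify(parse_wp_version(src), latest) for name, src in installs.items()}


# Constructed sample inputs standing in for three hosted sites' version.php files.
SAMPLE_SITES = {
    "clientA": "<?php\n$wp_version = '2.8.4';\n",
    "clientB": "<?php\n$wp_version = '2.8.1';\n",
    "clientC": "<?php\n$wp_version = '2.7';\n",
}
LATEST = "2.8.4"   # assumed reference release for this example

if __name__ == "__main__":
    for site, status in audit(SAMPLE_SITES, LATEST).items():
        print(f"{site}: {status}")
```

For a real fleet, replace `SAMPLE_SITES` with the contents of each site's wp-includes/version.php (or call `installed_version` on each document root) and keep `LATEST` at whatever the current WordPress release is; anything other than `current` is a site that needs the upgrade button pressed.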

Bloggers who ignore these security releases do so at their own risk.

And because of that, when you are hacked, I will charge you an assload of money to fix you up! Believe it.

There is nothing I want to do more on a holiday weekend that also happens to be my birthday weekend than fix the blogs of people who didn’t bother to take care of themselves. It’s personal responsibility. Oh, I’ll do it. You won’t like the bill, though.

If you’re using WordPress 2.7+, as said loudmouth blogger was, it’s so simple to keep things up to date with the auto-upgrade button. WordPress even informs you when your version is out of date and provides a direct link to the upgrade page. If you ignore that, it’s not my fault… it’s yours.

For clients hosted on my servers, you are up to date. Why? Because I make sure of it. For the rest of you, do your part, so I don’t have to. Because my part will be making your blog secure, but it will also be sending you a sizable invoice.

Cheers, and happy Labor Day!

Aaron Brazell

Aaron Brazell is a Baltimore, MD-based WordPress developer, a co-founder at WP Engine, WordPress core contributor and author. He wrote the book WordPress Bible and has been publishing on the web since 2000. You can follow him on Twitter, on his personal blog and view his photography at The Aperture Filter.

20 thoughts on “WordPress Security and How I’m Going to Take All Your Money”

  1. I completely agree, Aaron.

    People are making a bigger deal of this than they should be. Stay up to date and you’ll be fine with security updates. You should be staying up to date no matter what ANYWAY.

  2. It amazes me that there are all these experts on technology and social media but they have such a poor understanding of the tools that are out there. Sure they can talk about all this conceptual stuff, use their position to get access, and draw a large following but don’t have the ability to hit a freaking button to update their blog.

    The issues with plugins that are going to break because they don’t work with newer versions of WordPress is also pretty poor. 9 times out of 10 those old plugins that you were using have competitive plugins that are newer you just have to do some research.

    It is easy to be lazy and point fingers over educating yourself about a tool you are using and have a better understanding of it while protecting yourself.

  3. Aaron,

    The problem is that upgrading isn’t 1-2-3. The auto-upgrade 1) doesn’t work for many of us (and I’m on an expensive dedicated server at Rackspace) and 2) doesn’t ensure that the site won’t break when we upgrade.

    Moreover, upgrading breaks Themes. It breaks plugins. That means a lot of time and, for those of us paying people to do it, money. Especially if we have multiple blogs. And there’s an “upgrade” or “security fix” every time I turn around. You built Manzine for me just a few weeks ago and there have already been four version changes. It’s just ridiculous.

    The only reason we should have to upgrade is to take advantage of improvements to the software, not because software was released that was dangerous to the community.

  4. Leaving your blog unpatched for security patches is akin to having a Windows XP workstation connected to the Internet with no anti-virus and no operating system patches. I am of the opinion that an ounce of prevention is worth a pound of cure. Still, as a platform gains notoriety and usage, one should expect its exposure to hackers to increase.

    Minor updates should not break themes and plugins. We all know that it does happen from time to time. If, in fact, they do, then it is pretty clear that the theme or plugin was using a non-standard way of doing its work. In other words, the theme or plugin was clearly doing something it should not have been doing. Still, developers are kept abreast of these issues, and I would expect the impetus to be shared by them as regards to deploying a fix to their theme or plugin.

    To draw a similar comparison, I would most certainly complain if a Windows security patch is installed and it breaks one of my main applications. I also think that the developer of my application is on the hook for getting a timely update ready to address this breakage.

    Maybe it’s my systems background, but I really think that some of the complaints are truly a tempest in a teapot. I was once fearful of the WordPress patch and upgrade routine, but even doing it manually is pretty easy.

    (Unrelated: Happy Birthday, Aaron!)

  5. Not you, James.

    But upgrades don’t break themes. You need to not have your theme in the default directory. Name that directory something else and it won’t break. :)

    Plugins rarely break. We had big plugin breaks for WP 2.3 because of the inclusion of tags and then in 2.7 with the new backend. Very little broke in 2.8 despite a new Widget API, etc. Security releases never break plugins if those upgrades were done as incremental (i.e. WP 2.8->2.8.4)

    And you’re wrong about the reason you should upgrade. There is no software on the planet that doesn’t have flaws. Don’t buy into the hype. Stay on top of upgrades.

    Again, though. This isn’t about you. This is about the people who are crying on Twitter about WordPress security, and who are writing posts on their blogs about how unsafe they feel when they haven’t done what they need to do to ensure their own protection. WordPress 2.7 was KNOWN to have wide open holes that have been fixed. But if Scoble and others won’t do what they have to do to protect their blogs, it’s not my problem. :)

  6. James, if auto-upgrade isn’t working let’s try to figure that out, either there’s something we can improve in WP or your server is configured incorrectly, which the expensive folks at Rackspace should be able to fix.

  7. Hey Aaron,
    I think you’re right to say that people should keep themselves up to date.
    People would say you’re crazy if you still used a wooden lock on your house.
    Paying big $$$ will teach many…. but not all

  8. Matt and Aaron: Yes, that would be great. Not sure why auto-update isn’t working on my plugins or WP installs. It may be a simple permissions issue and I haven’t spent much time working the issue.

    Aaron: We put the custom theme in the default directory some time back because we kept having crashes that, upon MySQL reboot, would restore everything to default. It got so aggravating that we finally gave up and just made the custom one default.

    I actually don’t expect software to be perfect but I figure it should continue to do what it is it always did without constant maintenance. I had very bad experiences with the upgrade from some of the very earlier versions (and I’ve used people like Mark Jaquith, Ed Burns, and Aaron to do my work so it’s not like I’ve got amateurs tinkering with my stuff) and am thus leery to upgrade more often than I’ve had to. Which, of course, means my upgrades often aren’t incremental, thus compounding the problem.

  9. I believe that if you still don’t realize how important backup, security patches or the last virus definitions are, you’re living in the past. Some people have to bump their heads into a wall in order to wake up to reality, while others learn from other people’s wisdom.

  10. The misconception about an internet program is imho that one considers it like an immobile thing like a piece of rock in real life. In fact it is rather like a car; one has to care about it constantly or it will quite certainly fall apart. Actually one would have to have experts to look at it, since some of the exploits won’t be perceived easily and can do harm, nevertheless…

  11. I drive myself and those around me nuts doing version/release upgrades when I “should” be spending my time adding new functionality to the 20 odd websites I support. It is not just WordPress itself, but all the plug-ins. And, of course, other software like phpBB.

    Speaking of which, phpBB is a pretty good example of how to do version upgrades properly. It does two things that I wish WordPress did: (1) only replaces files that have changed; and (2) uses comparison technology to identify changes to files, then loads the new file and re-applies the changes you’ve previously made. On the other hand, phpBB is a really lousy example of leaving your users high and dry when they refused to provide any HTML to bbcode conversion despite ending support for HTML in Posts beginning with Version 3.

    I’ve also got to believe that WordPress (and other Open Source software) could come up with a way to “keep a secret”. In other words, isn’t there some way to keep Security Holes in older WordPress releases Top Secret? Yes, I know that users around the world are the ones that discover many of the bugs in WordPress. But I also know that most security holes are understood only fully by the WordPress Development Team, and are generally the result of several different bug reports. Of course, I don’t hang around with Hackers, so I don’t know exactly how they get the information they need to ruin things for the rest of us.

    Happy birthday, Aaron.

  12. Looks like Mark is charging $50 bucks for his services

    That’s just for getting auto-upgrade working. :-) If someone has had their install compromised, that’s a different story. There are some interesting discussions going on surrounding upgrades, why people are afraid to do them, and how we can put them at ease… I think we’re going to see some really interesting stuff in the coming months.

  13. I don’t like to upgrade WP too often, as long as there are no urgent security fixes it’s fine.

    I don’t understand why anyone thinks it takes time to update. I still do manual updates and it’s a snap. I may wait a day or two before updating so I can upgrade my local test site and test compatibility with plugins but that is it.

    The minor updates are primarily security fixes and minor bugs. People should be upgrading to those quickly. I could see taking a couple of days to test on a local or dev server before a major version update as those are also major code changes.

  14. Excellent points Aaron! WordPress is always on top of their game, and whenever there is a vulnerability or issue, there will swiftly be a fix. I love WordPress and I am thoroughly impressed, this negative publicity is nonsense.

  15. If the auto-update doesn’t work for you (doesn’t on my server even though FTP is wide open), how hard is it to upgrade anyway? Download zip file. FTP zip file.

    Some of the Twitter-stream seemed to characterize this security bug like it was a confirmation that the world is ending in 2012. Meanwhile it seems like a few basic precautions would have helped mitigate the risks in the first place. Even a simple PW protect on wp-admin would help block a lot of attempts to whack a server.

    To quote my UNIX mentor from the early 90s “the only way to make your server 100% safe from hackers is to turn it off or to pull the Ethernet cable.”
