I allow myself to bump this topic with a neighbouring concern: the plugins.
I DO know that eventually, the responsibility for one's WordPress security relies on the shoulders of the "technical contact", either the admin, or the professional hired by the admin as long as that professional remains under contract.
We've discussed this before, my attitude might look pushy, my main argument is that there are so many WordPress blogs on the internet that WordPress has now gained a "systemic" responsibility, and has to help unaware persons even if they don't give a hell about it and would have preferred to stay with an unhealthy obsolete installation.
*
OK, so, my additional concern.
I wanted to give a friend the list of the plugins I'm using on my biggest blog, so I parsed their list in my admin, to get their wordpress.org/extend/plugins/plugin-name hyperlinks.
Then I noticed that the links for 2 of my plugins were not working, nothing found.
Searching a bit, I found one of the plugins (Search Light) was open to SQL injections and had been removed until the admin sees to that, while the other, Shortcoder, created the possibility of an XSS exploit, and had been removed until a fix was applied.
I felt crushed to have been oblivious to that problem, those two plugins are active on my own blogs.
To avoid conflict, let's make that variation: I do NOT want to push onto WordPress coders the responsibility of the plugin maintainers, heck, no.
But, from the "global responsibility" perspective, with the plugins in mind, I want to make these 2 suggestions:
- replace the "nothing found LOL" page (the "lol" was only implicit), shown when we load the URL of a removed WordPress plugin, with a specific page.
That page should at least mention "the plugin has been removed for security reasons, you may need to investigate the forums, look, click the plugin-name tag automatically-generated-hyperlink".
Ideally, that page should mention a more precise reason for the deletion, like "potential XSS exploit, plugin removed on year-month-day, click here for the automatically-generated-tag-hyperlink-to-the-forums"
- this way, now that "plugin removed" pages exist, the WordPress administration software should automatically not only inform us of plugin updates, but also notify us of plugin removals.
This way, we'd know there's a new update to a working plugin,
but also there's a security issue with another plugin we use.
Come on, this is absurd, the way things are NOW.
A plugin we use gets an automated update notification in the admin panel because a security issue has just been fixed: normal!
A plugin we use gets removed because of a SERIOUS reason, we don't get any notification at all: how can that be called normal?
This is pushing more work onto WordPress, I feel sorry about it (and I also feel like a dick, once again, suggesting stuff that I can't do myself), but otherwise I believe there will remain a flaw in the WordPress ecosystem...