General Discussion: Thoughts on Security Vulnerabilities in WordPress

  • prowsej

    (@prowsej)


    17 years, 4 months ago

    I’m wondering if you could provide a suggestion.

    I have wordpress installed on my site. Every couple of months I get an email from my hosting company saying that they have scanned my files and that the version of wordpress that I have is insecure (vulnerable to some sort of attack, the latest was a XSS attack) and that I should upgrade.

    My issue is that I don’t much want to have to upgrade to the latest version of wordpress. What I would like instead would be
    a) giving wordpress the ability to patch itself by downloading and installing updates without my intervention or
    b) a stable version of wordpress that was thoroughly checked for vulnerabilities in the same way that BSD has been.

    I guess I’m just a bit frustrated by the upgrades, so I thought I’d post here to express how I feel. I don’t want to pay for hosting and the wordpress.com free hosted version of the software is too limited for what I want when compared to what hosting yourself can do. But it’s still a hassle!

    Cheers : )

Viewing 4 replies - 1 through 4 (of 4 total)
  • figaro

    (@figaro)

    17 years, 4 months ago

    b) a stable version of wordpress that was thoroughly checked for vulnerabilities in the same way that BSD has been.

    I’m sure WordPress is thoroughly checked for known vulnerabilities, but it’s impossible to know what tomorrow’s vulnerabilities may be. Any opensource software that is secure today, may not be tomorrow…that’s just the nature of the beast. New vulnerabilities pop up all the time, so regular upgrading is a must to stay secure.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    17 years, 4 months ago

    a) giving wordpress the ability to patch itself by downloading and installing updates without my intervention or

    Guns don’t kill people, automated risk mitigation systems do…

    With 2.7 it’s a lot easier to upgrade plugins and wordpress itself but it does require someone to consciously make the decision and pull the trigger.

    BSD’ish solution: If you have many blogs to watch over, consider keeping one copy up to date and creating an rsync (via ssh) job to keep the other installation’s files up to date. That could easily include themes and plugins and would not do anything to the separate blogs databases.

    Len

    (@lenk)

    17 years, 4 months ago

    WordPress is no more insecure than any other dynamic PHP application. As previously mentioned there is no way to tell what tomorrow may bring. It’s a cat and mouse game – bad guys figure out a way to exploit something and good guys fix it. Such is the nature of the beast with not only a dynamic language but an open-source app where everyone and his dog can study the source code.

    With the new core upgrade feature built into 2.7 there is no excuse not to upgrade. (unless you don’t want to for some reason)

    Thread Starter prowsej

    (@prowsej)

    17 years, 4 months ago

    I didn’t know about the new core upgrade feature. Thanks for the heads up. I just watched the sexy “what’s new with 2.7 Coltrane” video and I’m impressed, downright jazzed. I think that the core update functionality will address my peeve.

    Cheers! : )

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘General Discussion: Thoughts on Security Vulnerabilities in WordPress’ is closed to new replies.