What’s Wrong with WordPress?
There’s a giant pink elephant in the WordPress forum that nobody seems to be talking about and it’s been staring at my peanuts for the past few weeks, so let’s take a moment to ask ourselves how safe the platform really is.
WordPress, for those who don’t know, is a blogging platform turned website manager which makes it fantastically easy to build, deploy and manage websites. It’s the best platform on the market for doing this, and it’s free. That’s a pretty powerful endorsement, right? Well, it’s true … except … in the past few months the people who run WordPress and are responsible for it have been getting sloppy. Let’s take a look at some of the recent security holes.
Security Holes
The 2.8.4 release this weekend was due to a newly discovered hole in WordPress. In fact, the hole (which seems to have appeared in 2.8) was so big, it allows anybody with even a basic understanding of web technology to reset your admin password whenever they want. When 2.8.3 was released on the 3rd of August, it was to fix security flaws overlooked in the 2.8.2 release from July 20th. In fact, every release since 2.8 has been to fix major security flaws in the core WordPress application. Here’s how WordPress describes their 2.8.1 upgrade:
WordPress 2.8.1 fixes many bugs and tightens security for plugin administration pages. Core Security Technologies notified us that admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked [emphasis added]. Not all plugins are vulnerable to this problem, but we advise upgrading to 2.8.1 to be safe.
If you think I’m being tough on the people at WordPress, take a moment and read the release reports on WordPress.org; they show nearly three months of security blunders by the world’s most popular package, and if you think that you’re immune, think again. In March, Ashley Morgan, who runs Upstart Blogger, was the victim of a cyber attack; in June my website was hacked and trashed by somebody promoting links to flu vaccines, and earlier that month we suffered hacks on both Tinker Priest Media and my partner’s website BavotaSan.
Ashley’s advice is strong: make sure you update your backups daily and always download the latest security updates from WordPress, especially when they’re released on weekends. Take my friend Chris’s advice and remove references to your WordPress version, install some basic security on your WordPress blog, and always remember that there are people out there who want to hack your site.
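Here is one way to act on the “remove references to your WordPress version” advice without hand-editing your theme. This is an added example, not code from the post or from WordPress itself: a small must-use plugin that hooks the WordPress actions and filters which print the version (the `wp_generator` action on `wp_head`, the `the_generator` filter used by feeds, and the `style_loader_src`/`script_loader_src` filters that append `?ver=x.y.z` to stylesheet and script URLs). The plugin name and the `hwv_` function prefix are my own choices.

```php
<?php
/*
Plugin Name: Hide WordPress Version (added example, not part of WordPress)
Description: Removes the WordPress version from page output. Save as
             wp-content/mu-plugins/hide-wp-version.php and it loads automatically.
*/

// 1. Stop the <meta name="generator" content="WordPress x.y.z" /> tag that
//    wp_generator() prints from the wp_head action in your theme's header.php.
remove_action( 'wp_head', 'wp_generator' );

// 2. Feeds (RSS/Atom) and some themes call the_generator() directly; return an
//    empty string so no version is emitted there either.
function hwv_blank_generator( $generator ) {
    return '';
}
add_filter( 'the_generator', 'hwv_blank_generator' );

// 3. Enqueued scripts and styles get a ?ver= query string. When a handle
//    registers no version of its own, WordPress substitutes its own version,
//    which leaks the same information as the meta tag. Strip the parameter.
function hwv_strip_version_query( $src ) {
    if ( strpos( $src, 'ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// A high priority runs this after other plugins have added their own ver= values.
add_filter( 'style_loader_src',  'hwv_strip_version_query', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_version_query', 9999 );
```

Two caveats. Stripping `?ver=` also removes the cache-busting that WordPress relies on, so after upgrading a plugin or theme you may need to clear browser or CDN caches yourself. And hiding the version is only cosmetic: the `readme.html` file in the WordPress root states the version too, so remove or deny access to it as well, and the real protection is still installing the update the moment it appears. To confirm the change took, fetch your front page and feed with `curl` and check that neither contains the string `generator`.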