WordPress’ Christmas Present: A Security Update!

by Ben Cook on December 29, 2010

WordPress 3.0.4 Released

If you were disappointed by your Christmas presents this year, don’t worry! WordPress has one more gift for you… version 3.0.4 which, naturally, contains a critical security update!

That pair of socks your great-aunt gave you isn’t looking so bad now, is it?

For those of you keeping score at home, that’s 3 security releases in a month, with the latest being the most severe and hitting smack in the middle of the holidays.

Needless to say, this string of events doesn’t inspire much confidence in the platform.

Too Many Cooks or Not Enough?

While I’m admittedly not privy to all the details regarding security efforts, one need only look at the releases to see there’s a problem. WordPress versions 2.8 and 2.9 both had several security-related releases, and the pattern seems to have continued with 3.0.

I’ve gone on record several times, both on this blog and on Twitter, calling for the WordPress Foundation to hire more security experts to support programmers like Mark Jaquith who already focus on security.

Unfortunately, the WordPress team doesn’t seem to agree. Andrew Nacin stated that more security experts would result in too many cooks in the kitchen.

@Skitzzo 3.0.2 was released within 4 hours with three of us working on it. I think there's a limit to the # of cooks in the kitchen needed.
Andrew Nacin

And Mark Jaquith pointed out that they already consult with external security experts.

@Skitzzo recent issues were old, and minor. Haven't had a remote exploitable issue in years. And we have many external experts auditing.
Mark Jaquith

Perception is Reality

While many of the security issues addressed by recent releases have been relatively minor, requiring a would-be hacker to already have privileges to a WordPress installation in order to exploit the vulnerability, they still pose multiple problems.

First of all, more and more elaborate and advanced sites are being built on the WordPress platform. As that trend progresses, even these minor security issues will affect more users and provide the potential for even greater damage.

Secondly, and perhaps more importantly, these security issues pose a SERIOUS threat to how the platform is perceived.

if swiss cheese ever needs programmers they should hire wordpress's security team they would fit right in #justsayin
Michael Gray

Most users don’t take the time to understand whether their sites were actually at risk when a security update is released. So, when users see 3 security related releases in less than a month, many begin to question whether their sites are safe on WordPress.

This is essentially the same problem the community faces during all major hacking events. Whether the problem is with WordPress (as it is in the case of these security updates) or with a popular WordPress hosting company (as is usually the case), the platform’s image is what suffers.

Communication is Key

As I said before, I’m certainly not a part of the in-crowd when it comes to knowing the inner workings of the WordPress team. However, I was surprised to hear the team worked with outside experts on the issue of security. When coupled with the fact that many users associate any update with security, a common thread begins to emerge.

It would behoove the folks who work on WordPress to spend a bit more time educating the average user about what steps are taken regarding their site’s security. Explain what the vulnerabilities are when they arise, make it clear when an update DOESN’T contain any security fixes, and maybe even expand the notification area within the WordPress admin panel to provide more information.

Basically, WordPress needs to engage in a full-fledged PR campaign on the issue of security. Would hiring more security experts to work exclusively on WordPress.org help make the platform safer? I suspect it couldn’t hurt, and it certainly would be a major step in the right direction when it comes to public perception.
