WordPress’ Christmas Present: A Security Update!

by Ben Cook on December 29, 2010

WordPress 3.0.4 Released

If you were disappointed by your Christmas presents this year, don’t worry! WordPress has one more gift for you… version 3.0.4 which, naturally, contains a critical security update!

That pair of socks your great-aunt gave you aren’t looking so bad now, are they?

For those of you keeping score at home, that’s 3 security releases in a month, with the latest being the most severe and hitting smack in the middle of the holidays.

Needless to say, this string of events doesn’t inspire much confidence in the platform.

Too Many Cooks or Not Enough?

While I’m admittedly not privy to all the details regarding security efforts, one need only look at the releases to see there’s a problem. WordPress versions 2.8 and 2.9 both had several security-related releases, and the pattern seems to have continued with 3.0.

I’ve gone on record several times, both on this blog and on Twitter, calling for the WordPress foundation to hire more security experts to help the programmers like Mark Jaquith who already focuses on security.

Unfortunately, the WordPress team doesn’t seem to agree. Andrew Nacin stated that more security experts would result in too many cooks in the kitchen.

@Skitzzo 3.0.2 was released within 4 hours with three of us working on it. I think there's a limit to the # of cooks in the kitchen needed.
Andrew Nacin (@nacin)

And Mark Jaquith pointed out that they already consult with external security experts.

@Skitzzo recent issues were old, and minor. Haven't had a remote exploitable issue in years. And we have many external experts auditing.
Mark Jaquith (@markjaquith)

Perception is Reality

While many of the security issues addressed by recent releases have been relatively minor, requiring a would-be hacker to already have privileges to a WordPress installation in order to exploit the vulnerability, they still pose multiple problems.

First of all, more and more elaborate and advanced sites are being built on the WordPress platform. As that trend progresses, even these minor security issues will affect more users and provide the potential for even greater damage.

Secondly, and perhaps more importantly, these security issues pose a SERIOUS threat to how the platform is perceived.

if swiss cheese ever needs programmers they should hire wordpress's security team they would fit right in #justsayin
Michael Gray (@graywolf)

Most users don’t take the time to understand whether their sites were actually at risk when a security update is released. So, when users see 3 security related releases in less than a month, many begin to question whether their sites are safe on WordPress.

This is essentially the same problem the community faces during all major hacking events. Whether the problem is with WordPress (as it is in the case of these security updates) or with a popular WordPress hosting company (as is usually the case), the platform’s image is what suffers.

Communication is Key

As I said before, I’m certainly not a part of the in-crowd when it comes to knowing the inner workings of the WordPress team. However, I was surprised to hear the team worked with outside experts on the issue of security. When coupled with the fact that many users associate any update with security, a common thread begins to emerge.

Communication.

It would behoove the folks that work on WordPress to spend a bit more time educating the average user about what steps are taken regarding their site’s security. Explain what vulnerabilities are when they arise, make it clear when an update DOESN’T contain any security fixes, and maybe even expand the notification area within the WordPress admin panel to provide more information.

Basically, WordPress needs to engage in a full-fledged PR campaign on the issue of security. Would hiring more security experts to work exclusively on WordPress.org help make the platform safer? I suspect it couldn’t hurt, but it certainly would be a major step in the right direction when it comes to public perception.


Chris Johnson December 29, 2010 at 8:44 pm

When they decided to assert themselves over the GPL issue, I had clients asking me if they wanted to be on WordPress at all, asking what the fuss was about.

It wasn’t that there was a GPL issue, it was the way that it was communicated.

Ben Cook December 29, 2010 at 9:07 pm

Chris, I’ve had clients asking me about security because every time they see the update bar in the admin panel, they assume it’s security related. Lately, I’ve not been able to tell them I’m wrong.

Most of the security related issues lately have been pretty minor & probably don’t impact most sites, but the average (or perhaps slightly below average) user doesn’t know enough to know the difference between those minor ones & more serious issues like this one.

Bottom line, I think better communication is DEFINITELY needed.

Andrew Nacin December 30, 2010 at 9:55 am

Hi Ben,

We have some highly talented and very qualified individuals that investigate and fix security vulnerabilities that are reported – it was for this that I suggested manpower was not an issue (it isn’t). But even then, for specific vulnerabilities we’ve confirmed, we’ll reach out to security researchers as necessary. (We did for 3.0.4.)

What we need is greater input from security researchers on discovering unknown vulnerabilities, something we’ve been working toward. If that’s along the lines of a contract or audit, then that may work from time to time, but ultimately, it comes down to needing to engage the greater security community. Hiring a warm body or two isn’t going to help when at this scale security needs to be crowdsourced.

The entire core team is meeting for about a week in January. I am sure security will be on the agenda. Your concerns are heard. It’s not that I disagree, I really don’t: We both recognize we need more input on security issues, just as any software project does. I’m just suggesting that outside input is going to be far more effective.

And of course, there’s that perception issue. I’m sure we’ll be discussing that too. In terms of communication, I’d consider the call for help in the 3.0.4 announcement post to be a start.

Nacin

DWcourse December 30, 2010 at 1:59 pm

@Andrew, you might want to consider how scary a line like this sounds to the average user when it appears in the official announcement of an update:

“If you are a security researcher, we’d appreciate you taking a look over this changeset as well to review our update. We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible.”

I understand the intent is good, but to some folks that sounds like, “If there are any problems, let us know.”

Andrew Nacin December 30, 2010 at 2:33 pm

Jim, I’ll be honest, I don’t think that line sounds scary to the average user, but rather reassuring. I could be totally off base, of course, but I think it says we care very seriously about security.

DWcourse December 30, 2010 at 3:11 pm

Andrew, I know you guys care about security. You wouldn’t release these patches if you didn’t. But I found the line disturbing. It’s kind of like Toyota coming out with a new car and saying in the owner’s manual, “If you know anything about brakes…”

Dean Saliba December 31, 2010 at 2:20 am

I’m glad I’m not the only person who is worried about this.

Don’t get me wrong, I’m very happy using their blogging platform but they could surely hire some extra help because we have had 4 security updates in the past month. So it took until last month to spot them.
