WordPress Security is a Joke (2.9.2 Released)

by Ben Cook on February 16, 2010

WordPress 2.9.2 was released yesterday and, following the recent trend, it contained a security patch.

It would seem that the idiot-proofing “feature” of sending posts to the trash instead of deleting them permanently allows any logged-in user to read those trashed posts.

You can read all the details over on Thomas Mackenzie’s blog, but basically, if you have any sensitive data in a post that you trashed, or perhaps said something unflattering, you need to upgrade immediately, as any registered user of your blog can view it regardless of the role or permissions they have been given.
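The authorization gap described above, modelled in plain Python rather than WordPress’s PHP, as an added example that is not from this post or from WordPress itself. The User and Post structures, the sample data and the `visible_*` rules are constructed for illustration; only the capability names (`edit_others_posts`, `read_private_posts`) are borrowed from WordPress’s role model, and the hardened rules are a simplification, not WordPress’s actual capability mapping.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    capabilities: set = field(default_factory=set)  # e.g. {"edit_others_posts"}
    logged_in: bool = True

@dataclass
class Post:
    post_id: int
    author: str
    status: str   # one of: publish, draft, private, trash
    body: str

ANONYMOUS = User("anonymous", set(), logged_in=False)  # constructed: not logged in

def visible_weak(user, post):
    """The pattern behind the bug: 'logged in' is treated as authorization."""
    if post.status == "publish":
        return True
    return user.logged_in          # any registered user reads drafts and trash

def visible_hardened(user, post):
    """Authorize on ownership or an explicit capability, never on login state.
    Constructed simplification of a role/capability check, not WordPress's own code."""
    if post.status == "publish":
        return True
    if not user.logged_in:
        return False
    if post.author == user.name:       # authors may see their own drafts and trash
        return True
    if post.status == "private":
        return "read_private_posts" in user.capabilities
    return "edit_others_posts" in user.capabilities  # another author's draft/trash

def readable_ids(check, user, posts):
    """Return the ids of the posts that the given check would expose to this user."""
    return [p.post_id for p in posts if check(user, p)]

# Constructed sample data: an editor, a plain subscriber and a handful of posts.
EDITOR = User("alice", {"edit_others_posts", "read_private_posts"})
SUBSCRIBER = User("bob")
POSTS = [
    Post(1, "alice", "publish", "public announcement"),
    Post(2, "alice", "trash", "unflattering post we decided to trash"),
    Post(3, "alice", "draft", "unpublished work in progress"),
    Post(4, "alice", "private", "private note"),
    Post(5, "bob", "trash", "bob's own trashed post"),
]
```

Running `readable_ids(visible_weak, SUBSCRIBER, POSTS)` exposes every post, including the trashed one, to a plain subscriber, while the hardened check limits that subscriber to the published post and their own trash.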

Now, before I start in on my brief bit of commentary on this issue, please let me make something clear. I appreciate all the time and effort any and all WP devs contribute. WordPress is a platform driven by the good will of many smart coders.

WordPress Doesn’t Take Security Seriously – FACT

That being said, it has become painfully obvious that WordPress is completely inept when it comes to security. There have been countless vulnerabilities discovered, of varying degrees of seriousness. This lapse probably won’t impact a ton of users negatively, but it does continue the disturbing trend of WP vulnerabilities.

Yes, WordPress has made the upgrade process a hell of a lot faster & yes, they’ve implemented an alert system that lets users know when their installations are out of date. But instead of coming up with new and creative ways to help users stay upgraded, how about spending a healthy amount of time on security issues before each release?

WordPress 2.9 has been downloaded over 4 million times, and with that many blogs depending on your platform, you’d better have a better security plan than throwing it out there and patching as things are found.

How about, oh, I don’t know, hiring a security expert to pound on features before they’re released? How about recruiting some of the most devious minds in PHP to try and break things during beta testing?

If there aren’t funds currently available for this (although there’s no way for anyone other than Matt Mullenweg to know that), there are plenty of ways to raise money for the purpose of improving security.

There are currently affiliate links for different web hosts, and in the past it has been suggested that those funds go to keeping the server running. Why not toss a few more affiliate links (perhaps on the Premium Theme page) to pay for a security expert? If you don’t like that method, just put a PayPal link up and ask for donations.

The point is that if WordPress were REALLY serious about security issues, there are PLENTY of ways to go about addressing the glaring problem. Instead, we’re treated to a round of “we’re donating our time, not enough people participate in beta testing” excuses.

Until that changes WordPress’ security will remain the joke that it is.

Image Source: Robert S. Donovan


WPSecurityLock February 16, 2010 at 6:08 pm

Ben, it sounds like you are extremely frustrated that WordPress has yet another security release. And I appreciate how you feel. However, I disagree that WordPress doesn’t take security seriously. WP is kind enough to provide us the publishing platform for free, a place to report bugs, and gives security releases when known issues arise.

I do agree with you that it would be great if more money could go into WordPress development. But there is no way to make any platform perfect and no matter which one we choose, there is always a need for updates.

Ben Cook February 16, 2010 at 6:15 pm

Lol, well, considering the fact that your business is built on securing WordPress, I can understand why you might take that position.

However, WordPress is not “kind” for making the platform open source. It was built on the remains of another open source platform which, if I recall correctly, requires it to be open source.

There will never be a perfect system, you’re right. However, the recent rash of security patches due to people just not coding new features properly illustrates where the priorities are. They spend a lot of time giving us new features (which everyone loves, because hey, who doesn’t like new stuff?) but they don’t devote the required resources to catch mistakes like this.

If there’s money there (few if any other than Matt know), dedicate it to a security expert. If not, raise some funds for one to at least show that they’re serious about it.

The developers that are working on the core are donating their time already; does WordPress leadership really expect them to be able to handle security competently as well?

Greg February 16, 2010 at 8:41 pm

How much do you want to bet that this bug never made it into the wordpress.com code?

“WP is kind enough to provide us the publishing platform for free, a place to report bugs, and gives security releases when known issues arise.”

Please. Automattic plays the role of open source defender because it strengthens their position in the marketplace by making sure any potential competitor is working only with the mediocre “free code”. If they were really about doing the right thing, they would release all the custom code they’ve developed. But they don’t. Instead, they just bully anyone who might try to truly make things better by making sure they have some type of real revenue stream to fund their development.

Jason L February 17, 2010 at 6:11 pm

I think this commentary is a bit unfair. I appreciate and respect the fact that you’re focusing attention on WP security, and it’s certainly useful to suggest strategies for improving overall security (I like your affiliate link idea quite a bit, and frankly overt yet limited advertising on Wordpress.org and .com is long overdue).

However, regardless of anyone’s feelings or problems, complaining about the quality of a FREE system is the definition of foolish and ungrateful behavior. I would have liked to have seen a post written in a more positive manner. I think this type of commentary is destructive – when some people in the WP Dev community read this type of post, I would imagine they find it very discouraging. That’s a bad thing.

Ben Cook February 17, 2010 at 6:39 pm

Jason, you’re going to make me whip out my rant post on FREE being a license to suck… 🙂

In any case, Matt recently admitted that a problem the community has is rejecting good arguments made in a poor manner. I would guess he’d classify this as just such an argument but I don’t know what else to call it when you have release after release for security reasons.

And to top it off, it’s not because new exploits have been found, it’s because people haven’t closed the doors behind them so to speak.

Again, I want to emphasize that I don’t blame the WP Dev community, as most of them are donating their time and aren’t making a living off Wordpress. There’s only so much a community like that can do. That’s why I’d like to see someone whose full-time job is dedicated to securing the platform.

And, again, WordPress is required to be open source based on the licensing it inherited from its predecessor. Sure Automattic could charge for it but there would be forks of each release and it would be fairly pointless.

So while I appreciate the WP dev community’s time & I don’t downplay the fact that Matt’s hard work got us to this point, please let’s drop the argument that he or Automattic are some sort of charity workers only helping us out of the kindness of their heart. They’ve got a million dollar business riding on WordPress.

Anyone making the argument that people shouldn’t try to make money off open source platforms should keep that in mind as well.

Anyway, thanks for your comment Jason and I’m sure many would agree with you that my style of blogging isn’t as helpful as it could be, but I get pissed off when such obvious solutions are available but none are taken.

Steven Kohlmeyer February 26, 2010 at 1:30 pm

So who’s going to put the time into Wordpress security if they don’t? What system will be?
