Techcrunch Says WordPress a Massive Security Risk
(The link to the article is lower in this post, to ensure the proper text appears in the Techcrunch trackback…)
Techcrunch yesterday featured an article by Nik Cubrilovic with the salacious title “WordPress Security Issues Lead To Mass Hacking. Is Your Blog Next?” – from that article:
Due to its popularity as a blogging platform, WordPress has become a prime target for hackers looking to take over blogs for search-engine optimization (SEO) of other sites they control, traffic-redirection and other purposes. Recently there have been a spate of automated attacks which take advantage of recently discovered security vulnerabilities in WordPress.
To date, WordPress has been keeping up with the security holes by releasing updates within a few days of new exploits being found, but in the past few days new exploits have appeared that nobody seems to have answers for.
Okay, that kind of talk gets my interest. Funny thing, when I was talking with the Automattic guys (who develop WordPress) yesterday, no mention was made of any new security vulnerabilities. So I had a look at the stuff he cites as “the past couple days”, and the issues are all over a year old, affect out-of-date versions of the software, and are remedied in current releases.
So we have a situation in which one of two things is happening:
- This is a “hit job” on Automattic by Techcrunch for reason or reasons unknown – if so, shame on you…
- Or…there are vulnerabilities which Techcrunch did not identify so as to allow WordPress to come up with a fix. If this is the case, I applaud their handling of the issue.
3 thoughts on “Techcrunch Says WordPress a Massive Security Risk”
Not all the issues are over a year old, but as I discovered, all the blogs he cites as attacked had been running outdated versions of WordPress for a while.
In my own experience Automattic is extremely quick in fixing security holes. For instance they jumped from 2.5 to 2.5.1 in less than a month due to the security risks they found…
I’m going to say at this point the article was a scurrilous attack on Automattic – seeing as the author did not respond to direct article comments asking for clarification.
I ran a Developer Brown Bag on WordPress Security with my team today and we went over many of the most recent security issues. Very interesting stuff – and most of the attacks would require either someone to release a package script (for the script kiddies) or a very serious knowledge of coding.
The bottom line:
1. Stay up to date
2. Use only plugins in general release and keep them up to date.
3. .htaccess-protect wp-admin
4. Use as few plugins as possible (Do you hear me, DC!)
5. Back up and always assume you could lose the stuff on the webserver at any point.
6. If you use other software, or code yourself, be sure every single form field is protected properly against SQL injection attacks.
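The last point in that list, protecting form fields in your own code against SQL injection, as an added example that is not from the post, its commenters, or WordPress core: the same lookup written the unsafe way and then with `$wpdb->prepare()`. It assumes a current WordPress install (so `$wpdb`, `esc_like()`, `wp_unslash()` and `sanitize_text_field()` exist) and a hypothetical custom table named `guestbook`.

```php
<?php
// Added example (not from the post or from WordPress itself): one lookup
// written two ways, to show what "protected against SQL injection" means
// in plugin or theme code. Assumes the global $wpdb object and a
// hypothetical custom table {$wpdb->prefix}guestbook with columns
// id, author_name and message.

// VULNERABLE: the request value is concatenated straight into the SQL.
// A quote character in the value closes the string literal and whatever
// follows it is parsed as SQL, not as data.
function guestbook_search_unsafe( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'guestbook';
    $sql   = "SELECT id, author_name, message FROM $table WHERE author_name = '$term'";
    return $wpdb->get_results( $sql );
}

// HARDENED: $wpdb->prepare() binds the value as data. %s is quoted and
// escaped by WordPress, %d is cast to an integer; neither can alter the
// structure of the statement.
function guestbook_search_safe( $term, $limit = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'guestbook';
    $sql   = $wpdb->prepare(
        "SELECT id, author_name, message FROM {$table} WHERE author_name = %s LIMIT %d",
        $term,
        (int) $limit
    );
    return $wpdb->get_results( $sql );
}

// LIKE searches need one more step: % and _ are wildcards inside LIKE, so
// escape them with esc_like() before binding, or a user can widen the match.
function guestbook_search_like( $fragment ) {
    global $wpdb;
    $table = $wpdb->prefix . 'guestbook';
    $like  = '%' . $wpdb->esc_like( $fragment ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, author_name FROM {$table} WHERE message LIKE %s", $like )
    );
}

// Usage: read the form field without trusting it, then pass it to the safe
// function. The binding, not the sanitising, is what stops injection;
// sanitize_text_field() only tidies the value for display.
$term = isset( $_GET['author'] ) ? sanitize_text_field( wp_unslash( $_GET['author'] ) ) : '';
$rows = guestbook_search_safe( $term );
```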