I was reminiscing today on what the world was like when I released my WordPress version check plugin back in 2005.
What a different world it was: upgrading WordPress took time, and people just didn't bother even though new versions containing security fixes had been released.
Now, as we are just about to get WordPress 2.8, people can upgrade with the click of a button, and there hasn't needed to be a security release for WordPress 2.7. How things change.
In celebration of this I have decided to take down the web service which supported the plugin, and have started the shutdown process by changing the message it returns to point to this blog post. So please uninstall the plugin and rely on the update notification that has been built into WordPress for a few releases now.
Oh, and don't forget: if you're one of those people who has been ignoring these messages and are still running v1.5.2 (yes, you know who you are), then please upgrade.
It's great to see that the Habari guys are committed to security as well as functionality, and are providing security updates for their pre-1.0 software. It is a pity to see that they don't disclose much in their security announcements.
For me, responsible open security practice should mean that, as well as providing a quick response to security issues, you provide enough detail about the issue to your users to allow them to make a judgement call about how important the upgrade is to them. Do they need to do the upgrade immediately because the issue is easy to exploit, or can it wait until the weekend when they have more time to ensure they have a backup and a plan for when the upgrade goes wrong?
Due to hardware issues this site has seen some unplanned downtime of late. The server that was hosting this site (and providing SMTP/IMAP/DNS/ircbot services for ftwr.co.uk) started playing up and would randomly lock up hard. After a few days of trying to resolve these hardware issues I decided that it was time for a two-pronged response: build a new server to replace the current one, and start to move some of the services off onto a VPS.
I had been planning for a while to get a Slicehost VPS to move all the web properties onto, so as to have more bandwidth available for visitors; this site was shifting 5G of traffic a month up my ADSL connection on its own!
Hopefully all of this site should be running fine now that I have got apache2/mysql tuned to run in the limited environment of my 256M slice and wp-super-cache up and running.
Please let me know if anything is broken!
WordPress seems to have had the dubious pleasure of being nominated for the 2008 Pwnie Awards in the "Mass 0wnage" category:
It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins. Many of them are actively being exploited to own popular WordPress blogs and use them to serve spam or client-side exploits to unsuspecting visitors. The popularity of WordPress combined with the abysmal security practices of WordPress plugin developers places the entire Internet at risk and is worthy of a nomination.
To be fair, many of the vulnerabilities that are reported are within plugin code rather than the core. For more information on the CVEs reported for WordPress and WordPress plugins this year, you can head over to the Codex.