Pay No Attention to the WordPress Hacking Threats; Look at the Shiny rssCloud!

What’s great about WP is that the developer community works to create this great product and integrate new features. But I agree with Michael Gray that some of the basics like contact forms and sitemaps should really be a no-brainer at this point without having to use plugins.

But even if you have no plugin required contact forms and sitemaps, without stable code and security covered — it is all for naught. Whenever anything gains steam or visibility online, like WP has in the last several years, you have a target on your back. And, the hackers will work extra doubly hard to crack you simply because of that visibility. Part of the territory … territory I am sure Matt is well aware of.

The bottom line is that no matter what type of software or application you are talking about you have to update when updates come out or you risk the consequences of not doing so — including your MSIE browser!
.-= Judith´s last blog ..Social Media Friends: Are they really friends? =-.

In case you didn’t notice, the secure version of WordPress that was NOT affected by the worm (2.8.4) was released weeks ago. And anytime there’s a newer version than the one you’re running, a nag will appear in the Dashboard, letting you know that you should upgrade. And they mentioned some time ago (long before this recent worm came about) that they are having a professional security audit done on the WP codebase.

Also, when a plugin “breaks” due to a WordPress update, 9 times out of 10 it’s because the plugin author neglected to use the API correctly, and was doing something to muck with the WP internals in some odd fashion. This kind of breakage rarely happens on point-releases, which typically only contain bug and security fixes.

That said, was the RSSCloud announcement a bit of feel-good hand-waving? I don’t know. It might be. But I have the notion that it might tie into something that is still coming down the pipe that we don’t know about yet. For instance, I wonder if it could be related to Automattic’s recent purchase of blo.gs from Yahoo…
.-= Dougal Campbell´s last blog ..Most Useless iPhone 3.0 Feature =-.

We’ve met before, so I’m surprised you would malign my intentions like this.

Security is always worked on before any features, which is why we have an excellent reputation in the security community for responding to reports quickly, responsibly, and transparently, often turning around an update within 24 hours including a full QA cycle.

The answer to this is not bloating the core code with functionality like contact forms creating more code that needs to be audited and more vectors for attack, it’s focusing more on the core platform aspects that allow people to easily install and keep up to date with as many modules as they like. You can install a contact form plugin (or any plugin) in one-click on WP 2.7 and above. (RSS Cloud is a plugin, too.)

Our biggest challenge now is created by our success — now that there are thousands of plugins, themes, and we’ve made WP accessible to millions of people who are not systems-savvy, how do we make it easy for them to administrate their blog in a responsible manner while still having the ease-of-use and functionality they starting using WordPress for. This has not been done before, we’re blazing new territory, and there will be some bumps along the way, but it’s the primary focus of me and the WP community to solve this problem, as one-click installs of core, plugins, update notifications, plugin updates, theme installs, and core upgrades show.

We’re also capable of working on multiple things at once — later today we’re going to announce an acquisition but that doesn’t mean that the folks working on core WP are distracted or even involved.
.-= Matt´s last blog ..RSS Cloud =-.

Let’s list those plugins that always break and work with the developers to make them forward-compatible. Let’s sponsor development for them to be up to date. This is the beauty of Open Source, there’s no problem we can’t fix as a community.
.-= Matt´s last blog ..RSS Cloud =-.

We definitely do a lot of preventative security measures which are noted in release notes on every upgrade but most people don’t notice because it’s not sexy and even if you prevented 20 possible problems people just hear about the 1 that got through. However if you read through every major release since 2.3 there have been major proactive security measures in everything from user model, nonces, cookie encryption, password hashing, and more.
.-= Matt´s last blog ..Automattic Aquires AtD =-.

Matt,
I realize time is spent on security & preventative measures and that you’ll never prevent every new hack or exploit. But as evidenced by the recent 2.8.3 release, it’s obviously not enough.

Don’t get me wrong, like probably everyone commenting on this post, I love WordPress and will continue to use it. However, a release where basically the developers say “Sorry I missed a few spots” completely defeats any argument that you’re doing enough when it comes to security.

Also, the things that have been hitting us recently aren’t brand new to the online world. It’s not like they’ve been exploits of brand new features etc, they’ve just hadn’t been applied to WordPress before now.

I realize you probably feel like we’re all attacking your baby and your mother hen instincts are kicking in, but arguing with anyone that has any type of criticism isn’t going to help WordPress. If nothing else, take the info you’ve received from this and other threads, and realize that WordPress has a perception problem & figure out ways to combat that instead of being defensive.
.-= Ben Cook´s last blog ..Hidden Administrator Attack Hitting Outdated WordPress Sites =-.

Frederick – you’re missing the point. The criticism here is that WordPress developers are spending too much time working on things like RSScloud when there have been so many security issues lately.

Whether any one in this thread spends their time contributing to the code base of WordPress doesn’t change the facts that are being discussed.

Do I appreciate WordPress and the developers that work on it? Absolutely. But it’s not like Automattic is a charity either. So I’m sorry, but I don’t buy the argument that something being free makes it beyond reproach or somehow wrong to criticize.
.-= Ben Cook´s last blog ..Hidden Administrator Attack Hitting Outdated WordPress Sites =-.

@frederick I can tell you that 5 years ago when I was in the position of being the main support for an ecommerce and gift registry software package, we had to deal with XSS and malformed URL’s so this isn’t some new issue. We took the time fixed the problem and where done with it, because security is a mission critical function. So these types of problems aren’t new, they are just new to wordpress.

things like ajax dashboards and rssclouds should always be lower down the priority scale. if wordpress needs to call all hands on deck and pull people off of other projects to fix security issues thats what needs to be done
.-= graywolf´s last blog ..How I Got Lost Using Google Maps and the iPhone =-.

Dougal (dougal@gunters.org), who posted above, has also posted his thoughts to the WordPress developer’s list. I think the evident arrogance in his post is part of the problem:

In the aftermath of the recent WP worm, there has been the usual raft of FUD flying about. I won’t bother pointing out any particular sources — suffice to say that some of the recent posts about “WordPress Security” were reasonable, and many were not. It seems like every time there is some sort of security issue related to WordPress, regardless of the scope, it becomes a PR nightmare of sorts. Primarily, I think that it goes hand-in-hand with the popularity of WordPress: we are popular, therefore we are a high-profile target, and therefore when something goes wrong, it affects a lot of users, and therefore it gets a lot of attention. It’s the nature of celebrity.

The nature of celebrity? Celebrities have not been entrusted with control of their fan’s livelihoods. Celebrities don’ t promise anything more than entertainment. WordPress, through its claims, has earned itself popularity, but more so, trust. To scoff at the concern of users who bought the hype about how easy WordPress is, and how easy it is to use plugins, and how easy it is to download those plugins directly from WordPress’ own distribution network, shows an incredible arrogance on the part of Dougla Campbell.

For those who don’t recognize it, “FUD” is “fear uncertainty and doubt” and FUD is generally considered fear mongering with inaccurate information, usually as part of a competing agenda. Did I mention the arrogance?

As has been pointed out time and time again, WordPress is easier than ever to keep updated. When a new version is released, a nag appears in the Dashboard. From there, it’s just a couple of clicks to upgrade. And yet, people *still* lag behind. The reasons are varied, and _mostly_ invalid (depending on your perspective). Some of it is simply “fear of breaking something”. Some of it is just simple stubbornness (“I just upgraded, I don’t want to do it again so soon!”). Some of it might be ignorance and laziness (they see the nag, but don’t look at the WordPress News blocks in the Dashboard, or go to the main site to read about it).

Dougal conveniently neglected to mention the other reasons people don’t just upgrade. Like because a previous time they did “just upgrade”, they were nailed with problems that were not fixed until several days later when another release came out, to fix the broken release that had broken their website. Of course they tried desperately to make that first (broken) release work, because they didn’t actually know it had errors until the new new update came out. (the WordPress developer community seems to be fond of keeping the public in the dark until they are ready to not announce a fix to a broken update, but another update). Like Dougal here, they seem to have no clue about how their own constituents use their software, even though many are using it just the way they have been told to use it.

For working people responsible for websites, that few days of hell between one “bad” update and the next “good” one could at best cause turmoil in the workplace, and at worst, completely corrupt an install.

Or how about the FACT that WordPress has evolved over time, and many custom themes are not 100% compliant with the *latest* WordPress API standards? Ever try to get budget approval for a theme rewrite that will look almost the same, but include code changes in line with the new API features?

There are many other of very valid, legitimate reasons why people don’t want to “just upgrade because we told you to upgrade”.

The bottom line is.. WordPress is NOT easy, it is NOT robust and reliable because of the great community of developers behind it, and it is NOT something to just trust if you are not a programmer. Unless you have a throw-away blog you can just rebuild off a new install whenever necessary, or are a PHP developer capable of wading through the code and developer list discussions… then it is probably awesome.

Unless I am incorrect. I might be; I am just going by my own experiences using WordPress for several years, and monitoring the dev list and SVN. Your mileage may vary.
.-= john andrews´s last blog ..Google Owns Your Internets =-.

i cant figure out how to manage this kind of worm, are we realy secure in these world wide??? i dont think so
.-= @hmad´s last blog ..Intel Core i5 750 Processor Review =-.

Andy,
To be fair, that’s not the same as saying that the plugin WON’T work with the newest version, it just hasn’t been fully tested with the newest version.

A lot of plugins that haven’t been tested still work. It’s obviously not ideal, but I usually just install them and test them myself.
.-= Ben Cook´s last blog ..Hidden Administrator Attack Hitting Outdated WordPress Sites =-.

@John: I’m not sure why you feel like I was being arrogant in my posting to the wp-hackers mailing list — it certainly wasn’t my intention. And I think that the word “celebrity” is perfectly applicable to WordPress as a product and how it is perceived by much of the user community. I could have just said “popularity”, and the meaning and intent would have been pretty much the same. But I think that “celebrity” has some extra connotations that apply to any product as popular as WordPress is. I think many would agree that many brands have “celebrity” on their own, separate from the actual people associated with them (Starbucks, Nike, McDonald’s, Coca Cola, etc, just to name a few super-star celebrity brands).

But, I still don’t understand your argument. You seem to feel that the WordPress core devs are not paying attention to security. But the fact is that the bug being exploited by this worm was fixed TWO releases and over A MONTH ago. Yes, it’s unfortunate that there was a security problem in the first place. But if you’ve programmed a complex web application like WordPress (or any other fairly large web app), then you know that there are all kinds of code interactions that can be very hard to keep track of.

Sometimes you write some code and you think you’ve covered all the bases and cleaned up all your input. But you forget that your function might be called in some other context with input that you *didn’t* control. Or you’re doing complex things with regular expressions and you just didn’t anticipate some really weird off-balance input coming in which causes it to match in a way that you didn’t intend. And dozens of developers can look over a piece of code and say, “yup, that looks right to me.” But they just didn’t foresee that *one* strange case that causes it to fail. It happens because we’re all human.

In the last couple of releases, there have been several new escaping functions added to the system which are specifically for the purpose of making it easier for plugin and theme developers to generate safer code. This kind of proactive security development is just one example that shows that they *do* take security seriously. It’s nothing flashy, it’s all under-the-hood, system-guts, boring kind of stuff, so most people don’t notice it — just the watchful developers who need to know about those things.

I did not “conveniently neglect” to mention any other reasons that people don’t upgrade. I only provided a *few* examples of excuses that *some* people have used that I’ve read with my own eyes. And this was to illustrate the point that for whatever reason, the WordPress community and developers should do what we can to help these people feel “safer” about upgrading than they apparently do at this time.

And yes, there *has* been some FUD around this issue (in the sense of disinformation). The comments of a certain celebrity tech blogger come to mind. He certainly spread some fear and doubt when he publicly questioned whether he could trust WordPress. But then he admitted that he had not been diligent about upgrading his system, and did not maintain backups.

I am not unsympathetic to your concerns about updates being incompatible with older plugins and themes as the core evolves. I have stated in the past that I wish that when a new feature release was released, that bugfix and security changes would continue on the previous version branch for at least one more normal release cycle (in other words, maintain a stable 2.8 branch after the release of 2.9, and until the release of 3.0, etc.). This would at least give a few months of overlap time for plugin and theme developers to work out any incompatibility issues in a “supported” fashion, without feeling they had to immediately “pull the trigger” for a new version of their code as soon as a new version of WP came out. And it would give running sites a safe window to manage migrations if they find that they are running a plugin that has problems running in a new version of the core.

In any case, the point of the discussion I started was that if people are afraid to upgrade, we need to examine the *reasons* for that fear and begin fixing the processes that create that fear. Where there is FUD, educate. Where there are real problems, correct them. Where there is opportunity to improve, allocate resources to do so.
.-= Dougal Campbell´s last blog ..Most Useless iPhone 3.0 Feature =-.

@John

Thanks for clarifying. Part of the problem is the double-edged sword of third-party code. The availability of so many great third-party plugins and themes is one of the key features that makes WordPress such a great platform, for both developers and end-users. But we can’t expect the core devs to take the blame every time some non-core code blows up (maybe every once in a while).

I know that changes in core can happen that “break” plugin, it’s happened to me. I’ll give you my example: First of all, note that when I was a core developer myself, I created the “Post Custom Fields” (AKA “post meta”) feature. And the first WordPress plugin I wrote was HeadMeta, which takes advantage of this feature. But even though I wrote both the underlying API code and a plugin based on it, my plugin “broke” one day. Because in my plugin, I bypassed the API and directly accessed data from the $post data structure[1]. *I* didn’t see it break on *my* site, but others did (because I wasn’t triggering the serialization change that happened in core, and they were). Of course, I eventually got enough info from users of my plugin to figure out what was happening, and released an update to my plugin.

The point is, changes *will* occur in core. It must evolve and improve and grow new features.

But did the core devs have any responsibility to avoid changes that would break my plugin? No way. First of all, it’s not their code that broke. Second of all, it was my own fault for bypassing the API (that *I* wrote!) and not noticing sooner that changes occurred in those functions and data structures. Third of all, the changes they made were an improvement that currently benefit many developers.

Is it hard to keep up with the changes that happen in each new version of WordPress? YES! Is the answer that plugin/theme authors should try harder to keep up? YES! And no! I mean, yes, plugin authors *should* try to keep up. But on the other hand, the core team could make it easier.

With every new release, many new functions, classes, and other helpers are added to core. And occassionally, existing functions change or become deprecated. But (as far as I know), there’s no official quick-reference to those changes. You have to pore over tons and tons of changes in Trac, or look at the source, or keep a close eye on some of the xref tools. What would be great is if each release was accompanied by some developer notes detailing “new”, “changed”, “deprecated”, and “removed” status for functions and classes (and to key global variables).

This information should probably become available at “beta” (or maybe even “alpha”) testing stage, updated at RC stage, and cemented at release. And it should be documented well in the Codex, referenced on the wp-testers mailing list, and any place else that might make sense (it might even merit an announce-only mailing list of its own). I think this would go a long way towards helping the wide-spread WP development community stay up-to-date, and help avoid “plugin breakage” problems.

[1] *Technically* the breakage wasn’t really because I bypassed the API, but because they changed what kinds of values the API could return. My code always assumed that it would get a plain string. Change in the API meant that it could possibly return an array. But still, I should have been validating…
.-= Dougal Campbell´s last blog ..Most Useless iPhone 3.0 Feature =-.

That is good news, especially since I’m starting my word press blog soon
.-= Takuno Owoda´s last blog ..How to Earn Money Online Fast? =-.

While I love WordPress, I strongly against the updates that I am forced to make every now and then because of security reasons. Just yesterday, I upgraded WordPress.com Stats plugin. Obviously, it did not work the way it should be (no stats in the dashboard because of a missing code). Today, I received another update mentioning the reason (missing code). This is just an example. Remember that we already received 4 updates (all security related) for the version 2.8. Why can’t they concentrate on something so secure from ground-up?
.-= Pothi´s last blog ..Minimum Wage coming up in oDesk =-.