To my chagrin, my blog is telling me that it’s time to upgrade again.

A new version of WordPress is available! Please update now.

It’s an urgent security release because if you allow registration on your WordPress blog, users can edit other users’ drafts. WordPress development also mentions the vulnerability in the WP-Forum plugin that I mentioned recently. This is the first time that I’ve seen WordPress themselves mention a plugin security problem. It must be really serious.

Can we discuss WordPress’ security for a sec?

I know that WP fans say that the reason there are so many security breaches is because WordPress is so popular and widespread, more people try to hack it.

WordPress detractors say that there is no excuse: WP gets hacked too much, has too much spam, and too many security problems.

So which is it? Let’s take a look at what a pretty objective group of people have to say about WordPress security: is a great blog that reports on social networking and web blog security. A large percentage of their posts are dedicated to WordPress issues. This could be because WordPress is so popular so they’ve decided to dedicate most of their energies to covering it, or it could be because WordPress has more security issues to report about.

It seems to be the latter, and addressed the general issue of WordPress security recently:

We have seen alot of critical vulnerabilities being discovered in WordPress core and its plugins of late, who’s to blame?…

One of the major problems I see with WordPress is that it provides little (if any) protection against input validation attacks. So where does the problem lie?

One of the main problem lies in the way WordPress sanitises user input….

If WordPress is going to get serious about security, we need to come up with hardcore secure functions, that the WordPress core, and its plugin developers can use. These functions should take the security considerations out of the plugin developers hands and secured from within the WordPress core!…

This is one area, where I think blogging platforms like Drupal do a far better job! (my bold)

So is WordPress insecure by design? The answer seems to be yes!

Ramifications? I don’t know. I’m not jumping ship any time soon because no other blogging or CMS platform offers what WP does: flexibility, ease of use, extensibility, and great community support.

I’m no software developer, but I would say that it’s probably in Automattic’s interest to concentrate all their efforts in tightening up security issues now, and only once that’s done to add any new features they planned on implementing in the next release.


Here are some other plugin vulnerabilities that were recently discovered, in case you missed them:

WordPress WassUp Plugin “to_date” SQL Injection Vulnerability

WordPress AdServe Plugin “id” SQL Injection

WordPress WP-Footnotes Plugin “admin_panel.php” Cross-Site Scripting

dmsguestbook, st_newsletter, Wordspew, wp-footnotes vulnerabilities

wp-calc & wp adserv plugin vulnerabilities