This week at Black Hat conference in Las Vegas, security company Qualys presented and released BlindElephant, a utility that scans web sites for insecure web applications. Their research identified that 70 percent of sites running Drupal are affected by critical vulnerabilities, and that the statistics only get worse for Joomla (92%), MediaWiki (95%), phpBB (100%). 1
I received a press release about BlindElephant earlier this week. At the time, I didn’t think much of it. It surely would have gotten my attention, however, had it included their WordPress statistic — 4 percent. (What did catch my attention was this IDG article.)
The application, the source for which Qualys released, isn’t about identifying critical vulnerabilities; it’s about identifying the versions of software that websites run. They made their own determinations as to which versions had “critical vulnerabilities.” 2 Check out their slides and white paper, both packed with great information and statistics.
For WordPress, they cited version 2.5.1 as the earliest release outside the critical barrier, which fixed an important security flaw in our secret key implementation.
In case you didn’t already know, 2.5.1 is not secure. We’ve made countless incremental improvements to the security of WordPress in the four major versions and many maintenance and security releases over the last two years.
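As an added illustration (not from the post, and not BlindElephant’s own code), the same version-to-bucket mapping applied to a local install: read `$wp_version` from `wp-includes/version.php` and compare it numerically against the two releases the post names. The sample file contents are constructed; the thresholds and bucket names are assumptions based on the post.

```python
import re

# Thresholds taken from the post: Qualys treated 2.5.1 as the earliest WordPress
# release outside the "critical" barrier, and 3.0.1 was current at the time.
CRITICAL_BARRIER = "2.5.1"
CURRENT_RELEASE = "3.0.1"

# Constructed sample of the assignment WordPress ships in wp-includes/version.php.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.9.2';\n"


def parse_version(text):
    """Extract the $wp_version string from the contents of version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_key(version):
    """Turn '2.9.2' into (2, 9, 2) so that 2.10 sorts after 2.9.
    A plain string comparison gets this wrong ('2.10' < '2.9').
    Any pre-release suffix after a hyphen (e.g. '-beta1') is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def classify(version):
    """Map an installed version onto the buckets the post describes."""
    key = version_key(version)
    if key < version_key(CRITICAL_BARRIER):
        return "critical"   # below the fix for the secret key flaw
    if key < version_key(CURRENT_RELEASE):
        return "outdated"   # past the barrier, but not on 3.0.1
    return "current"


def audit(version_php_text):
    """Return (version, bucket) for one install's version.php contents."""
    version = parse_version(version_php_text)
    return version, classify(version)


if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_PHP))
```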
Alas, WordPress has a security perception issue. It’s widely used and widely targeted. Plugins have extended it every which way. Of course, “My WordPress was hacked!!!!111” doesn’t mean that WP is the attack vector. It very rarely is.
But at the same time, WordPress is easy to use and easy to upgrade. Among major open source web applications, it quite possibly leads in both categories, and its developers and contributors have worked hard to make it that way.
That brings me back to BlindElephant. Their white paper says they checked more than 25,000 WordPress installs and found the vast majority of them to be running WordPress 2.9 or higher. Qualys cited the “application’s easy, reliable updating design” as why we have such a clear advantage. I’m down with that.
WordPress 3.0.1 and beyond
This post’s title comes from the 3.0.1 haiku. If you’re not running 3.0.1, please update. It’s easy, almost always painless, and will provide you (and me) peace of mind. But we do have goals to make it even easier. With that, I leave you with one such proposal, from Daryl Koopersmith (@darylkoop) and me: If you fall behind on your updates, we’re thinking a modal dialog box with a twist. What do you think? 3
Notes:
- The Drupal number may be slightly high, as this comment points out, as Drupal 5.22 may have been incorrectly classified as critical. (Their slides were not kind to Drupal, so I am unsure of the intention.)
- WordPress and Drupal in particular received additional attention from the researchers, as a few dozen popular plugins and modules were also inspected.
- Please know we’re not being serious. We do have plans, but this isn’t it. Well, probably.

I’d like to see a future release of WP come with an auto-update option (that is activated by default). A new release comes out, WP automatically updates itself. The only downside is if an update breaks something but that’s why backups are mandatory!
I’m strongly against that. How is the average user supposed to back up their blog before upgrading if it upgrades itself? There are much better ways (overlays, e-mailing the blog’s author, etc.). Plus it’s not that unusual for a poorly coded plugin/theme to break after an upgrade.
My blog updates every hour and backups nightly, but I’m not the average user.
Hmm, your “Skip” button seems to be broken, Andrew. It doesn’t do anything when I click on it.
You sure about that?
Generally, things that probe my server trying to id my software get blocked. Then again, the WP version is fairly prominent, so it’s not a big deal.
I actually endorse WordPress to start deactivating functionality after it is a certain number of days old or the version is significantly out-of-date. http://www.planetmike.com/goto/874
Did WP 2.5.1 look like that, I think those were the days?
Had a little chuckle when I noticed what the “Skip” button was doing (it is however broken like Alex said, I clicked on it a number of times, but it was on the run for a while!)
After updating to WP3.0.1 my site doesn’t work properly
The plugin wp-simpleviewer is not compatible.
I’m a WP newbie and do not know how to fix this
I’ve shut down all plugins and one by one activated them.
It seems like wp-simpleviewer and W3 Total Cache can’t coexist in WP3.0.1
W3 Total Cache is the cause wp-simpleviewer doesn’t work properly
“Piece of mind” is spelled with an “a”. Did they say anything about XMB? Seems like phpBB’s 100% failure rate shouldn’t be too hard to beat. And how does bbpress stack up?
Cheers
Thanks, I thought I had fixed that typo. They didn’t mention XMB, but I’m certainly hoping it beats phpBB. bbPress was not looked at. They did however look at 25 WordPress plugins, including BuddyPress. Here’s the list:
p.s. Where is the comments feed for this post? /theme fail
That’s a Twenty Ten thing. Removed in r14384 it seems. Most browsers auto-detect RSS feeds, though yeah, I’d admit that I would be doing the same search on the page for the link.
I don’t get it. Is that a bug, or is wordpress 3.0 intended to discourage comment feeding?
I can’t speculate. It should probably be returned. I believe it was part of an effort to remove references to the trackback link, which really just took up space.
I’ll inquire as to its disappearance.
I think it’s silly to include links to RSS feeds these days. All modern browsers automatically display the link to the RSS feeds in your address bar.
Chrome doesn’t do this out of the box (yet). It’s my preferred browser (same for miqrogroove), and at this point I only use Firefox for development.
Emphasis added.
You know you’re in trouble if Internet Explorer does something your browser can’t.
Now now… There’s an official (by Google) Chrome extension that’s as good as the Firefox implementation.
I prefer browsers that aren’t weighed down by memory leaks and design by committee
Pfft, so what if my copy of Firefox is currently using 997MB of RAM?
(Been open for days with hundreds and hundreds of tabs and lots of extensions. Not a big deal though as I’m only using 54% of my RAM.)
Just out of curiosity, what would happen if I subscribed Google Reader to the post URL instead of the feed URL?
It subscribes to the first feed it finds, i.e. the blog post feed.
That makes me wonder whether the first feed for posts should be the comments feed. Should they be listed in reverse specificity?
Tough call. It’d be good for discovery, but bad for UI.
Yeeeup, it gives me the blog feed. Auto discovery and content negotiation fall flat on their face, and there’s no way to find the feed without guessing or looking at the HTML headers.
Check out this extension. Works like a charm, and is similar to the functionality baked into most other browsers.
Pingback: My DC PHP presentation | Andrew Nacin