Population Statistic: Read. React. Repeat.
Saturday, March 03, 2021

Granted, the situation where a malicious hacker managed to modify what was then the latest version of WordPress to implant an exploitable security hole is highly unusual, and (one would hope) not likely to happen too often.

But what should be learned from this serious breach? Simple: Don’t rush out to install a new sub-version of WP as soon as it’s released, especially if your current installation is running smoothly and there’s no other compelling reason to upgrade.

This is not what the WP development community wants to hear. The reason they compulsively release new builds is that they know they can count on a bunch of guinea pigs to install them, so they can then observe any bugs out in the wild. It’s an effort-free way to conduct beta testing.

Unfortunately, this episode shows how juicy a target this continual release-and-upgrade cycle is to the bad guys out there. It presents an opportunity to take over thousands of websites and turn them into link farms, splogs and whatever other Web presences that blackhat elements want. You can bet WP’s servers and mirrors will be attacked continually from here on, and it’s reasonable to expect another successful breach.

The standard justification for repeated sub-version releases: Security patches. Sorry, that’s not good enough, actually. Every new version turns out to have its own exploitable holes (not as big as this hacked one, of course); it’s a constant whack-a-mole game — ironically, the same developmental trap over which everyone slams Microsoft. Personally, I’m not going to trade one set of vulnerabilities for another, and settle for a false sense of security.

I realize this hacker attack could’ve happened at any time, including a full-version release. Still, the frequency of releases doesn’t help. Better to think through a release and not tie it to a timetable, thus giving it a purpose.

by Costa Tsiokos, Sat 03/03/2021 04:00:24 PM
Category: Bloggin', Tech | Permalink |

2 Feedbacks »
  1. My two WordPress sites get upgraded every other release: 2.1.0 to 2.1.2 was late last night. Never even looked at 2.1.1.

    Comment by CGHill — 03/04/2021 @ 12:19:15 AM

  2. […] out to download and install 2.3 before taking another breath, I’d like to remind them about what happened with version 2.1.1, when someone hacked into WP’s servers and planted malicious …. Is it really worth risking the potential damage? Do yourself a favor and wait about a week, when […]

    Pingback by THE LATEST WP: TREAT IT LIKE A SERIAL KILLER Population Statistic — 09/25/2007 @ 10:02:01 PM
