WordPress flaw

So a new WordPress release is out with the usual spin:

Since 2.2 was released a month ago, the WordPress community has been improving fit-and-finish by identifying and fixing those little bugs that can be so annoying and by fine-tuning some small details. The result is a nicely polished 2.2.1 release.

But wait, there’s more! A little further down we see:

Unfortunately, 2.2.1 is not just a bug fix release. Some security issues came to light during 2.2.1 development, making 2.2.1 a required upgrade.

This is not the first security disgrace for WordPress and it’s exactly this kind of flaw which makes it impossible to recommend WordPress as a public-facing web application. In fact, it’s not just that I can’t recommend installing it; it’s that it would be irresponsible to do anything but recommend that people uninstall it.

An exploit for one of the flaws was published on 6 June. The exploit demonstrates how any user with an account can get the login names, password hashes, and authentication cookies for every user in the database. The exploit describes the flaw as "bastante tonto por cierto" ("pretty dumb, that’s for sure").

The flaw was publicly disclosed on 6 June. It turns out that the security researcher in question privately notified the WordPress developers beforehand, and a patch was checked into the trunk on 28 May.

Comments on the corresponding ticket show that by 8 June the WordPress team knew that the flaw and its exploit were "Now widely published". Yet they waited until 21 June to prepare a new release.

This flaw should never have crept into the code base; it's an elementary SQL injection bug. And once in the code base, it should have been caught by review. But it didn't get caught, and the WordPress team sat on the fix for nearly a month before advising people to upgrade; for just over two of those weeks an exploit was widely disseminated.
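As an added illustration of the class of bug described above (this is not WordPress's code; the post does not identify the vulnerable file or parameter, and nothing here is taken from it), the following constructed example shows the two shapes a reviewer should have been looking for: a query that splices a caller-supplied value straight into SQL, so that any authenticated user can widen the WHERE clause and walk away with every login name and password hash, and the same query with a bound parameter. The table, the sample rows, the column names and the payload are all made up for the demonstration.

```python
import sqlite3

# Constructed sample data: a toy users table with a login name and a
# password hash per row. Not WordPress's schema; the hashes are arbitrary.
SAMPLE_USERS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "alice", "e99a18c428cb38d5f260853678922e03"),
    (3, "bob",   "d8578edf8458ce06fbc5bb76a58c5ca4"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "user_login TEXT, user_pass TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, login):
    """The 'before' form: the caller's value is spliced into the SQL text.

    Returns the (user_login, user_pass) rows the resulting statement
    produced; a crafted value changes the statement, not just the data.
    """
    sql = "SELECT user_login, user_pass FROM users WHERE user_login = '%s'" % login
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, login):
    """The 'after' form: the same query with a bound parameter.

    The driver hands the value to the engine separately from the statement,
    so it can never alter the WHERE clause, whatever characters it contains.
    """
    sql = "SELECT user_login, user_pass FROM users WHERE user_login = ?"
    return conn.execute(sql, (login,)).fetchall()


# Hypothetical value an attacker who holds any account could submit where a
# login name is expected: it closes the string literal and appends a
# tautology, so the vulnerable query matches every row in the table.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("honest lookup:   ", lookup_vulnerable(conn, "alice"))
    print("injected lookup: ", lookup_vulnerable(conn, PAYLOAD))
    print("hardened lookup: ", lookup_hardened(conn, PAYLOAD))
```

The honest lookup returns one row either way; the injected value returns all three login/hash pairs from the vulnerable function and nothing from the hardened one. The fix is not escaping on a case-by-case basis but never building SQL by string formatting in the first place, which is the kind of rule a code review can enforce mechanically.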

Even though the new release is now out, many won't upgrade and there will be countless script kiddies using Google to find vulnerable installs. A friend of mine got bitten by this recently when someone walked in and took over his install using an exploit for a long-since-patched hole; he simply didn't realize that you had to upgrade WordPress regularly or risk getting owned. He didn't realize that when you install a public-facing web application it's like choosing a lock for your house; it's a good idea to choose carefully.

All of this leads to one simple conclusion: if you want to install WordPress on a public-facing web server, don't. And if you insist on installing it, then you need to watch the Trac like a hawk and be ready to patch faulty files as soon as flaws are discovered, because the WordPress team simply doesn't take security seriously. Even then you won't be safe, because there will always be undiscovered flaws and you never know when someone might come knocking. I am not the only one who thinks this.

If you do want to install weblog software, I recommend Movable Type. It is possible to set up a very secure install if you don’t need things like comments (see "Movable Type security notes"). If you do, well, you should probably just use Blogger.