Half Of All Existing WordPress Sites Vulnerable

Scary post title right? Well, I wish it was link bait, but it’s not. This is really serious.

Yesterday, it was announced that there was a critical security vulnerability with versions 3.0 to 3.9.2 of WordPress.

You can read more about what you should do on the Envato Market Blog, and full details of the vulnerability are given on Jouko Pynnonen’s website (Jouko discovered the issue).

In a nutshell, the vulnerability allows an attacker to inject JavaScript into a post just by leaving a comment (although the JavaScript has to be formatted in a certain way). That JavaScript code will then be executed on any subsequent page load containing that comment, both on the front end and in the comment moderation queue in the back end.

Here’s a video showing how easy it is to exploit the vulnerability:

In the video, I just redirected the page to Google’s home page. Any visitor trying to access that page is going to end up at Google. I could have done stuff that’s a whole lot worse than that, but that’s bad enough…

Now, this didn’t affect version 4.0 (although there were some other fixes for that). Websites using 3.9.*, 3.8.* and 3.7.* should have been updated automatically to a secure version by now (assuming automatic updates are turned on). However, versions 3.0 to 3.6.1 are unsupported, so there is no update for those versions.

Well that’s not so bad you’re thinking. Can’t be many people using those old versions.

Wrong. A series of tweets from Rarst led me to have a good look at the stats page on WordPress.org. This is what it shows:

[Image: chart showing the percentage of use for each version of WordPress]

Look at it. Now look at it again. Right… so more than half the WordPress sites out there are on 3.6 or older. More than half of all existing WordPress sites are vulnerable. That’s roughly 12% of the web. I said this was really serious.

This just goes to show how important the Automatic Update functionality is. I was originally a skeptic, but I now consider it one of the most important features ever added to WordPress. Thanks to the devs who did the hard work to implement it (looking at you Dion)!

Unfortunately, there are still a bucket load of sites out there just waiting to be exploited. We can’t have more than half of all WordPress sites just sitting out there as timebombs. I don’t think this is one we can let pass quietly. We need to spread the word and get people to update their old sites. Everyone should be on 4.0.1.

If you have any old sites out there, make sure they are updated! If you have clients or friends who might have old sites, get them to update!

Does anyone out there have any contacts at Google? They send out emails to Webmaster Tools users telling them to update WordPress. Perhaps they could send a special email given how serious and how widespread this is.

Does anyone have any other ideas?

The Solution To The Lack Of WordPress Beta Testing

While catching up on some old podcasts, specifically Episode 82 of WordPress Weekly, I came across a discussion about WordPress beta testing. The discussion centers around the problem of bugs not being caught during beta testing because there just aren’t enough beta testers.

To me, the solution seems straightforward – but that may be because I worked in the software industry for 10 years and have experience in software release management, so I’ll take the long path and set the scene properly.

Continue reading

WPVote Needs To Improve Published News Section

For those of you who don’t know, there’s a new social news site for WordPress, called WPVote. I’ve been using the site for a couple of days and while the concept is great, the quality of entries is poor at this early stage. Continue reading

WordPress Permalink Customisation – Caution For Beginners

Editorial Note, 12 August 2011

So, some things have changed since 2007 – I now use the very same permalink structure I warn against below. There are a few reasons for this:

  1. WordPress now deals with permalink structure changes much better these days and will automatically 301 redirect the old URLs for you (in most cases).
  2. Even if WordPress didn’t do it automatically, I’m now comfortable setting up 301 redirect via .htaccess (which is what I do, because I don’t quite trust leaving it to WordPress).
  3. Having the category in the permalink does provide SEO benefits – I don’t care so much about getting the keywords in the URL (you can get that through postname), but I do like the benefits for the site structure (pseudo folders creating a silo structure).

There are still some problems with the /%category%/%postname%/ permalink structure: if you have a lot of pages (more than 50ish), this permalink structure can really slow down your site. Having said that, even this problem is likely to disappear, as it looks like they’ll change the way this works in WordPress 3.3.

This is only my second post since launching www.scratch99.com and I’ve already changed the Permalink structure! In this article, I examine why my original structure:


doesn’t work for me. Continue reading

Is It Okay For Plugins To Promote Themselves?

The upcoming release of the DualFeeds plugin for WordPress includes an optional feature which promotes the plugin by displaying ‘Powered By DualFeeds’. I want to know what you think about this – is it okay for plugins to promote themselves? Continue reading

Where Have All The WordPress Plugin Lists Gone?

When I recently finished the LocalCurrency plugin, I tried adding it to the various WordPress plugin lists that exist and found that several are gone!

I’m not talking about individual lists on people’s blogs listing which WordPress plugins they use. There are many of these! I’m talking about complete lists or repositories of all WordPress plugins in existence (or as close as possible).

In this post I look at several WordPress plugin lists which have been removed, are down, or don’t seem to have anyone running them. Continue reading

NOT All My Loving – CommentLuv Deactivated

This post was supposed to be titled All My Loving and announce the adoption of the CommentLuv plugin. In combination with my very own KeywordLuv plugin, I would have indeed been giving you all my loving. Unfortunately, I had a problem with CommentLuv and have deactivated it. For now…

Continue reading

Subscribe To Comments: Checked By Default Removed

Lesson to be learned: When you are sitting on semi exclusive news, POST IT! I originally wrote this on 29th March, but ran out of time to post it because of our move from China. Since then, Mark Jaquith himself has written about this, and others such as the Weblog Tools Collection have picked the story up. I decided I’d go ahead and post this, because my point about it being removed without warning still stands.

Continue reading

WordPress Taking Out The What?

After listening to recent episodes of the WordPress Weekly podcast (episodes 67 and 68), I was surprised to learn that in future versions of WordPress, the Delete link will be replaced with Trash. Continue reading

Thoughts On The New WordPress Podcast – daWPshow

In case you missed it, there’s a new WordPress podcast in town: daWPshow. Fantastic! I think it’s great that people are willing to put their time into creating content about WordPress! Now, with that out of the way, I’m going to lay down some tough love for the show.

Continue reading