[wp-hackers] Plugin update & security / privacy
m at mullenweg.com
Sun Sep 23 23:29:09 GMT 2007
Moritz 'Morty' Strübe wrote:
> Yes, but not, as a pointed out several times before, in combination with
> the installed plugins and their versions.
What if someone knows your blog URL can they hack your blog?
What if someone hacks ping-o-matic or weblogs.com and gets all the blog
URLs in the world, can they hack your blog?
What if someone simply subscribes to the list of updated blogs on
weblogs.com, can they hack your blog?
What if someone blindly checks for filenames in your wp-content/plugins
directory to see what plugins you're using, can they hack your blog?
What if someone hacks wordpress.org and gets a list of blog URLs and the
plugins they use, can they hack your blog?
What if wordpress.org also stored what version of a plugin you were
using, which there are no plans to do, AND the hacker broke in and stole
that, can they hack your blog?
What if you're running an insecure version of a plugin or WordPress, can
someone hack your blog?
Yes. And they can (and do) do it without any of the above.
Please reread that.
Will the update notification feature shipping tomorrow in WordPress 2.3
mean fewer people are running insecure versions of WordPress and plugins?
Just like there is premature optimization we could argue about for days,
I think there is also premature paranoia. What's in trunk is what is
shipping with WordPress tomorrow. I don't think your concerns are valid
in the real world, and even if you assume a malicious wordpress.org the
security and privacy of WordPress users will be no different tomorrow
than it is today. It's optimized for a reasonable person, but with hooks
and filters for those with niche concerns.
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
More information about the wp-hackers