[wp-hackers] Plugin update & security / privacy
m at mullenweg.com
Sun Sep 23 19:35:26 GMT 2007
Moritz 'Morty' Strübe wrote:
> I know this will not change until Monday, but is it really necessary to
> transmit the URL?
Your blog URL and version has been sent by default for 4+ years to every
ping service in the world, including Ping-O-Matic, every time you make a
post. Of course you can turn that off, just like you can turn update
notification off, but statistically no one does.
The only new information being sent by the update checker is PHP version
and a list of plugins. If you don't like that feature, please install a
plugin to disable it:
Of course don't forget the WP dev blog and planet RSS feeds, and most
importantly the incoming links feed which ALSO transmits your blog URL.
I would also recommend disabling the updates in Mac OS X, Firefox,
Windows, Thunderbird, Adobe Photoshop, and any other third-party
applications you have. As all of those are tied to your personal IP and
not your server IP they have far more implications for privacy.
> If that database
> gets public and you find a security bug in one of the plugins - there
> are enough - you can start a _very_ effective attack!
Such an attack would not be more effective, it would just be more
efficient. Historically, however, scripts that attack against WordPress
don't bother checking the version or if a plugin is there or not, they
just seek out every WP blog and check the specific capability or
Nevertheless, we're beefing up the infrastructure and security of
WordPress.org, which Barry is working on right this instant. In 2 years
of running WordPress.com and Akismet, two extraordinarily
high-visibility targets, there has never been a problem on a server
Barry set up. The only problems we've had (once on WP.org, once on
PhotoMatt) have been things I set up, and I'm not setting up these new
I think this feature is actually going to dramatically improve the
security of WordPress overall. We all saw the survey that 95% of WP
blogs were vulnerable. That didn't even look a plugins. I think the
survey was flawed, but you still can't deny that for most people knowing
there is an update and actually updating just doesn't happen, and this
is a necessary first step. If the only "trade-off" is sending an ALREADY
PUBLIC blog URL to wordpress.org, then great!
I would like to remind the participants of this thread that WP.org !=
Automattic, so to be fair to the members of both please distinguish
which you're referring to.
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com
More information about the wp-hackers