[wp-hackers] Plugin update & security / privacy

Matt Mullenweg m at mullenweg.com
Sun Sep 23 23:29:09 GMT 2007


Moritz 'Morty' Strübe wrote:
> Yes, but not, as I pointed out several times before, in combination with
> the installed plugins and their versions.

What if someone knows your blog URL can they hack your blog?

No.

What if someone hacks ping-o-matic or weblogs.com and gets all the blog 
URLs in the world, can they hack your blog?

No.

What if someone simply subscribes to the list of updated blogs on 
weblogs.com, can they hack your blog?

No.

What if someone blindly checks for filenames in your wp-content/plugins 
directory to see what plugins you're using, can they hack your blog?

No.

What if someone hacks wordpress.org and gets a list of blog URLs and the 
plugins they use, can they hack your blog?

No.

What if wordpress.org also stored what version of a plugin you were 
using, which there are no plans to do, AND the hacker broke in and stole 
that, can they hack your blog?

No.

What if you're running an insecure version of a plugin or WordPress, can 
someone hack your blog?

Yes. And they can (and do) do it without any of the above.

Please reread that.

Will the update notification feature shipping tomorrow in WordPress 2.3 
mean fewer people are running insecure versions of WordPress and plugins?

Yes.

Just like there is premature optimization we could argue about for days, 
I think there is also premature paranoia. What's in trunk is what is 
shipping with WordPress tomorrow. I don't think your concerns are valid 
in the real world, and even if you assume a malicious wordpress.org the 
security and privacy of WordPress users will be no different tomorrow 
than it is today. It's optimized for a reasonable person, but with hooks 
and filters for those with niche concerns.

-- 
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://automattic.com | http://akismet.com