This is archived content. If you want something more fresh, check out the new carpeaqua.

Updating WordPress Via Subversion

Thursday, June 21, 2007

Wincent Colaiuta made an excellent post today regarding the security of the WordPress platform.

This flaw should never have crept into the code base; it’s an elementary SQL injection attack. And once in the code base, it should have been caught by review. But it didn’t get caught, and the WordPress team sat on the fix for nearly a month before advising people to upgrade; during just over two of those weeks an exploit was widely disseminated.

This is not the first security disgrace for WordPress and it’s exactly this kind of flaw which makes it impossible to recommend WordPress as a public-facing web application. In fact, it’s not just that I can’t recommend installing it; it’s that it would be irresponsible to do anything but recommend that people uninstall it.

Strong words, but he does raise excellent points about the security issues that seem to have crept into WordPress of late. It’s my hope that the WordPress camp will address these issues by outlining some new policies they plan to adopt going forward.

Even if updating for a security release is a pain, the pain can be alleviated by checking out your copy of WordPress from their Subversion server. If you run several WordPress-powered sites like I do, it makes updating so much easier — scriptable even.

Just a thought.
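
One way to script the update across several sites, as an added example rather than the author's own script. The repository URL in `WP_SVN_BASE`, the function names and the `DRY_RUN` switch are assumptions of this sketch; the release tag is passed as an argument.

```shell
#!/bin/sh
# Added example, not the author's script. Usage: wp-svn-update.sh <tag> <site-dir>...
# Assumes each site dir is an svn working copy of a WordPress release tag and that
# WP_SVN_BASE is the tags directory of the WordPress core repository.
WP_SVN_BASE="${WP_SVN_BASE:-https://core.svn.wordpress.org/tags}"

# Accept only dotted numeric tags so the argument cannot carry options or path parts.
valid_tag() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the svn command that moves one working copy to the given tag.
plan_site() {
    valid_tag "$1" || { echo "bad tag: $1" >&2; return 2; }
    [ -d "$2/.svn" ] || { echo "not a working copy: $2" >&2; return 3; }
    printf 'svn switch --non-interactive %s/%s %s\n' "$WP_SVN_BASE" "$1" "$2"
}

# Update every site, continue past failures, return the number of sites not updated.
update_sites() {
    tag=$1; shift
    failed=0
    for dir in "$@"; do
        cmd=$(plan_site "$tag" "$dir") || { failed=$((failed + 1)); continue; }
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"; continue
        fi
        # Modified core files mean local hacks or tampering: stop and inspect first.
        if [ -n "$(svn status -q "$dir")" ]; then
            echo "local changes, skipped: $dir" >&2
            failed=$((failed + 1)); continue
        fi
        svn switch --non-interactive "$WP_SVN_BASE/$tag" "$dir" || failed=$((failed + 1))
    done
    return "$failed"
}

if [ "$#" -ge 2 ]; then
    update_sites "$@"
fi
```

Run it once with `DRY_RUN=1` to see which working copies would be switched; a non-zero exit status is the number of sites that still need attention.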
