Ben Laurie blathering

Why I Won’t Be Upgrading Any Time Soon

So, WordPress 2 is out. And there’s a 3-day-old security advisory that isn’t even mentioned on the WordPress website.

Enough said.

Is there blogging software out there that does care about security?

  1. I can’t find the wp-stats.php file described in the advisory in my test WP2 install, nor an older test WP1 install…

    Comment by Jon Dowland — 18 Jan 2006 @ 12:07

  2. It appears that wp-stats.php is, in fact, a plug-in. Nevertheless, I would expect WP to have figured that out and made it clear.

    Comment by Ben — 18 Jan 2006 @ 14:13

  3. I use Typo[1]. I run it via FastCGI, and with that, you can run it with suexec (if you trust that). At a minimum, it keeps an exploit from propagating very far 🙂

    I haven’t found a good one that actually has a perfect security record. I think that the intersection of people who care about security, and know what they are doing, and write blog software is very very small.

    Comment by Paul Querna — 18 Jan 2006 @ 19:10

  4. Ben,
    As has been pointed out to you, the exploit is in a 3rd party plugin called wp-stats which has nothing to do with WordPress blogging software at all.

    I don’t expect it is a particularly popular plugin either, it is fairly special purpose and has its roots in the old b2 predecessor to WordPress.

    I wouldn’t expect the WordPress site to mention it. It would be unreasonable to expect the WordPress dev team to try to track over 500 plugins in the wild (or the 500 themes either).

    It’s also worth pointing out that the author of the plugin fixed his code within 24 hours of the exploit coming to light.

    There are other reasons to refrain from upgrading to WP 2.0, but an exploit in an unrelated 3rd party plugin, fixed promptly by that third party, is not one of them.

    Comment by Mike Little — 19 Jan 2006 @ 13:05

  5. I would agree that this isn’t WordPress’ problem, except that the report says the bug is in WordPress, not a plugin.

    So, as a user of WordPress, I had no easy way to discover that I needn’t worry about it, as evidenced by my post about it.

    It seems to me that WordPress should either get the advisory fixed or explain somewhere what the situation is.

    Comment by Ben — 19 Jan 2006 @ 14:52

  6. The Secunia advisory is correctly updated:

    I’ve contacted the osvdb people. I’m surprised you didn’t even look to see if you had that file in your installation before damning the whole WP project.

    Comment by Matt — 24 Jan 2006 @ 22:23

  7. I did check, but since the file was allegedly in WP 2, and I was running 1.5, its absence wasn’t a huge surprise.

    Comment by Ben — 27 Jan 2006 @ 10:50
