Followup on WordPress Security Issue

Time for some Q&A here…

Below are a few of the most oft-heard questions/statements about my previous panic-level-3 announcement regarding a serious security issue in WP and how to easily fix it temporarily (one checkbox to untick)… Along with answers:

“Is this a joke/hoax?”

Is the date the 1st of April?

“How critical is it?”

Critical enough.
Not all WordPress users are at risk, but I don’t suppose that would be of much comfort to you if you belonged to the 30% hackable installs.

“Will you tell me more about this exploit? I swear I won’t tell anybody else! This will stay between you, me and the World Wide Web…”

Frankly, if you do not understand why I won’t even be giving the slightest hint of what the exact problem is before enough people have applied the temporary fix (disabling ‘user can register’, under Options >> General) and an upgrade has been released, you are the last person I should be telling to about this.

“Are you a WordPress official? a WordPress developer? Anybody with a title I can trust?”

Absolutely not. In fact, less than ever.

“Why don’t you leave that up to the Big Guys Who Know What’s Best For You®™ and go back to getting smashed on gin somewhere under a Parisian bridge then?”

Take your pick:

Because over the past year of distant involvement in the WP community, I have come to question and, well, often outright disagree with the way the Big Guys Who Know What’s Best For You®™ handled similar problems in the past.

Because, all modesty set aside, I am not sure how their strategy for handling such problems (which I have seen in action in the past) has proven better at containing disaster than the one I adopted here.

Or perhaps simply because, as some Big Guys Who Know What’s Best For You®™ have implied in one helpful bit of Shoot-the-messenger communication, I am an attention-craving moron with nothing better to do with his time than scare his fellow WordPress users into <gasp> unchecking one single option in their admin screen.

“Why do you relish so much in fear-mongering, FUD and…
OMFG…
What is this?
Snakes!!!! There are motherfuckin’ SNAKES on WordPress!!!
Ahhhh! do something!!!”

Right.
Why in the world would anyone want to make their security announcements sound too important?
All apologies for that bit of hysteria. Let me go back and add a few soothing pastel tones and some muzak to the original post.
Let’s rephrase too:

Hello, there’s a teeny itty bitty problem with your WordPress install, feel free to do something about it, but don’t worry too much otherwise, it’s all good man.

There. Better?

Now, seriously, to those who have been equating my behaviour with shouting “bomb” in a crowded airport: get. a. fucking. grip.
This is the internet, not an airport. Computer mice stampede rarely kill anybody. And I’m sure even the most cheetos-infused computer nerd’s heart muscle can take the news without prematurely collapsing.

Making it sound serious is a) the only way to spread the news b) perfectly justified given the fact that, you know, this is pretty serious.

Truthfully, I don’t think there is much harm done in upping the amount of caution people display when using server software. Such exploits are common, and not solely a WP problem (all server applications have had similar issues at one point or another). Lack of awareness in the general public, if anything, is the danger. Sorry if that doesn’t really bode well with some people’s marketing pink-cloud vision of the world.

Just consider yourself lucky I didn’t use:

Snakes on WordPress
(directorial credit: Leftjustified)

“You mean you didn’t just write that thing in a fit of aimless panic to scare other people out?”

There again, despite what some well-meaning people seem to have charitably been hanging on my head, I have given a bit of thought to the problem before deciding the best course of action was to invite people to disable an option in their admin tools. And for those who really care, here is how I see things:

  • An exploit in WP was brought to my attention. It was neither the first one, nor probably the last one. Exploits are an unavoidable byproduct of major projects, they are not a fatality: you fix them and move on.
  • My very first reaction with this, was telling Geoff Eby, who discovered it, to contact WP devs and take it to them in private.
  • As would sometimes happen, it seems, the answer wasn’t really overwhelming, and it appeared some devs (suspicion confirmed ever since) even considered this to be of the “Not WordPress’, Somebody Else’s Problem” category. A position I reckon everybody has recanted ever since, but that threatened to be the official position then.
  • Now, I am sure a fix will eventually be released. It will be the fourth upgrade this year. And I bet you the whole “major security issue” thing would not exactly be put in large blinking letters on top of the official download site. Ya know, you don’t want people to panic and start thinking there may be a problem or anything.
  • I have absolutely no stats to confirm that, but I can also bet you there are still thousands of installs of WordPress that haven’t even installed the previous security upgrades. “Too bad for them”, I hear you say? Well, sure, it’s not very smart but you can’t blame them for eventually tiring of following announcements and refusing to sort out themselves between minor bug-fixing releases and major security-plugging ones (a difference that’s pretty much inexistent in all WP official channels).
  • As a result, I get word every day of one WP install or another that’s been hacked, usually using an exploit supposedly fixed months ago (just have a look at some of the comments in the previous post).
  • I would be amazed, alarmist tone notwithstanding, if more than 50% of WP installs throughout the world were upgraded to a safe version by the end of the Summer.
  • On the other hand, the second the patch is released, every malicious coder with two bits of brain will know exactly how to exploit older versions and will go to work.
  • The fix I invited everybody to apply (namely: uncheck the ‘allow user registration’ option in WP’s General Options panel) is both simple and does not reveal the exact nature of the exploit. Not only do I trust it to be more widely applied than a full-on upgrade by the less computer-proficient users, but it will ensure, by the time the upgrade is there and the exploit publicized, that much fewer vulnerable installs remain.
  • So, think of it as a two-step process where we can afford to raise awareness and offer a simple temporary fix without risking to help script kiddies too much, then release the usual half-ignored patch and not have to watch the entire WP world crumble as dozens of unprotected blogs get defaced by 12-year old pimply teenagers.

Or, you could just follow “protocol”, discuss the exploit at length in private developer mailing lists, safely out of sight from the general public (but well read by possibly every last malicious coder in the world) and release yet another semi-silent security upgrade while hoping good people hear about the news before the bad ones do…

But feel free to ignore this ranting of a madman: after all, perhaps I was just bored and figured this would be the best way to have some fun, without incurring serious cavity damage in an airport security room for mentioning snakes while boarding.

For anything else, feel free to contact your nearest WordPress Official for further word on what to do. I’ve done my bit.

Update: WordPress upgrade 2.0.4 should now patch this bug. If your version of WordPress is equal to or higher than 2.0.4, feel free to ignore the warning above. If not, then you should/MUST upgrade (more details in the comments).