The popular blogging platform WordPress, and its multi-user counterpart WordPress MU, continue to be common entry points for badware. In a typical scenario, a security vulnerability is discovered and patched, but many website owners running WordPress do not install the updated version of the WP software, leaving their sites open to the exploits that inevitably follow. Two examples have come up in the past week over on BadwareBusters.org. WordPress plug-ins are sometimes vulnerable, as well.
A new vulnerability was announced this week by Corelabs. Reportedly, WordPress 2.8.1 and WordPress MU 2.8.1 are safe, while prior versions are at risk.
What can the community do, collectively, to help with this ongoing pattern?
Site owners can keep up with updates through the WordPress blog or through WordPress’s admin interface, and install the updates as quickly as possible. Similarly, the admin interface shows updates for plug-ins, which should also be installed quickly when the updates are security related.
WordPress and plug-in developers can ensure that security is a high priority in developing code and can make the upgrade process as seamless as possible for site owners. Providing a dedicated subscription e-mail list exclusively for notifying users of new security updates would also be helpful.
Web hosting companies that offer simple installation of WordPress can notify their customers when a new version is available and encourage them to update, ideally through a process as simple as the initial installation. Even hosting companies that do not offer installation may consider scanning their systems for outdated WordPress installs and notifying their customers of the need to update.
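The scan suggested above is straightforward to automate. The following is an added example written for this post, not StopBadware's or WordPress's own tooling. It relies on one fact about WordPress: every install ships wp-includes/version.php, which sets `$wp_version = '<version>';`. The scanner walks a directory tree, finds those files, and reports any install whose version is older than a threshold (2.8.1, following the advisory discussed above). The customer directory layout and the version.php files it creates under a temporary directory are constructed for the example; a host would point `outdated_installs()` at its real web roots instead.

```python
"""Find WordPress installs under a directory tree and flag the outdated ones.

Added example (not StopBadware's or WordPress's code). Relies on the fact
that each WordPress install has wp-includes/version.php containing a line
such as  $wp_version = '2.8.1';  The sample tree is constructed here so
the script runs offline.
"""
import os
import re
import tempfile

# Matches the $wp_version assignment in wp-includes/version.php.
# Requires quotes, so "$wp_db_version = 11548;" is not matched.
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_version(text):
    """Return the WordPress version string from version.php text, or None."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def version_key(ver):
    """Convert '2.8.1' or '2.8.1-beta1' into a tuple that compares correctly.

    Numeric components compare numerically (so 2.10 > 2.9), '2.8' equals
    '2.8.0', and a pre-release tag sorts below the final release of the
    same number.
    """
    base, _, pre = ver.partition("-")
    parts = tuple(int(p) for p in base.split(".") if p.isdigit())
    parts = parts + (0,) * (3 - len(parts))          # pad to major.minor.patch
    return parts + ((0, pre) if pre else (1, ""))


def find_installs(root):
    """Yield (install_dir, version) for every WordPress install under root."""
    for dirpath, dirnames, _ in os.walk(root):
        if "wp-includes" not in dirnames:
            continue
        vfile = os.path.join(dirpath, "wp-includes", "version.php")
        if not os.path.isfile(vfile):
            continue
        with open(vfile, encoding="utf-8", errors="replace") as f:
            ver = parse_version(f.read())
        if ver:
            yield dirpath, ver


def outdated_installs(root, minimum):
    """Return a sorted list of (install_dir, version) older than `minimum`."""
    min_key = version_key(minimum)
    return sorted((d, v) for d, v in find_installs(root)
                  if version_key(v) < min_key)


def _write_version_php(install_dir, version):
    """Create a minimal wp-includes/version.php for the constructed sample."""
    inc = os.path.join(install_dir, "wp-includes")
    os.makedirs(inc)
    with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as f:
        f.write("<?php\n/**\n * The WordPress version string\n */\n")
        f.write("$wp_version = '%s';\n$wp_db_version = 11548;\n" % version)


def build_sample_tree():
    """Construct a hosting-style directory tree with three WordPress installs.

    Hypothetical customer names; the layout is an assumption for the example.
    Returns the root of the tree.
    """
    root = tempfile.mkdtemp(prefix="wpscan-")
    _write_version_php(os.path.join(root, "alice", "public_html"), "2.8.1")
    _write_version_php(os.path.join(root, "bob", "public_html", "blog"), "2.7.1")
    _write_version_php(os.path.join(root, "carol", "public_html"), "2.8")
    # A customer with no WordPress at all; must not be reported.
    os.makedirs(os.path.join(root, "dave", "public_html"))
    with open(os.path.join(root, "dave", "public_html", "version.php"), "w") as f:
        f.write("<?php echo 'not wordpress';\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for install, ver in outdated_installs(sample_root, "2.8.1"):
        print("OUTDATED %-8s %s" % (ver, os.path.relpath(install, sample_root)))
```

Run against the constructed tree, the script reports bob's 2.7.1 install and carol's 2.8 install and stays silent about alice (current) and dave (no WordPress). The version comparison is the part worth getting right: a plain string comparison would rank "2.10" below "2.9", and the tuple conversion above avoids that. The threshold is a single argument, so the same scan can be re-run with the new minimum each time a security release lands.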
With a combined effort, we should be able to help WordPress to remain a popular blogging system while making it a less popular malware distribution system.