In Defence Of WordPress.
The internet is piling on WordPress again. I read a lot of hate directed at WordPress for the latest security vulnerabilities that have become public.
What I don't see is praise for how the fixes for those vulnerabilities are handled and distributed to its millions of users.
Cross-Site Scripting Vulnerabilities
In the last two weeks, the WordPress team has announced three security releases, all for cross-site scripting bugs:
- 21/04/2015: version 4.1.2 fixes a critical cross-site scripting vulnerability
- 27/04/2015: version 4.2.1 fixes a cross-site scripting vulnerability
- 07/05/2015: version 4.2.2 fixes a cross-site scripting vulnerability
Oh my, WordPress must pose a security risk, right?!
The Magical Release: WordPress 3.7
I was skeptical when they first announced it, but the automatic background updates introduced in the 3.7 release are amazing.
Automatic background updates were introduced in WordPress 3.7 in an effort to promote better security, and to streamline the update experience overall. By default, only minor releases – such as for maintenance and security purposes – and translation file updates are enabled on most sites. In special cases, plugins and themes may be updated.
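To make that default policy concrete, here is a must-use plugin that spells it out and shows the settings that weaken it. This is an added example, not code from the original post or from WordPress core; the filter and constant names are WordPress's own, while the file name and the decision to opt plugins and themes in are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Background update policy (added example, not part of WordPress core)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * The filter and constant names are WordPress core's own; the file name and the
 * choice to opt plugins and themes in are assumptions of this example.
 */

// The 3.7 default, restated explicitly: minor core releases (security and
// maintenance, e.g. 4.2.1 -> 4.2.2) install in the background ...
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// ... while major releases (4.1 -> 4.2) still wait for an admin. Also the default.
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Translation files update in the background by default as well.
add_filter( 'auto_update_translation', '__return_true' );

// Plugins and themes are NOT auto-updated by default. Opting them in is a
// choice this example makes; weigh it against a plugin update breaking the
// site with nobody watching.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// The weak setting, left commented out on purpose. Any one of these switches
// the whole mechanism off, so a minor security release would sit waiting for
// someone to click "Update now". The constants belong in wp-config.php, not here.
// add_filter( 'automatic_updater_disabled', '__return_true' );
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
// define( 'DISALLOW_FILE_MODS', true ); // also blocks every update, manual ones included
```

Two things silently switch background updates off even with this policy in place: core finds a .git, .svn, .hg or .bzr checkout in the install directory or one of its parents, or it cannot write files as the PHP user and would need FTP/SSH credentials to do so. After a security release, confirm on Dashboard > Updates that the site actually moved to the new version instead of assuming it did.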
If you read the comments on Twitter, security blogs and even major news sites, you would expect the internet to have crashed and burned by now, given all the WordPress security vulnerabilities.
But that magical feature saved the internet from a lot of problems. That feature, which most WordPress users take for granted, is the single best thing ever to happen to WordPress.
And to think I questioned it at launch. What happens when your auto-update breaks all sites? What happens if an update is pushed that introduces more vulnerabilities or backdoors? What if WordPress.org is ever compromised and attackers can influence that update? That last one is the real caveat: core checks the downloaded package against a checksum served by the same API, not against a signature, so the trust sits entirely in WordPress.org and the transport that delivers the package.
None of those scenarios has happened. At least, not yet. And WordPress' track record is solid.
Patching several million websites
WordPress is popular. It powers millions of sites, small and big. That puts it in a position where it is bound to attract unwanted attention. Once a critical WordPress vulnerability comes out, the update is pushed to those millions of sites within hours.