Tag Archives: security

WordPress security: the case for dependency management

Two things happened in the last week to spark this post; I gave the weekly “Show and Tell” at work on my favourite things about Drupal that I’d like WordPress to learn from (one of them should appear in 4.1, by the way), and yesterday a vulnerability was revealed in the still popular TimThumb library used by many WordPress themes and plugins.

Dependencies

One of my favourite things about Drupal is that it offers theme and module developers the ability to use dependencies. A few simple lines in the module.info file (Drupal’s sort-of readme.txt equivalent) can specify that the module depends on other modules and Drupal will recognise that, offering to install and/or enable those modules for you in order to meet those dependencies. E.g.;

dependencies[] = views
dependencies[] = rules
dependencies[] = features

That’s not all, though: Drupal also allows module developers to specify required libraries in a similar way. Those libraries are then installed in a ‘libraries’ directory alongside the modules directory.

Duplicated Effort

By contrast, WordPress plugin and theme developers often have to bundle those libraries into their plugin or theme. The result, when a security issue like yesterday’s TimThumb exploit is revealed, is that individual plugin and theme developers need to update their projects individually and push out an update, leaving users vulnerable until the developer gets round to it.

Instead, having a system like Drupal’s dependencies means that, once the library itself is updated, all installations could pull down that library update and secure their site without the plugin/theme developer having to lift a finger. Installs are secured quicker with minimal effort.

There are other benefits to a dependency system but I believe the security angle is by far the most compelling.

My suggestions above actually go a bit further than what Drupal offers at the moment, I believe, but a system that works as close to the plugin/theme system as possible would be beneficial.
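An added example (not from the original post, nor from WordPress or Drupal): an inventory check for the duplicated-library problem described above. It walks a wp-content directory and groups plugins and themes by the version of a bundled library they ship. The `define('VERSION', ...)` pattern, the plugin and theme names, and the version strings in the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Assumption: a bundled copy declares its version as define('VERSION', 'x.y.z').
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")

def find_bundled_copies(wp_content, filename="timthumb.php"):
    """Map each plugin/theme to the (path, version) of every copy it bundles."""
    copies = defaultdict(list)
    for kind in ("plugins", "themes"):
        for root, _dirs, files in os.walk(os.path.join(wp_content, kind)):
            for name in (n for n in files if n.lower() == filename):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    match = VERSION_RE.search(fh.read())
                rel = os.path.relpath(path, wp_content).replace(os.sep, "/")
                owner = "/".join(rel.split("/")[:2])  # e.g. "plugins/gallery"
                copies[owner].append((rel, match.group(1) if match else "unknown"))
    return dict(copies)

def owners_by_version(copies):
    """Group owners by bundled version: each owner is a separate update to wait for."""
    grouped = defaultdict(set)
    for owner, found in copies.items():
        for _rel, version in found:
            grouped[version].add(owner)
    return {version: sorted(owners) for version, owners in grouped.items()}

def build_sample_tree(root):
    """Constructed sample install: three projects bundling two versions of one library."""
    sample = {  # hypothetical plugin/theme names and version strings
        "plugins/gallery/lib/timthumb.php": "1.0.0",
        "plugins/slider/timthumb.php": "1.0.0",
        "themes/magazine/scripts/timthumb.php": "2.0.0",
        "themes/plain/style.css": None,
    }
    for rel, version in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"<?php define ('VERSION', '{version}');\n" if version else "/* css */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(owners_by_version(find_bundled_copies(tmp)))
```

Every owner listed in the output is a separate project whose maintainer has to ship a fix before that copy is patched; with a shared dependency there would be one copy to update.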

TimThumb, seriously?

Before you say it, yes, there is a better way to deal with TimThumb specifically. David Bisset put it best:

Thoughts?

Picture credit: The Colorful Library of an Interaction Designer by See-ming Lee

Vulnerability in WP Super Cache and W3 Total Cache – update now!

Hot on the heels of the big WordPress botnet attack comes news of a serious vulnerability in the two most popular caching plugins, WP Super Cache and W3 Total Cache.

By allowing anyone to inject malicious code into your WordPress site through the standard comments form, this security vulnerability is particularly nasty in its simplicity and ease of exploitation.

I’m glad that the security and maintenance measures I take as part of my WordPress maintenance package mean that both the botnet attack and this vulnerability weren’t a concern, but others might not be so lucky.

Make sure you secure your site now, and keep it up to date.

180 WordPress updates…

I’ve just finished my weekly check of client sites that are on my maintenance package and seeing as it’s almost the last check of the year, I thought I’d look at the stats…

I’ve made;

  • 96 backups, each including a WordPress content export, database dump and file backup
  • 11 core updates, including moving from 3.4 to 3.4.1 to 3.4.2 to 3.5
  • 149 plugin updates
  • 20 theme updates

Every single update I’ve done was first carried out on an exact duplicate site to make sure it wouldn’t break the site – very important for peace of mind.

What isn’t included are the many updates I’ve processed for other clients not on my maintenance plan, nor the several sites that I own and operate – there are a few core updates in addition at least.

I’ve only been doing this maintenance package for six months but I’m getting a steady stream of new clients who are enjoying the peace of mind of having multiple backups (I keep four weekly backups at all times) performed and stored for them plus any updates fully tested and pushed out without issue.

It’s actually a really satisfying start to my week, knowing I’m keeping WordPress sites safe, up-to-date and backed up.

If you have a WordPress site you might want to consider asking me to look after yours too – check out my WordPress maintenance service to see what’s included.

Merry Christmas!