WordPress 3.7 Adds Automatic Updates: A Great Idea, But …
WordPress has just released version 3.7 of its blogging platform, and many folks will be pleased and relieved that the project has added automatic updates to the software. I was certainly happy about it, but …
On the same day, a major technology site, php.net, found that its site had been compromised and was installing malware on visitors’ computers.
I’m responsible for maintaining four WordPress blogs (none are mission-critical, and new posts are quite rare on each). Over the past few months, I’ve been mildly annoyed at the release of multiple “security releases” for WordPress, each closing a newly disclosed vulnerability. At work, I constantly deal with the consequences of security breaches that exploit known vulnerabilities in outdated installations of WordPress on our customers’ servers or hosting accounts. So the idea of “automatic updates” sounds really, really wonderful, but …
What would happen if some clever hacker found a way to introduce a vulnerability into the open-source WordPress code, which would be automatically updated across millions of blog sites, potentially placing all those sites under the hacker’s control?
Surely that’s a very low risk, compared to the risk that a blog site could be exploited through a known vulnerability if an update isn’t applied. But …