Shostack + Friends Blog Archive


Managing WordPress: How to stay informed?

We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins.

So I asked Twitter “What’s the best way to track security updates for wordpress + plugins? I don’t want to have to look at the dashboards daily.” Zot O’Helpful responded “Wait until your site is hacked, then update.” Mark Adams commented that “I discussed WP recently with @markstanislav. We concluded that vulns are most likely to be in plugins, not the core.” Which is fine as far as it goes, but the vulns are more likely to be discovered in the core, and more likely to be widely exploited there.

But the question remains: how do others keep up with WordPress admin duties?

For bonus points, don’t discuss why WordPress doesn’t have a security announcements blog, twitter stream, mail list or anything else.

[Update: @chrisjager pointed to feed://, which is a good start.]

3 comments on "Managing WordPress: How to stay informed?"

  • Mark Adams says:

    To write about this in more than 140 chars, Mark Stanislav is a fellow ARBSEC colleague and WP user. He’d already applied the last two security patches each time I found out about them, so maybe he’s using the Update Notifier plugin, but they were both luckily just priv escalation ones, and my blog is single user. Stanislav’s an appsec guy and when I asked him, since he’s a WP guy, if he’d considered targeting WP, he told me that the core is probably pretty secure. Especially since it’s recently had some attention (last two security patches). The popular plugins are probably chock full of vulns and easier targets for the limited amount of time that we researchers have.

    As you said, the core is going to be targeted by the black hats more than by us. I use WP and recommend it to people all the time, but I haven’t gone through the more important parts myself. One major issue is that it runs on PHP which to this day doesn’t support suexec in apache in an efficient manner, like Perl does. Most shared web hosts haven’t implemented PHP in a safe way.

    Note that there are a lot of security enhancing plug-ins that could be audited and included into the core by the WP team, but which I’m hesitant to recommend, such as WP Login Security, Better WP Security, and several input sanitation/IDS plug-ins.

  • Nicko says:

    How about a cron job that runs a Google search on “WordPress security vulnerability” and sends you an email if the number of hits is more than 20% above the trailing 7 day average?
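The spike rule in Nicko's comment, worked out as a small script a daily cron job could run (an added example, not part of the original post or comments). The search itself is not performed here: the caller passes in the day's hit count, and the script keeps a JSON history file so it can compare today against the trailing 7-day average. The file name `wp_hits.json`, the minimum history of three days before a baseline is trusted, and the "exit status 2 means alert" convention are all assumptions made for this example.

```python
"""Spike detector for a daily 'WordPress security vulnerability' hit count.

Added example, not from the original post. Implements Nicko's rule: alert when
today's count is more than 20% above the trailing 7-day average. The search
count is supplied by the caller; only the bookkeeping and the decision live here.
"""
import json
from datetime import date
from pathlib import Path
from statistics import mean
from typing import Dict, Optional

WINDOW_DAYS = 7      # trailing window used for the baseline
THRESHOLD = 1.20     # alert when today > 120% of the trailing average
MIN_HISTORY = 3      # assumption: need a few days of data before trusting the baseline


def load_history(path: Path) -> Dict[str, int]:
    """Return {ISO date: hit count}; an absent file means no history yet."""
    if not path.exists():
        return {}
    return json.loads(path.read_text())


def save_history(path: Path, history: Dict[str, int]) -> None:
    path.write_text(json.dumps(history, indent=2, sort_keys=True))


def trailing_average(history: Dict[str, int], today: str) -> Optional[float]:
    """Mean of the most recent WINDOW_DAYS counts strictly before `today`,
    or None when there is too little history to form a baseline."""
    earlier = sorted(d for d in history if d < today)[-WINDOW_DAYS:]
    if len(earlier) < MIN_HISTORY:
        return None
    return mean(history[d] for d in earlier)


def is_spike(today_count: int, baseline: Optional[float]) -> bool:
    """Nicko's rule: more than 20% above the trailing average.
    No baseline (or a zero baseline) never alerts, so a fresh install does not
    send an email every day until the history fills up."""
    if baseline is None or baseline == 0:
        return False
    return today_count > baseline * THRESHOLD


def check_and_record(history_path: Path, today_count: int,
                     today: Optional[str] = None) -> bool:
    """Record today's count in the history file; return True if an alert is due."""
    today = today or date.today().isoformat()
    history = load_history(history_path)
    baseline = trailing_average(history, today)   # computed before today is added
    history[today] = today_count
    save_history(history_path, history)
    return is_spike(today_count, baseline)


if __name__ == "__main__":
    import sys
    # Cron usage (assumed): python wp_spike.py <today's hit count>
    # Exit status 2 signals "send the alert email" to the calling shell.
    if check_and_record(Path("wp_hits.json"), int(sys.argv[1])):
        print("ALERT: search hits for 'WordPress security vulnerability' spiked")
        sys.exit(2)
```

Because a single noisy day raises the next week's baseline, the check uses the window ending yesterday, so a spike is judged against the days before it rather than against itself.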
