Two Ideas for Mitigating Future WordPress Vulnerabilities

This weekend there has been a plethora of news stories about pre-2.8.4 versions of WordPress being hacked (Lorelle, Matt or the Guardian). The official way to protect yourself is to install an upgraded version of the system.

My first suggestion: The administrators of a WordPress blog should be sent an email whenever a new release is published. Unfortunately, I believe the “update release check” only occurs when someone is looking at the admin pages. A hook could be added so that the version check also runs once a day on ordinary public page loads; if a new version has been released, an email message is sent to the administrators.
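One way to build the first suggestion, as an added example that is not from the original post or from WordPress core: a small plugin that schedules a daily WP-Cron event (WP-Cron fires on normal front-end requests, so no admin visit is needed), runs the core version check, and mails every administrator once per new release. It assumes a WordPress version that has `get_site_transient()`, `get_users()` and the `update_core` transient layout (3.1 or later); the `ex_` names and the `ex_last_notified_version` option are the example's own.

```php
<?php
/*
Plugin Name: Daily Core Update Notifier (added example)
Description: Runs the WordPress core version check once a day from WP-Cron
and emails every administrator when a newer release is available.
*/

// Assumption: WordPress 3.1 or later, so that get_site_transient(),
// get_users() and the 'update_core' transient layout used below exist.

// WP-Cron is triggered by ordinary front-end requests, so a daily event
// runs even if nobody opens the admin pages.
register_activation_hook( __FILE__, 'ex_notifier_activate' );
function ex_notifier_activate() {
	if ( ! wp_next_scheduled( 'ex_daily_core_check' ) ) {
		wp_schedule_event( time(), 'daily', 'ex_daily_core_check' );
	}
}

register_deactivation_hook( __FILE__, 'ex_notifier_deactivate' );
function ex_notifier_deactivate() {
	wp_clear_scheduled_hook( 'ex_daily_core_check' );
}

add_action( 'ex_daily_core_check', 'ex_run_core_check' );
function ex_run_core_check() {
	// Refresh the cached result from api.wordpress.org; the second argument
	// forces a check even if core ran one recently.
	wp_version_check( array(), true );

	$update = get_site_transient( 'update_core' );
	if ( empty( $update->updates ) ) {
		return; // check failed or nothing cached yet
	}

	$installed = get_bloginfo( 'version' );
	$newest    = null;
	foreach ( $update->updates as $offer ) {
		// 'upgrade' offers describe a newer release; 'latest' means current.
		if ( 'upgrade' === $offer->response
		     && version_compare( $offer->current, $installed, '>' ) ) {
			$newest = $offer->current;
			break;
		}
	}
	if ( null === $newest ) {
		return; // already up to date
	}

	// Mail once per new release, not once per day.
	if ( get_option( 'ex_last_notified_version' ) === $newest ) {
		return;
	}

	$subject = sprintf( '[%s] WordPress %s is available (installed: %s)',
		get_bloginfo( 'name' ), $newest, $installed );
	$message = sprintf(
		"A new WordPress release (%s) is available and this site runs %s.\n" .
		"Upgrade from %s as soon as possible.\n",
		$newest, $installed, admin_url( 'update-core.php' )
	);

	foreach ( get_users( array( 'role' => 'administrator' ) ) as $admin ) {
		wp_mail( $admin->user_email, $subject, $message );
	}
	update_option( 'ex_last_notified_version', $newest );
}
```

The `ex_last_notified_version` option is what keeps this from nagging daily: administrators get one mail per release, which is the signal the post asks for without turning the check into noise they learn to ignore.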

My second suggestion: Have WordPress expire after a fixed amount of time. For example, let’s say one year after a version is released, it will lock itself down. At that point it will not allow new comments, posts or pages. Then six months after that, edits can no longer be made to existing pages or posts. Then six months after that, a full two years after a new release has been issued, posts, pages and comments will no longer even appear on the site. They’ll still be in the database, but they won’t be displayed at all.
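The three-stage expiry can be sketched as a plugin as well; this is an added example, not code from the post or from WordPress core. Core does not record when the installed release shipped, so `EX_RELEASE_DATE` is a constructed sample value, and the thresholds (365, 545 and 730 days) are the post's one year, eighteen months and two years. It assumes WordPress 3.3 or later for the `wp_insert_post_empty_content` filter; the `ex_` names are the example's own.

```php
<?php
/*
Plugin Name: Release Expiry Lockdown (added example)
Description: Locks a site down in stages according to the age of the
installed WordPress release, as a demonstration of the expiry idea.
*/

// Assumption: the release date of the installed core version. Core does not
// record this, so a constructed sample date stands in for it here.
define( 'EX_RELEASE_DATE', '2009-01-01' );

// Stage thresholds in days: 1 year, 18 months, 2 years.
define( 'EX_NO_NEW_CONTENT_AFTER', 365 );
define( 'EX_NO_EDITS_AFTER',       545 );
define( 'EX_NO_DISPLAY_AFTER',     730 );

function ex_release_age_days() {
	return (int) floor( ( time() - strtotime( EX_RELEASE_DATE ) ) / 86400 );
}

add_action( 'init', 'ex_apply_lockdown' );
function ex_apply_lockdown() {
	$age = ex_release_age_days();

	if ( $age >= EX_NO_NEW_CONTENT_AFTER ) {
		// Stage 1: no new comments, posts or pages.
		add_filter( 'comments_open', '__return_false' );
		add_filter( 'wp_insert_post_empty_content', 'ex_block_new_posts', 10, 2 );
	}
	if ( $age >= EX_NO_EDITS_AFTER ) {
		// Stage 2: existing posts and pages can no longer be edited or deleted.
		add_filter( 'map_meta_cap', 'ex_block_edits', 10, 2 );
	}
	if ( $age >= EX_NO_DISPLAY_AFTER && ! is_admin() ) {
		// Stage 3: nothing is shown on the public site; the rows stay in the DB.
		add_filter( 'the_posts',      '__return_empty_array' );
		add_filter( 'comments_array', '__return_empty_array' );
	}
}

// Treat any insert without an existing ID (i.e. a new post or page) as
// empty, which makes wp_insert_post() refuse it.
function ex_block_new_posts( $maybe_empty, $postarr ) {
	return empty( $postarr['ID'] ) ? true : $maybe_empty;
}

// Map editing capabilities to 'do_not_allow' so current_user_can() fails
// for edits and deletions of existing content.
function ex_block_edits( $caps, $cap ) {
	$locked = array( 'edit_post', 'edit_page', 'delete_post', 'delete_page' );
	return in_array( $cap, $locked, true ) ? array( 'do_not_allow' ) : $caps;
}
```

Stage 3 deliberately leaves the admin side untouched (`! is_admin()`), so the content is still visible to the owner for export or after upgrading, matching the post's "still in the database" condition.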

Radical? Absolutely! But I think this would be a prudent way to minimize future problems, as well as forcing (encouraging) people to keep their WordPress installation up to date.