My apologies for not updating the blog for such a long time. Thanks to Vivekk for pointing it out to me and reminding me how much he’s missing the content of this blog (which definitely makes me feel good). Coming back to the actual blog post: the talk of WordPress not being a secure blog engine, and the questions being raised about the security of WordPress, tell me how we all tend to blame others for our own faults!
Recently, there have been reports that older versions of self-hosted WordPress blogs are under attack by an online creature named “eval/base64_decode” that changes the Permalinks (URL structure) of your blog posts to something like: example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/.
Why do I say that it’s our own fault?
The WordPress team has been working hard all the time to give us new features in each new version, and they have been quick to supply security updates whenever a new version needs one. It’s the bloggers who don’t give these updates the importance they deserve and never upgrade their engines, and then we raise questions about WordPress security or play the blame game after our blogs get hit by these nasty tricks played by “some jerk”.
Would it not be your fault if you didn’t lock the doors of your house and went away on holiday? Would that not be an open invitation to thieves? It’s exactly the same here: by not upgrading your WordPress installation, you are inviting hackers to exploit your blog.
What all can I do to keep my blog safe?
I’ve already written a series on how to secure your WordPress installation, and I’m sure those safety measures will keep your blog safe from prying eyes. Those are preventive measures, though. If your blog has already been hit by “eval/base64_decode”, then go ahead and follow this FAQ on how to recover from this nasty attack.
Suggestions for the Automattic team
Considering how WordPress has grown in the internet world, and how other engines are secure enough that they don’t get attacked by these exploits (it’s pretty much the same reason Microsoft Windows gets viruses and other operating systems don’t), here are a few suggestions the Automattic team should implement to keep things more secure than ever:
1. Certify the plugins – This wonderful suggestion came from Allen Stern, and I think he’s right on the money. If WordPress had a system, or a person, that reviewed the code of every plugin uploaded to WordPress Extend, it would give bloggers more assurance about the authenticity of the plugin.
2. Put in a WatchDog – Corsin Camichel suggests that it would be nice if bloggers received an automated report every day from their WordPress installation telling them about the activity on the blog. I’m sure a person would be alerted if they saw that 30 new posts had been added to their blog while they were busy elsewhere.
3. Educate users through WordPress.TV – WordPress.TV is an excellent resource with lots of videos that educate users about various parts of WordPress. I’m sure bloggers would appreciate more videos (other than this video) on the topic of security and what they can do to keep their blogs safe from prying eyes.
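As an added example (not code from the original post, nor from WordPress or Automattic), the following Python script puts the two ideas together: it scans the URL-shaping rows of the wp_options table for the eval/base64_decode payload quoted at the top of the post, and turns the findings plus a post-count threshold into the kind of daily watchdog report Corsin Camichel suggests. The option names are real WordPress options; the sample rows, the post count and the threshold are constructed for the example.

```python
import re
from urllib.parse import unquote

# A legitimate permalink structure only holds slashes, literal text and
# %tags% such as %year% or %postname%. PHP execution constructs have no
# business there, so their presence is a reliable indicator of tampering.
SUSPICIOUS = re.compile(
    r"eval\s*\(|base64_decode\s*\(|\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\b"
    r"|\{\$|\$\{|<\?php",
    re.IGNORECASE,
)

def fully_unquote(value, max_rounds=5):
    """Percent-decode repeatedly so a double-encoded payload is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_option(name, value):
    """Return a finding for one wp_options row; 'tainted' is True on any hit."""
    decoded = fully_unquote(value)
    hits = sorted({m.group(0) for m in SUSPICIOUS.finditer(decoded)})
    return {"option": name, "decoded": decoded, "hits": hits, "tainted": bool(hits)}

def scan_options(options):
    """Scan the URL-shaping options and return only the tainted ones."""
    return [f for f in (check_option(k, v) for k, v in options.items()) if f["tainted"]]

def daily_report(options, new_posts_today, max_expected_posts=5):
    """Lines for the daily watchdog mail: tainted options plus a post-count alert."""
    lines = [f"Tainted option {f['option']}: {', '.join(f['hits'])}"
             for f in scan_options(options)]
    if new_posts_today > max_expected_posts:
        lines.append(f"{new_posts_today} new posts today (expected at most {max_expected_posts})")
    return lines or ["No anomalies detected"]

# Constructed sample of wp_options rows (not from a real site). The payload in
# permalink_structure is the one quoted in the post.
SAMPLE_OPTIONS = {
    "permalink_structure": ("/%category%/%postname%/%&(%7B$%7Beval(base64_decode("
                            "$_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/"),
    "category_base": "",
    "tag_base": "topics",
}

if __name__ == "__main__":
    for line in daily_report(SAMPLE_OPTIONS, new_posts_today=30):
        print(line)
```

Feed it the real values (for instance the output of `wp option get permalink_structure`) and run it from cron to get the report mailed to you each day.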
If you have any more suggestions for the Automattic team, then why not take part in the conversation and let them know what we are expecting from them! <sarcasm>After all, it was their fault that they built such a wonderful app; people will automatically have a lot more expectations of them.</sarcasm>