WordPress Security Stupidity
I was reading a blog the other day and because the author had made reference to my calendar plugin I decided I would like to comment on the article. The site was setup so I had to register in order to post. I did so and was able to login and make my comment immediately – I wasn’t required to verify my e-mail address. I was also able to modify my credentials in a stripped down admin panel and it was here that I noticed something stupid.
Splashed across the top of the panel was a notice saying “This WordPress installation is out of date. The latest version is 2.5.1. Consider informing the administrator”. I considered shouting at WordPress for their stupidity with respect to security. If there is one thing we should learn from the telnet/SMTP hacks of days gone by its that shouting out that you have a vulnerable installation on some kind of banner is a bad thing to do. Luckily I’m on of the good guys and didn’t decide to compromise this individual’s site. Someone might do in the future though, with that site or any other displaying such a readily available banner. Why does this banner need to be there? Sure, it might need to be for an admin user but someone who has just registered? No. Sheer madness.
Need help using my Calendar plugin on your site?
Are you in my address book yet?
I've canned 3,564,022 spam blog comments so far and rising.
I have a zero tolerance on spam!
I'll take one more step closer to you 