Huge Vulnerability in WordPress 4.8

Anthony Ferrara discovered a significant security vulnerability and an even more fundamental design flaw in WordPress's database layer, WPDB.

The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.

It’s worth saying that this would be a major breaking change for WP. One that many other platforms have done successfully (PHPBB did this exact thing, and went from having massive SQL Injection vulnerabilities to almost none).

WordPress has made great strides in modernizing and hardening core. I really had no idea WPDB was still in the dark ages! For shame!

Read his post for all the gory details.
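To make the quoted design argument concrete, here is an added example (my own illustration, not code from Ferrara's post or from WordPress core): a toy sprintf-style prepare() that returns a finished SQL string, run twice the way helper functions in plugins often do, next to a prepare() that returns a query object instead. The function and class names (toy_prepare, Query, q) and the request values are made up for the demo.

```php
<?php
// Added example, not code from the post or from WordPress core: a toy
// string-returning prepare() in the style the post criticises, beside a
// prepare() that returns a query object. All names here are invented.

declare(strict_types=1);

// --- 1. The string-returning design -------------------------------------

function toy_prepare(string $query, array $args): string
{
    // Wrap bare %s in quotes and escape string arguments; ints pass as-is.
    // This is the general shape of a vsprintf-based prepare.
    $query = preg_replace('/(?<!%)%s/', "'%s'", $query);
    $safe  = [];
    foreach ($args as $arg) {
        $safe[] = is_int($arg) ? $arg : addslashes((string) $arg);
    }
    return vsprintf($query, $safe);
}

// Attacker-controlled request values (constructed for the demo).
$name = '%1$c OR 1=1 -- ';   // a printf directive; no quotes, so nothing to escape
$id   = 39;                  // 39 is the ASCII code of a single quote

// A helper prepares a fragment once...
$where = toy_prepare('name = %s', [$name]);
// ...and the caller embeds that fragment and prepares the whole query again.
// On this second pass, data from the first pass is the format string:
// %1$c renders the integer id as a literal quote character.
$sql = toy_prepare("SELECT id FROM users WHERE $where AND id = %d", [$id]);
echo $sql, PHP_EOL;

// --- 2. The object-returning design -------------------------------------

final class Query
{
    /** @param list<int|string> $params */
    public function __construct(private string $sql, private array $params) {}

    // Composition appends SQL text the developer wrote and carries the
    // parameters alongside it; values are never spliced into the text.
    public function andWhere(Query $fragment): self
    {
        return new self(
            $this->sql . ' AND ' . $fragment->sql,
            array_merge($this->params, $fragment->params)
        );
    }

    public function sql(): string   { return $this->sql; }
    public function params(): array { return $this->params; }

    // Template and values go to the driver separately; nothing to re-prepare.
    public function execute(PDO $pdo): PDOStatement
    {
        $stmt = $pdo->prepare($this->sql);
        $stmt->execute($this->params);
        return $stmt;
    }

    // Deliberately no __toString(): "WHERE $fragment" must fail, not silently
    // turn the object back into a string that someone prepares again.
}

function q(string $sql, array $params = []): Query
{
    if (substr_count($sql, '?') !== count($params)) {
        throw new InvalidArgumentException('placeholder/parameter count mismatch');
    }
    return new Query($sql, $params);
}

$query = q('SELECT id FROM users WHERE name = ?', [$name])
    ->andWhere(q('id = ?', [$id]));
echo $query->sql(), PHP_EOL;              // the template, free of user data
echo json_encode($query->params()), PHP_EOL; // the data, still inert
```

With the string design, the first call yields name = '%1$c OR 1=1 -- ' (no quote characters, so escaping had nothing to do), and the second call treats that data as its format string: %1$c renders the integer 39 as a bare ' and the final SQL reads SELECT id FROM users WHERE name = '' OR 1=1 -- ' AND id = 39. With the object design the template never contains user data, and because Query has no __toString(), interpolating it into another query string throws an Error instead of double-preparing.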

How to Keep Your New WordPress Site Running Smoothly

So you just launched a WordPress site for your business and everything is up and running: pages load quickly, SEO is better than ever, and you've paid your development team. Now you're all set for the next few years, right?

In an ideal world, this would be true. Unfortunately, the Internet is a dangerous place and software is not perfect. With WordPress presently powering about a quarter of the Internet, it is a huge target for hackers and internet miscreants. Left untouched, your site is almost guaranteed to become infected with malware at some point.

Click “Update!”

Clicking that "update" button in the WordPress admin is the single most important thing any WordPress site owner can do. On Windows or macOS, security updates can seem like a pain: annoying nag messages that you dismiss immediately. Those updates matter too, but your desktop machine usually sits behind a router or two and is not directly reachable from the outside. Your website, on the other hand, has to be reachable by the whole Internet for the public to use it, and that includes attackers.

One fact that is easy to overlook if you're unfamiliar with software development is that the vast majority of security patches are responses to a reported issue. By the time you see the update notification in WordPress, the fix, and therefore a description of the hole, is public, and potential attackers already have what they need to build mass exploitation tools.

To put it another way: in my time working with WordPress, I've never seen a compromised WordPress site that was totally up to date with all updates.

Is It Safe?

One concern that causes many computer users to put off software updates is the fear that something will break. While this fear is not totally unfounded, most software updates are safe most of the time. With WordPress updates, you're dealing with new code from different sources. Core updates come from the WordPress open source project and are vetted by the project's developers. Plugin updates are submitted by the plugin author, and the experience level of those authors varies widely: they could be hobbyists working on the weekend or large teams of professional developers.

So is it safe?

Minor WordPress core updates are safe. Minor updates are the point releases in which only the last number changes (e.g. 4.8.2 to 4.8.3); they carry security and bug fixes, and the WordPress team takes great care to ensure that they do not break anything.

Major WordPress updates are probably safe. Major updates are the releases where the first or second number changes (e.g. 4.8 to 4.9). Again, the WordPress team has a great track record of building in backwards compatibility, so your site probably won't break. There are two caveats, though: 1) major features in the WordPress admin will likely look and/or act differently; 2) some plugins may stop working.

Plugin updates should be safe, but it depends. With a few notable exceptions, most well written plugins will update without issue. The same rule of thumb about major and minor updates applies to plugin updates: a major version update is more likely to break something. A good WordPress site developer will only install plugins that they've individually vetted; I never install plugins for my clients that I do not trust.
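The three rules of thumb above map onto WordPress's own update controls. Here they are as configuration, an added example rather than anything from the post. The plugin slugs in the allowlist are assumed; substitute the ones you have vetted.

```php
<?php
// Added example, not code from the post. Two fragments that turn the
// rules of thumb above into configuration. Plugin slugs are assumed.

// --- wp-config.php -------------------------------------------------------
// Apply minor (4.8.x) core releases automatically; leave major (4.8 -> 4.9)
// releases for a human who has read the release notes. The weak setting
// here would be `false`, which turns off even security point releases.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// --- wp-content/mu-plugins/auto-updates.php -------------------------------
// Plugins: auto-update only the ones you have vetted; everything else still
// shows the "update" nag so a person looks at it before it goes live.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $vetted = array( 'wordfence', 'akismet' ); // assumed allowlist of slugs
    return in_array( $item->slug, $vetted, true );
}, 10, 2 );

// Themes: same idea via the equivalent filter. Theme updates change markup
// and templates, so keep them manual unless you have a child theme and a
// staging site to check them on.
add_filter( 'auto_update_theme', '__return_false' );
```

The filter receives the update object for each plugin and returns whether it may be applied unattended; returning the allowlist check rather than `true` means a newly installed plugin is not auto-updated until someone adds it to the list.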

Be Proactive

A number of security plugins and services have become available for WordPress over the past few years. They are essentially virus scanners and firewalls for WordPress: by setting one up, you should be able to fend off additional threats, or at the very least detect and disable malware if it happens to make it onto your site. A Google search will reveal many good options. My current go-to plugin is Wordfence security; I install it on all new sites. I like it because it works well out of the box and it typically does a better job finding malware than the other plugins I've tried.

Conclusions

As developers, I think we often do a bad job communicating the importance of ongoing maintenance and security. After all, it’s a little embarrassing to have to concede that this great product you just spent weeks of time and a good chunk of money on, is a giant bullseye for internet miscreants. It can seem like a slimy up-sell to suggest a maintenance contract.

In reality, if you’re comfortable reading and digesting release notes, you should be able to handle keeping WordPress up to date. If you’re less of a tech-DIY person, you may want to get in touch with a developer.

One more thing: Backups

Backups are always a good last resort. I didn't mention them in this post because backups are typically a poor malware recovery solution, for two main reasons: 1) the type of malware that affects WordPress rarely corrupts content; 2) it can be difficult to pinpoint when a malware infection started, so you won't know which backup to restore to.

Dear WordPress Get Your 💩 Together

Dear WordPress.org,

Get your shit together!

It is 2016; there is no excuse for allowing plugins with insecure code to make their way into the plugin directory. Full stop.

The story about Custom Content Type Management stealing admin credentials and other shenanigans is utterly pathetic. I'd bet this incident is just the tip of the iceberg.

If there is a plugin review process, I have seen no evidence of it. In my experience, plugin updates are made live immediately after the repo is updated, regardless of whether the plugin has a site-crashing bug or a security issue.

The plugin directory situation has gotten so bad that people are starting to avoid installing free plugins.

Fix it. Please.

Sincerely,
Everyone who loves WordPress

P.S. I stole the emoji graphic from the great article The Oral History of the Poop Emoji.

The Role of Developers in the WordPress Community

Earlier this week, influential British designer Sazzy wrote a blog post entitled The Elephant In The Room about the depressing state of freelance web design. While not directly related, her post got me thinking about the current plight of the back-end developer inside the WordPress universe.

Over the past 3 or 4 years I’ve focused my work around custom WordPress development. In that time, in spite of (or maybe because of) WordPress’ meteoric rise to popularity, I’ve found interesting backend development work in WordPress to have almost completely dried up.

I believe this is largely because WordPress is mature, stable and has little need for serious back-end developers.

Core Contributions

Earlier this year, I took it upon myself to get a patch into WordPress core. I logged into the WordPress Slack daily, watched conversations and dug around Trac to find something I could contribute back to the community.

In doing so, I came to learn that the core contribution team seems to be a well-defined clique of developers who have been there a long time. Breaking into the little club is not easy. Based on my digging around in Trac, it looks like most feature requests are met with bureaucracy and bickering, as tends to happen in nerd forums. More serious issues are already adequately handled by long-time core contributors. The Slack conversations are dominated by a few voices who really know what they're talking about.

Don't get me wrong, the core contribution community is not unfriendly and none of the things I encountered are bad, per se. I simply got the impression that there's little room and little need for the average developer in the core contribution team. WordPress is mature and stable, and so is the development team.

Plugins

Simply put, most common and many uncommon features/problems/use-cases have been solved by well-established, mature, stable plugins. Most of the more popular plugins are supported by businesses that have sprouted up around them. Not only that, but Automattic seems to be spending even more resources developing plugins, as we saw just this week with their AMP plugin.

A few years ago it might have been possible to start a cottage business around a custom-developed plugin that solves a popular problem: something you could implement on all your development clients' sites while selling support or premium services to the general public.

Today, those unsolved problems are few and far between.

Themes

The theme marketplace is bananas. There... are... just... so... many... themes, and a lot of them are technically quite bad. But all many clients need are pretty pictures, slick demos and a low price point. It's very difficult to sell the average mom & pop on the merits of a custom designed theme. To be honest, a lot of the time there is little value to be gained.

At the end of the day, custom themes are a non-starter for a large portion of the potential client base that the average freelance developer could expect to encounter. There are certainly cases where a custom template could be part of an overall design/branding strategy or something to that effect.

WordPress as a CMS

WordPress has always been and still is a bad choice as a general purpose CMS. But that’s a post for another day.
So, what’s left?

In my experience over the past couple of years, there are two related roles being filled by professionals who make their living in the WordPress universe.

The Expert

The WordPress Expert is someone who stays up to date with WordPress. They know about key features in the latest release; they maintain a personal list of go-to plugins to solve various problems; they have preferred theme vendors and know how to spot a bad theme just by looking at it; and they're just really good at using WordPress.

The WordPress Expert can set you up with a website from start to finish without ever touching a line of CSS or a PHP template. They act as a liaison between a clueless client and the confusing world of websites. They can troubleshoot most issues; if not, they'll know who to call.

The Customizer

The WordPress Customizer has all the skills and knowledge of The Expert and, on top of that, is usually a skilled front-end developer with some basic back-end knowledge. They know what a child theme is and aren't afraid to use one.

When an off-the-shelf template doesn't quite fit a client's needs, the client will end up hiring a Customizer. The Customizer is able to wrangle the theme, bending it to meet the needs and wishes of a particular client.

At the end of the day, this type of customization can often be hard to maintain. Being a good customizer is not always an easy task. But The WordPress Customizer can be a reasonable solution to provide budget conscious clients a more customized website.

Over the years, my role has morphed into that of a customizer. I enjoy the work, but it doesn't really scratch my programmer itch. Calling it "web development" seems like a stretch.

TeeVee for WP: building Apple TV apps with WordPress Plugins

Imagine you create tons of great video content every day and publish it all through WordPress. Your viewers can watch your amazing shows everywhere... on iPhones, iPads, iMacs, but not on their TVs. Wouldn't it be great to have a branded Apple TV app so that all your viewers could watch your content in full-screen glory? Well, I've got just the WordPress plugin for you...

Behold, TeeVee for WP!

A straightforward WordPress plugin I created that lets content creators use WordPress as the data source for Apple TV apps. TeeVee for WP attaches video metadata to blog posts; the metadata is used to generate TVML[1], which is ingested by a custom/branded tvOS app.
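An added illustration of the plugin-side step, not code from TeeVee for WP (the plugin's own meta keys and markup may differ): generating a TVML listTemplate from post data with DOMDocument, so that a post title containing < or & is escaped as XML text rather than pasted into a string template. The post array, the field names and the videoURL attribute (a custom attribute the app's JavaScript would read) are assumptions; the element names follow Apple's TVML template reference, which is the place to check them.

```php
<?php
// Added example, not code from TeeVee for WP. Renders a TVML listTemplate
// from post data via DOMDocument, which escapes text and attribute values
// itself. Sample posts, field names and the videoURL attribute are assumed.

declare(strict_types=1);

/**
 * @param array<int, array{title: string, video_url: string, duration: string}> $posts
 */
function render_tvml(string $banner, array $posts): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $doc->formatOutput = true;

    $root     = $doc->appendChild($doc->createElement('document'));
    $template = $root->appendChild($doc->createElement('listTemplate'));

    $bannerEl = $template->appendChild($doc->createElement('banner'));
    $bannerEl->appendChild($doc->createElement('title'))
             ->appendChild($doc->createTextNode($banner));

    $section = $template->appendChild($doc->createElement('list'))
                        ->appendChild($doc->createElement('section'));

    foreach ($posts as $post) {
        // Only http(s) URLs get into the feed; javascript:/data: etc. are dropped.
        if (!preg_match('#^https?://#i', $post['video_url'])) {
            continue;
        }
        $item = $section->appendChild($doc->createElement('listItemLockup'));
        // createTextNode escapes <, > and &; no manual htmlspecialchars needed.
        $item->appendChild($doc->createElement('title'))
             ->appendChild($doc->createTextNode($post['title']));
        $item->appendChild($doc->createElement('decorationLabel'))
             ->appendChild($doc->createTextNode($post['duration']));
        // setAttribute escapes quotes and ampersands in attribute context.
        $item->setAttribute('videoURL', $post['video_url']);
    }
    return $doc->saveXML();
}

// Constructed sample: the second post tries to smuggle markup and a
// javascript: URL into the feed.
$posts = [
    ['title' => 'Episode 1: Hello & Welcome', 'video_url' => 'https://example.com/ep1.m3u8', 'duration' => '12:30'],
    ['title' => '<script>alert(1)</script>',  'video_url' => 'javascript:alert(1)',          'duration' => '00:01'],
];
echo render_tvml('My Shows', $posts);
```

The first post comes out with its ampersand encoded as &amp; and the second is dropped entirely because of its URL scheme; had its URL been acceptable, its title would have appeared as the harmless text &lt;script&gt;alert(1)&lt;/script&gt; rather than as elements.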

On the Xcode end you simply create a new tvOS single-view application, with an AppDelegate that looks something like this:

Modify `TVDomain` to point to the domain where TeeVee for WP is installed and the rest is show business. Serve that domain over HTTPS: the tvOS app fetches and runs whatever TVML and JavaScript the server returns, so a plaintext origin hands that control to anyone on the network path.

The project is up on github here: https://github.com/ohryan/teevee.

Contributions would be much appreciated.

If you have any questions or suggestions hit me up on twitter at @ohryan or email me ryan@ohryan.ca.

[1] TVML is a small XML format Apple created for basic layout; check out Apple's documentation for more information.