Anthony Ferrara discovered a significant security vulnerability and an even more fundamental security flaw in WordPress.
The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can’t double-prepare a string.
It’s worth saying that this would be a major breaking change for WP. One that many other platforms have done successfully (PHPBB did this exact thing, and went from having massive SQL Injection vulnerabilities to almost none).
WordPress has made great strides in modernizing and hardening core. I really had no idea WPDB was still in the dark ages! For shame!
Read his post for all the gory details.
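To make the design point in the quoted fix concrete, here is an added illustration (not code from WordPress, wpdb or Ferrara's post): a hypothetical string-returning prepare() beside a hypothetical object-returning one, showing why only the former can be prepared twice. It assumes %s-only placeholders and PDO as the driver.

```php
<?php
declare(strict_types=1);

// Stand-in for a string-returning prepare(), the style the post criticises (not wpdb):
// each %s is replaced by a quoted argument and plain SQL text is handed back. When the
// arguments run out, any remaining placeholder is left untouched.
function prepareToString(string $template, array $args): string
{
    return preg_replace_callback('/%s/', function (array $m) use (&$args): string {
        return $args === [] ? $m[0] : "'" . addslashes((string) array_shift($args)) . "'";
    }, $template);
}

// The alternative design: prepare() returns an object that keeps template and values
// apart and only hands them to the driver as a real parameterised statement.
final class PreparedStatement
{
    public function __construct(private string $template, private array $args) {}

    public function execute(PDO $pdo): PDOStatement
    {
        $stmt = $pdo->prepare(str_replace('%s', '?', $this->template));
        $stmt->execute(array_values($this->args));
        return $stmt;
    }
}

function prepareToStatement(string $template, array $args): PreparedStatement
{
    return new PreparedStatement($template, $args);
}

// Constructed input: ordinary data that happens to contain a placeholder token.
$title = '100% sure %s';
$sql = 'SELECT * FROM posts WHERE title = %s';
$once = prepareToString($sql, [$title]);
echo $once, PHP_EOL; // SELECT * FROM posts WHERE title = '100% sure %s'

// A later layer, unaware the string is already prepared, prepares it again to add a LIMIT.
// The %s that came from data is consumed as a placeholder: the quoting around the title
// breaks and the real LIMIT placeholder never receives its value.
$twice = prepareToString($once . ' LIMIT %s', ['10']);
echo $twice, PHP_EOL; // SELECT * FROM posts WHERE title = '100% sure '10'' LIMIT %s

// The same mistake against the object design fails loudly instead of yielding a query.
$stmt = prepareToStatement($sql, [$title]);
try {
    prepareToStatement($stmt, ['10']);
} catch (TypeError $e) {
    echo 'double prepare rejected: ', $e->getMessage(), PHP_EOL;
}
```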