WordPress Hack Security Issue

(directorial credit: Leftjustified)

According to Dr Dave of Spam Karma, it looks like there is a security hole, or hack, that uses guest accounts on WordPress.

Those running WordPress are highly recommended to go to ‘Options’ in your control panel and untick ‘Anyone can register’ for the time being. All installs of WordPress, including those not using Spam Karma, should do this.

Sounds like WordPress is working on it, but the fixed releases aren’t out there yet. I have total sympathy with Dr Dave’s issues with the WP team’s speediness/mixed response; I had dealings with them over the multiple enclosures and not being able to delete an enclosure issues (standard default response: “It’s supposed to be like that” – what, even not being able to delete the enclosures?!?)

I gave up on a fix or functionality to fix the multiple enclosures after nearly a year and installed this plugin, not from WP, which works like a dream.

Not impressed by the WP dev team or how they do things…

EDIT: Interesting how I wrote this before seeing my concerns echoed here and here…yeah, it’s all internal politics, and I still think WordPress is the best tool around (better than Livejournal apart from the social side and ‘friends’ postings), but the commercial side to WordPress worries me…and I see this reflected on a bigger scale in the current ‘Web 2.0’ VC feeding fest, and maybe it affects how they interact with people?

But maybe that’s for another post. Especially including Podshow+ aping like Myspace…;-)

The important thing though, with PHPBB or WordPress or any open source product, is to update regularly…in the case of WP I have to give credit that it’s fairly easy (could be better; fiddling around finding the path to the ‘Upgrade’ link is no fun), but PHPBB is a bitch…

EDIT 2: WordPress 2.04 has been released to fix this issue – I’d recommend you upgrade ASAP. I will when I get the chance.


  1. July 28

    Glad you’re using my plugin. I wrote it only out of desperation and assumed it would be obsolete within a month once they figured out how to fix the problem. But since they don’t consider it a problem the need still exists. The reason you can’t delete enclosures is that the enclosing is done automatically and in the very last phase of saving a post. You actually do delete the custom field for an instant, but it’s recreated immediately after that. And it’s supposed to work that way?

  2. July 28

    It’s a great plugin! Thank you.

    That’s the response I got…I even brought in Dave Winer and he emailed Matt copying me…I didn’t care what was ‘the right way’ as long as I could delete an enclosure, either a button or switch or fixing the issue or whatever…

    Funny thing is the developers (on that issue anyway), rather than saying ‘oh this is what the users want, we’ll add the functionality or fix the problem’, seemed to close ranks or ignore us. Not helpful…I know of people who intentionally BROKE their WP installs to solve this issue….they were that desperate.

  3. July 28

    Thanks for the support and glad to see my position is somewhat understood by some… I’ll refrain from commenting any further on developer/user relations in WP (and other projects), because it feels like that’s all I’ve been doing all the time, and frankly, I aspire to other things in life, but trust me: I feel you…

    Regarding the pic above, it seems my anti-hotlinking script is preventing it from displaying properly, but feel free to download it and use it for your own purpose… It’s not even my own but I’m pretty positive Leftjustified won’t mind as long as credit is left.


  4. July 28

    I’ve changed the image – thanks for letting me know!

    And I’m really glad you let us know and prompted this, and thank you for Spam Karma 2 – as you can see 17,000 spams and counting, and before I had to delete every one! It’s not 100% successful but even 95-99% saves me so much time.

    And I thought you were so right to do this, as you’d gone through the official channels and were getting no luck, and having experience of those support/dev channels too…it’s sad that you have to huff and puff to get a response though, isn’t it?
