Regardless of what you think about Microsoft, it is clear that they are interested in improving their products' security. One of the innovations to come out of this focus is the creation of "Patch Tuesdays," the second Tuesday of each month. This is the day when Microsoft releases security updates for its various products, including Microsoft Windows.

Why is this important? Before Patch Tuesdays, it was impossible to know whether your computer was missing the latest updates to Windows without manually visiting the Windows Update website. As a result, computers would often remain unpatched for months at a time. In this modern atmosphere, where worms are released days after exploit code becomes available and 0-day Internet Explorer exploits appear, a computer which is not updated immediately after the announcement of updates is in extreme danger.

What does Microsoft Windows, an operating system, have to do with WordPress, an online publishing system? Well, use of both is widespread. More importantly, I use both applications (although I enjoy the latter far more than the former), so where either of them suffers from a security problem, it affects me.

Earlier this week, I read about the release of WordPress 1.5.2 on Chris Gonyea's website. Afraid of falling victim to the security problems that the new version promised to fix, I immediately navigated to the WordPress website and downloaded it. I felt safe.

Yesterday, while reading comments on mobile guru Russell Beattie's shiny new WordPress blog, I ran across one by Marc Abramowitz, which directed me to a post on his site and then a post by Stefan Esser. One of the bugs that was supposed to be fixed in WordPress 1.5.2 still existed in the released code. In response to a bug report by Esser, the WordPress 1.5.2 files were updated. However, the version number of the files was not updated. Abramowitz writes,

I would humbly suggest that the WordPress developers refrain from this practice for future issues. There is no shortage of version numbers and although it's a little bit of hassle to bump a version number for a minor change, I think that it's the necessary thing to do when so many people depend on this software.

I think, if anything, Abramowitz is not being hard enough on the WordPress developers. Had the problem been a "normal" bug, like the ones that affected WordPress 1.5.1, updating the existing packages without increasing the version numbers would be reasonable. However, since the issue fixed was a security problem, it is extremely important that everyone who had already downloaded the problematic version of WordPress 1.5.2 upgrade. The note on the WordPress development blog that "If you upgraded late Sunday night double-check that you have the latest version of wp-settings.php on your blog" does not cut it. People who had already upgraded would have no reason to refer back to this item because they would assume that they had the latest version.
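An added example, not from the original post or the WordPress project: because the re-uploaded package kept the version number 1.5.2, a version check reports nothing, and only a content comparison against a freshly downloaded, extracted package shows that wp-settings.php differs. The helper names (`digest_tree`, `compare_install`, `build_tree`, `demo`) are hypothetical, and the file contents and the `wp-includes/version.php` stand-in used in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_install(installed, reference):
    """Return (changed, missing, extra) relative paths, installed vs. reference.

    On a live blog, 'extra' will also list local files such as configuration,
    uploads and plugins; 'changed' and 'missing' are the ones to act on.
    """
    have, want = digest_tree(installed), digest_tree(reference)
    changed = sorted(f for f in have.keys() & want.keys() if have[f] != want[f])
    missing = sorted(want.keys() - have.keys())
    extra = sorted(have.keys() - want.keys())
    return changed, missing, extra


def build_tree(root, files):
    """Write a {relative path: text} mapping under root (demo helper)."""
    for name, body in files.items():
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def demo():
    # Constructed sample data: same version string, one file silently replaced.
    first = {"wp-settings.php": "<?php // first upload\n",
             "wp-includes/version.php": "<?php $wp_version = '1.5.2';\n"}
    second = dict(first)
    second["wp-settings.php"] = "<?php // re-uploaded fix\n"
    with tempfile.TemporaryDirectory() as old, tempfile.TemporaryDirectory() as new:
        build_tree(old, first)
        build_tree(new, second)
        same_version = (first["wp-includes/version.php"]
                        == second["wp-includes/version.php"])
        return same_version, compare_install(old, new)


if __name__ == "__main__":
    print(demo())
```
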

It is worth noting that this is only a problem because of WordPress' reliance on the online distribution method of downloading. Software like Microsoft Windows that is distributed by CD is mastered (going "gold"). After a master CD is created, no changes are made. If a problem is found, it has to be resolved by an update.