WordPress Exploits and Patches


Fire escapes

I’m a big fan of WordPress, except for tonight when I’ve finally decided to conquer the random blog spam that has been happening to some blogs I administer. “WordPress Cookie Authentication Vulnerability.” It’s an invisible kind of CSS appended to the bottom of a post, as a form no less. The realization is that the security in WordPress is not too hot. Something about a stored double MD5 hash, and hackers compromising the cookie of the stored passwords, and not even having to resolve the MD5 hash but simply repost it as a cookie on their system and re-access the administrative site, where they can manage a lot of things.
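As an added illustration (not code from this post or from WordPress itself): the replayable cookie scheme the paragraph describes, placed next to an HMAC-based design that binds the cookie to a server-side secret and an expiry, so that a leaked users table no longer equals a leaked admin session. The user, password, secret and function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample record (not from the post): a user row as a
# WordPress 2.3-era table might hold it, with an unsalted MD5 password.
USER = "admin"
STORED_PW_HASH = hashlib.md5(b"correct horse battery staple").hexdigest()


def weak_cookie(stored_pw_hash: str) -> str:
    """The flawed scheme the post describes: the cookie is derived only
    from the hash already sitting in the database, so whoever can read
    the users table can mint a valid cookie without cracking anything."""
    return hashlib.md5(stored_pw_hash.encode()).hexdigest()


def weak_cookie_valid(cookie: str, stored_pw_hash: str) -> bool:
    return hmac.compare_digest(cookie, weak_cookie(stored_pw_hash))


# Hardened scheme (illustrative; in the spirit of the keyed cookies later
# WordPress releases adopted): the secret lives in server config, not in
# the database, and the MAC covers the user and an expiry timestamp.
SERVER_SECRET = b"example-secret-kept-in-config-not-in-db"  # constructed


def hardened_cookie(user: str, expires: int, secret: bytes = SERVER_SECRET) -> str:
    mac = hmac.new(secret, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{expires}|{mac}"


def hardened_cookie_valid(cookie: str, now: int, secret: bytes = SERVER_SECRET) -> bool:
    """Reject malformed, expired, tampered, or foreign-keyed cookies."""
    try:
        user, expires_str, mac = cookie.split("|")
        expires = int(expires_str)
    except ValueError:
        return False
    if now > expires:
        return False  # an old captured cookie cannot be replayed forever
    expected = hmac.new(secret, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)
```

The check in `hardened_cookie_valid` is what a database leak alone cannot satisfy: without the server secret an attacker can neither forge the MAC nor extend the expiry.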

Anyways, the patch I want to apply is not for the version we have installed: do I go with an unstable beta version (2.4b), or do I stick with 2.3.1 and manually change files line by line instead of applying the patch, or do I wait until 2.4 is officially released? Oh, the conundrums of open source.