WordPress Security and You

By : Jeff Rose | In : Wordpress


Recently, WordPress has come under heavy fire from a variety of sources. Some are just its usual detractors, who have little “good” to say about it in general; others are die-hard fans of WordPress; and the final group is the one bent on destroying it. This last group is the one that can ultimately affect you and your site.

Given WordPress’s popularity and growth as a blogging and CMS platform over the last few years, and its open source approach to development, it’s little wonder that it became a target for hackers. The full source code is published right there for anyone to look at, and sooner or later mean-spirited or predatory people would find ways to take advantage of it.

That’s not to say that everyone who finds vulnerabilities is evil. There are a LOT of good folks out there who find flaws, bugs and exploits in software and diligently report them to the coders responsible. That’s why we get solid, robust software like WordPress, which, while not perfect, is generally fairly reliable.

WordPress 2.8.4 was released a while ago, and its primary purpose was to patch a hole that allowed an attacker to reset the admin password. Much was made of this problem, including many erroneous reports that a hacker could thus gain access to your beloved blog and do more evil things. This was not true. The attacker could only force the system to reset your password and send you an email about it. Not exactly the stuff of nightmares.

The other item that was frequently tossed around at that time reported that this bug was introduced in 2.8.3 or another recent update. Again, untrue. This issue had existed in the codebase for some time, but was only recently discovered.

Finally, almost immediately following this round of talk about security, a malicious little worm started making its way around the web, attacking older installations of WordPress. Versions 2.8.3 and 2.8.4 are not vulnerable to this attack.

The WordPress team at Automattic is very concerned about security, as Matt Mullenweg wrote about here. They’ve introduced the automatic upgrade feature and tried to make upgrading safe and painless, but in the end, there’s only so much they can do. If users choose not to upgrade, install unknown and untrusted plugins, or modify core files, they can expect to have problems in the future.

There are now a number of good security plugins that will scan your WordPress installation (including themes and plugins) for potential security vulnerabilities, but in the end, keeping WordPress and your plugins upgraded is one of the best ways to keep your blog/website safe.
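If you look after more than one blog, the first step in “keep WordPress upgraded” is knowing which installs are still behind. The following script is an added example, not code from this post or from WordPress itself: it reads the `$wp_version` line that every WordPress install keeps in `wp-includes/version.php`, compares it against the 2.8.4 release the post names as patched, and flags anything older. The file paths and file contents below are constructed sample data; point `find_version_files()` at a real web root to audit your own servers.

```python
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Lowest release the post describes as carrying the password-reset fix and
# as not vulnerable to the worm. Raise this as newer releases come out.
MINIMUM_SAFE_VERSION = "2.8.4"

# Constructed sample: what wp-includes/version.php might contain on three
# hypothetical installs. Real files carry more lines; only $wp_version matters here.
SAMPLE_VERSION_FILES: Dict[str, str] = {
    "/var/www/blog-a/wp-includes/version.php": "<?php\n$wp_version = '2.8.1';\n$wp_db_version = 11548;\n",
    "/var/www/blog-b/wp-includes/version.php": "<?php\n$wp_version = '2.8.4';\n",
    "/var/www/blog-c/wp-includes/version.php": "<?php\n// version line missing or tampered with\n",
}

# Matches the PHP assignment line, e.g.  $wp_version = '2.8.4';
_VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.MULTILINE)


def parse_version(php_source: str) -> Optional[str]:
    """Return the version string from version.php, or None if no $wp_version line exists."""
    match = _VERSION_RE.search(php_source)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.8.4' (or '2.9-beta1') into a comparable tuple of integers.

    Any pre-release suffix after '-' is dropped, so '2.9-beta1' sorts as 2.9.
    """
    numeric_part = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", numeric_part))


def is_outdated(version: str, minimum: str = MINIMUM_SAFE_VERSION) -> bool:
    """True when the install is older than the minimum patched release."""
    return version_tuple(version) < version_tuple(minimum)


def audit(version_files: Dict[str, str], minimum: str = MINIMUM_SAFE_VERSION) -> Dict[str, str]:
    """Classify each install as 'outdated', 'current' or 'unknown' (no parsable version)."""
    report: Dict[str, str] = {}
    for path, source in version_files.items():
        version = parse_version(source)
        if version is None:
            report[path] = "unknown"
        elif is_outdated(version, minimum):
            report[path] = "outdated"
        else:
            report[path] = "current"
    return report


def find_version_files(web_root: str) -> Dict[str, str]:
    """Collect every wp-includes/version.php under a real web root (not used by the sample run)."""
    return {
        str(p): p.read_text(errors="replace")
        for p in Path(web_root).rglob("wp-includes/version.php")
    }


if __name__ == "__main__":
    # Sample run over the constructed data. Replace with:
    #   audit(find_version_files("/var/www"))
    # to check real installs.
    for path, status in audit(SAMPLE_VERSION_FILES).items():
        print(f"{status:9s} {path}")
```

An install reported as “unknown” deserves a closer look too: a missing or rewritten `version.php` is not normal and is worth treating as a sign that core files were modified, which the post warns against.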
