I love WordPress. The freedom it gives me in terms of both publishing and development has been wonderful. It's provided me a means to provide for myself and my family for almost 8 years now. While I don't agree with everything I see coming from the committers to the core and other areas, I very much respect them and the time, effort, blood, sweat and tears that they give without asking for a return.

But yesterday I learned of something that caused me to pause. Then, as I thought about it and began to see details rolling in and more people found issue with it, it caused something very near to fear. A plugin that is used by a large part of the community, WordPress SEO by Yoast, had a security vulnerability and users were being asked to update immediately. Understandable. While that plugin has not had the best history of updates, as you can read about here, it serves a purpose in the community that is needed. But that wasn't the scary part. Plugins have vulnerabilities sometimes and we patch and update them.

The scary thing, and what caught me most off guard, was that the plugin was updated automatically by the wp.org team. Without my consent. Read that last sentence again. Think about it a second.