The fallout over the automatic update of Yoast’s WordPress SEO plugin shows the WordPress community is suffering from a severe case of Developer Goggles.

Background

Yesterday (March 11th, 2015) Joost de Valk released a security update to the popular WordPress SEO plugin, currently running on over 1 million WordPress sites around the world. The release came after a responsible disclosure by Ryan Dewhurst of the WPScan team that detailed a significant and serious vulnerability in the plugin that could allow a hacker direct access to your database. In the immediate wake of the update, several hosting companies specializing in WordPress either started automatically updating hosted sites running the plugin or put safeguards in place to prevent hacker incursions.

Automatic Update

A few hours after the initial release, the WordPress.org team started rolling out an automatic (“forced”) update to all sites running the plugin. This means that if you are using the WordPress SEO plugin, you are now running the latest secure point-release version, whether you updated it manually or not. In other words, your WordPress site is safe.

While not entirely unprecedented, this is a rare occurrence. Reportedly such