Mika Epstein has a way of being super logical and level-headed about everything. She has written a post in defense of the WordPress REST API — one that really applies to security in WordPress in general — that I wish I had written.
I highly recommend reading her entire post. We’ve been paying a lot of attention to security of late, rightly so. But it’s important to keep security in the right frame of mind.
Specifically, I think Mika’s methodology for thinking through security is well summarized in this passage:
Most of us aren’t capable of calculating the risk and reliability of WordPress. Those Six Sigma experts aren’t either. There’s no way I could actually explain well enough how to determine the risk of using WordPress. If I could, I’d start with asking people “What can go wrong if I disable automatic updates?” and “What can go wrong if I don’t disable automatic updates?”
The likelihood of the REST API being vulnerable is a little higher than other aspects of WordPress core, but much lower than plugins and themes. The consequences are generally higher than that of plugins and themes, but there’s an extra factor you must consider.
- How quickly can it be fixed?
If you leave WordPress auto-updates on, then the answer is “As quickly as humanly possible.” And that, I feel, lowers the overall risk.
The infrastructure for automatic updates was introduced in WordPress 3.7, and looking back, I think it was the most consequential decision for the longevity of WordPress as a viable CMS that’s been made to date.
When 3.7 was released, I said this:
Some have been skeptical of auto updates for WordPress, but I embrace them. Really, projects like Chrome and iOS are pushing this concept forward to the mainstream, and it makes sense for WordPress to be able to constantly improve silently as well. People just want their CMS to work. Nobody likes doing updates; no normal people at least. So long term, even major upgrades should get auto update treatment, and I think long term that’s what will happen.
This was a controversial statement at the time, and for some still is today. I stand by it.
WordPress is rightly user-centric. I understand the arguments for disabling auto updates. But the makers of WordPress, and plugins and themes that extend it, are ultimately responsible for ensuring compatible upgrades. Will there be bugs? Issues upgrading sometimes? Yes. Will it be a better, more secure piece of software? Yes.
Without auto updates, vulnerabilities in WordPress would be even more problematic. Even with them, unfortunately, hundreds of thousands of websites have auto updates disabled, leaving them open to hacking and defacement that could easily have been avoided.
The appropriate response is not to disable the feature that had the vulnerability (in the most recent case, the new REST API). In fact, it’s the absolute wrong approach. If the REST API is disabled by default, many of its benefits are then hamstrung, reducing the likelihood people will build things using the API, making it irrelevant, and reducing the likelihood of long term support for it. If off by default, it would die a slow death due to lack of use, and be even more vulnerable.
We should embrace new features, do our best to secure them, and when we fail, fix it fast.
WordPress core has a longstanding commitment to backward compatibility that helps with this entire endeavor. Too many big, important plugins make upgrade routines a significant challenge. We should weigh these decisions carefully when we make them, and provide ample runway and direction to help people upgrade properly when we break back-compat. It’s the only way to ensure trust in auto upgrades — knowing the site won’t completely fall over.
Auto updates, and our insistence to all WordPress users, developers, and hosts that they are pivotal to the success of the platform, are very important. Our stance should be: “Auto updates are how WordPress works. Build your plugins, themes, infrastructure, and processes accordingly.”
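As an added example of building infrastructure “accordingly” (this is not code from the original post or from WordPress itself), here is a hypothetical must-use plugin that keeps background core security releases on even when wp-config.php or another plugin has switched them off, and warns an administrator when something still blocks them. It assumes WordPress 3.7 or later and is dropped into wp-content/mu-plugins/; the filter names are WordPress core’s own.

```php
<?php
/**
 * Plugin Name: Enforce Automatic Core Updates (hypothetical mu-plugin, constructed example)
 * Description: Re-enables background minor/security core updates and flags any remaining blocker.
 */

// AUTOMATIC_UPDATER_DISABLED only seeds the default value passed to this filter,
// so returning false here turns the background updater back on. DISALLOW_FILE_MODS
// is checked before the filter in WP_Automatic_Updater::is_disabled() and cannot
// be overridden from here; the notice below reports that case instead.
add_filter( 'automatic_updater_disabled', '__return_false', PHP_INT_MAX );

// WP_AUTO_UPDATE_CORE likewise only seeds the defaults behind these filters.
// Minor in-branch releases (e.g. 4.7.1 -> 4.7.2) are where vulnerability fixes ship,
// so force those on. Major releases are left to the site owner to stage.
add_filter( 'allow_minor_auto_core_updates', '__return_true', PHP_INT_MAX );
// add_filter( 'allow_major_auto_core_updates', '__return_true', PHP_INT_MAX );

// Show a loud admin notice if updates are still blocked, so an operator notices
// rather than silently running an unpatched site.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_core' ) ) {
        return;
    }
    if ( ! class_exists( 'WP_Automatic_Updater' ) ) {
        require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    }
    $updater = new WP_Automatic_Updater();
    if ( ! $updater->is_disabled() ) {
        return; // Background updates are active; nothing to report.
    }
    $reason = ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
        ? 'DISALLOW_FILE_MODS is set in wp-config.php'
        : 'the automatic updater is disabled by a filter or constant';
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( "Background core updates are off ($reason). Security releases will not be applied automatically." )
    );
} );
```

Hosts that manage core through a deployment pipeline and deliberately set DISALLOW_FILE_MODS should instead make sure that pipeline applies minor releases at least as quickly as the background updater would.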
There’s a target on every WordPress website. You can’t be a quarter or more of the web without that target. Every potential exploit, once made public — and there will be many — will be taken advantage of. Rapid upgrades are pivotal.
WordPress will be safer. The web will be safer. It’s the right call.