Wordpress 3.0.2 security update ... - epo
http://wordpress.org/news/2010/11/wordpress-3-0-2/

======
patio11
You can craft a SQL injection by linking to a blog with the right URL, thus
causing Wordpress to attempt to ping them and, in doing so, directly execute
your SQL statement of choice against the DB.

<http://core.trac.wordpress.org/changeset/16625>

------
lsb
Wordpress has had lots of security issues; see tptacek's comment:
<http://news.ycombinator.com/item?id=1328261>

Given their prioritization of ease-of-use over security, why would anyone want
to run their own WP install, instead of wordpress.com or jekyll (static site) +
disqus?

~~~
tptacek
A reasonable way to get the best of both worlds is to mirror WP content as
static files on a webserver, keeping all of Wordpress --- _all of it_ ---
behind a firewall. Most of WP, besides search and commenting, is amenable to
scraping.

~~~
quicksilver03
How would you do that? Would a simple 'wget --recursive' suffice, or are you
after something more sophisticated?

~~~
euroclydon
Turn on Super Cache which uses the file system.

Spider the site to populate the cache files.

Copy them to a public web directory.

The internal links might not work right out of the box, but I'm sure you could
massage them into shape.
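One way to script the three steps above (warm the cache by spidering, rewrite the
internal links, copy to the public web root), as an added example that is not
part of this thread or of WordPress/Super Cache themselves. The hostnames
`wp.internal` and `blog.example.com`, the directories, and a GNU wget/sed/rsync
toolchain are all assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: publish a firewalled WordPress install as
# static files. Assumed (hypothetical) layout: WP answers only on
# http://wp.internal from this host; the mirror is served as
# https://blog.example.com out of $PUBLIC_DIR. Requires GNU wget, sed, rsync.
set -eu

INTERNAL_URL="${INTERNAL_URL:-http://wp.internal}"
PUBLIC_URL="${PUBLIC_URL:-https://blog.example.com}"
STAGING_DIR="${STAGING_DIR:-/tmp/wp-mirror}"
PUBLIC_DIR="${PUBLIC_DIR:-/var/www/blog}"

# Steps 1+2: spider the internal site. With Super Cache enabled this warms
# its file cache; wget itself writes every fetched page as a static file.
# --convert-links makes in-page links relative; --no-parent keeps the crawl
# on the blog; nothing here is ever run against the public host.
spider_site() {
  wget --mirror --page-requisites --adjust-extension --convert-links \
       --no-parent --directory-prefix="$STAGING_DIR" "$INTERNAL_URL/"
}

# Step 3a (the "massage into shape" part): absolute references that wget
# leaves untouched (canonical tags, feed links, url() in CSS) still name the
# firewalled host. Rewrite them so the mirror never leaks the internal address.
# $2 and $3 must not contain '#' or '&' (sed delimiter / replacement metachar).
rewrite_links() {
  local dir="$1" from="$2" to="$3"
  find "$dir" -type f \( -name '*.html' -o -name '*.xml' -o -name '*.css' \) \
    -exec sed -i "s#${from}#${to}#g" {} +
}

# Number of mirrored files that still mention a given host; used as the
# post-rewrite check (should be 0 for the internal host before publishing).
count_refs() {
  local needle="$1" dir="$2"
  grep -rl --include='*.html' --include='*.xml' --include='*.css' -F \
       "$needle" "$dir" | wc -l | tr -d ' '
}

# Step 3b: copy the cleaned tree to the public web root. --delete removes
# pages that were deleted in WP so they do not linger on the mirror.
publish() {
  mkdir -p "$PUBLIC_DIR"
  rsync -a --delete "$STAGING_DIR/${INTERNAL_URL#*://}/" "$PUBLIC_DIR/"
}

# Full run only when invoked as `./mirror.sh run`, so the functions can also
# be sourced and exercised individually.
if [ "${1:-}" = "run" ]; then
  spider_site
  rewrite_links "$STAGING_DIR" "$INTERNAL_URL" "$PUBLIC_URL"
  [ "$(count_refs "$INTERNAL_URL" "$STAGING_DIR")" = "0" ] || {
    echo "internal host still referenced in mirror; not publishing" >&2
    exit 1
  }
  publish
fi
```

Search and comments are the parts this does not cover, as tptacek notes; the
mirror is read-only, which is the point. The `count_refs` gate before
`publish` is the check worth keeping even if the rest is replaced by Super
Cache's own files.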

------
tibbon
Remember that you can easily use SVN to update your wordpress installations
with a single line. I've yet to have a problem with doing it this way. I wish
they'd move to git officially (I know there are some mirrors), but this does
the trick for the most part. Someday.

------
simonsarris
Thanks muchly for the notice.

------
aschobel
Can anybody recommend a good 3rd party WP hosting service that lets you run
your own custom plugins? I'm tired of spending engineering resources managing
our own WP instance.

