It’s time to rethink how we bundle plugins with WordPress themes, and give our endusers the benefit of the doubt that they are smart enough to do some installations and updates on their own.
It’s a little long and techy, but Leland (@themelab) linked to a very disturbing post about timthumb, a script that resizes images and generates thumbnails for use with themes. The vulnerability is fixed, and anyone who updates the timthumb script would be safe.
“Anyone who updates the timthumb script.” And herein lies the problem: that script has been bundled by theme developers for years. Most of the people who download these themes will never know that they are running an old, vulnerable version of timthumb. Some might not even know how to update these. Some have purchased themes based on memberships that may be expired.
There are millions upon millions of vulnerable copies of the script out there, and not enough technically able users who can update this. There’s a fix for this moving forward, but it’s extremely politically incorrect.
Eliminate, as a matter of choice by theme developers, the bundling of plugins.
Instead, devs should include checks in their theme that look for the required plugins, and display a nag message in the admin linking to the WordPress plugin repository. Something. Anything. But not how it’s done today. Because, once a plugin is in the repo and a vulnerability is found and fixed, the developer can mark it as “updated,” which itself produces a nag message in the admin screen to update the plugin.
The architecture exists for issues like this to be avoided entirely. The counterargument—that “users” are too dumb to install a simple plugin which they can find in the repository without even leaving their own admin screens—is pure bullshit. It’s parochial and condescending for a developer to think this way.
WordPress has taken down technical barriers to entry. Despite that, we all need to call upon users to better themselves: to understand the basic basics of running a WordPress-powered site, no matter how “non-technical” they say they are.