Drupal security updates generally come out on Wednesdays, to make scheduling predictable for everybody. WordPress security notices come out... well, whenever whichever feed you subscribe to bothers to announce something.
Today's notices showed some striking differences between the two communities.
Drupal module vulnerabilities
There were 4 Drupal contributed modules flagged with security bulletins. Of these 4, 3 were not fixed -- the module code was yanked from Drupal.org, and now any site that uses any of these modules gets a big red warning: "Unsupported module in use!" These were all modules I had never heard of; they are not in widespread use, and they have now been clearly marked as dangerous.
The 4th security update, it turns out, covered a vulnerability that had actually been fixed over 2 years ago, but the fix had never been released in a "stable" release. The vulnerability did look like a ridiculously easy-to-exploit, dangerous chunk of code, and it only affected the Drupal 7 version of the module.
Searching our sites, I found we did not have any Drupal 7 sites using this module, but we did have 2 Drupal 6 sites that actively used it. So I rolled up my sleeves and looked at the code to find that the affected sections were not present in the Drupal 6 version, which solved the problem in a different way.
Unlike Drupal, WordPress has no single source of notifications for plugin vulnerabilities. There are multiple companies that do security assessments, each with their own conclusions, and none of them is able to signal to the wider WordPress community that a plugin is problematic.
We subscribe to several of these community feeds -- and the tale we get is full of drama, conflicting stories, firms calling out each other for misleading information... and basically you're on your own when it comes to determining whether you're using a safe set of plugins.
But today took the cake:
We recommend that you uninstall the Captcha plugin immediately from your site. Based on the public data we’ve gathered, this developer does not have user safety in mind and is very likely a criminal actor attempting yet another supply chain attack.
... that's from a WordFence blog post outlining a security vulnerability they've highlighted in a plugin that was removed from the WordPress Plugin Repository -- not because of the security hole, but because of a trademark infringement issue. The WP Vulnerability Database shows it had a back door in it until release 4.4.5. WordFence is apparently unconvinced that the plugin is trustworthy at all, because the new maintainers have included similar backdoors in other plugins they manage.
Just to clarify what these backdoors do: they allow anybody who knows the "secret handshake" to knock on your WordPress site's door, log in as a site admin, and remove the evidence that they have done so.
It does get worse... Another of our regular sources, Plugin Vulnerabilities, has found over 6000 current installations of an actively attacked plugin that was removed from the Plugin Repository a year and a half ago, and was abandoned 4 years ago.
No wonder WordPress has such a bad security reputation!
If you're running a WordPress site, and not actively using a security service or watching the security lists, your site is at risk! Our WordPress protection plan is a must for making sure site updates get done, with testing on development copies, and with solid backup management so we can recover if you have any issues.
Of course, we have a Drupal plan too...