When it comes to the problems with cyber security, one of the issues we see is that the wrong people often get the blame for its poor state.
WordPress frequently gets unfairly criticized in a security context, while in a lot of ways they are really at the forefront of improving the security of web software. Take, for example, the automatic background updates feature that was released back in WordPress 3.7, which allows security fixes to be applied to millions of websites quickly without requiring any user interaction.
On the other side are security companies that in a lot of cases seem to care little for security and in some cases seem to be peddling falsehoods to increase their profits. One recent example where a security company didn’t seem to care about security was Trend Micro, which had a password manager included with their antivirus software that had incredibly severe security issues.
We bring these two examples up because they come together in something we noticed recently. Trend Micro’s blog is currently running an outdated and insecure version of WordPress:
WordPress 4.5.1 was released on April 26 and 4.5.2, which fixed two security issues, was released on May 6.
Seeing as those versions would normally have been applied automatically within hours of their release due to the automatic background updates feature, either Trend Micro unwisely disabled that feature or some bug is stopping that from happening in their case. If it is the latter, then Trend Micro could actually help to improve the security of WordPress websites by working with the WordPress developers to resolve that, so that others impacted by the issue could also start getting updates.
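One way a site owner could check the first of those possibilities on their own install is to audit wp-config.php for the constants WordPress honors for turning background updates off. This is an added example, not code from this post or from WordPress; the function names and the sample file are made up for illustration, and it does not see updates disabled through a filter in a plugin or theme.

```python
import re

# define( 'NAME', value ); as it appears in wp-config.php
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")

def parse_defines(config_text):
    """Return {constant: value} for active (not commented-out) define() calls."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)  # drop block comments
    consts = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#")):  # whole line is commented out
            continue
        for name, raw in DEFINE_RE.findall(line):
            if raw.lower() in ("true", "false"):
                consts[name] = raw.lower() == "true"  # PHP boolean literal
            else:
                consts[name] = raw.strip("'\"")  # string or number, kept as text
    return consts

def php_truthy(value):
    """Approximate PHP truthiness for a parsed constant value."""
    if isinstance(value, bool):
        return value
    return value not in ("", "0")

def audit_auto_updates(config_text):
    """List settings in a wp-config.php that stop background security updates."""
    consts = parse_defines(config_text)
    findings = []
    for name in ("AUTOMATIC_UPDATER_DISABLED", "DISALLOW_FILE_MODS"):
        if name in consts and php_truthy(consts[name]):
            findings.append(f"{name} is set: all background updates are disabled")
    # Only the boolean false turns core updates off; 'minor' keeps security releases.
    if consts.get("WP_AUTO_UPDATE_CORE") is False:
        findings.append("WP_AUTO_UPDATE_CORE is false: core updates are disabled")
    return findings

# Constructed sample, not taken from any real site.
SAMPLE = """<?php
define( 'DB_NAME', 'example' );
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
/* define( 'DISALLOW_FILE_MODS', true ); */
define('WP_AUTO_UPDATE_CORE', false);
"""

if __name__ == "__main__":
    for finding in audit_auto_updates(SAMPLE) or ["no update-blocking constants found"]:
        print(finding)
```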
Looking at the source code of the blog’s homepage, you can see that at least one of their plugins is also not up to date:
<!-- This site is optimized with the Yoast SEO plugin v3.2.3 - https://yoast.com/wordpress/plugins/seo/ -->
The latest version of the Yoast SEO plugin is 3.2.5 and that version fixed a very low severity security issue (the current version of that plugin has at least one other security issue that is fairly obvious if you look into the vulnerability that was fixed).