WordPress tends to take a light-handed approach when it comes to managing the legions of plugins that are compatible with the most popular blogging platform on the planet. This time, however, they’re taking a different approach. They’re forcing a security update to counter a dangerous bug in a wildly popular plugin that’s being used by more than a million websites around the world.
The plugin in question is Loginizer, which was designed to help websites fight back against brute force attacks by blocking the login function for a given IP address once a certain threshold of login retries has been reached.
It’s an indispensable plugin, honestly, but researchers discovered a fatal flaw in it in the form of an SQL injection issue. The issue could have allowed a hacker to take complete control over the site running the older version of the plugin, thus, WordPress’ decisive action, which forces an update on everyone who uses it.
While we normally don’t approve of such heavy-handed measures, in this particular instance, we feel it was justified. Had the company not taken the action it did, users would have been slow to update the plugin, and many may not have updated at all, or even been aware there was an issue. This way, everyone is protected, and it happened quickly, in an organized manner.
In an ideal world, some other solution could have been implemented, but then, in an ideal world, hackers wouldn’t abuse security flaws and loopholes in the first place. Here, WordPress made the best of a number of bad decisions and took swift decisive action designed to keep their massive user base safe and protect their brand image. While it’s less than ideal, we applaud the company for their efforts.
If you use the plugin in question, just be aware that you’re getting an update whether you want one or not. In this case, that’s probably not a bad thing.