I feel sorry for the WordPress developers, but I feel even more sorry for their users.
Over the past year WP users who have been keeping track of updates etc., have had to update and upgrade their installs so many times that it's not funny.
The way I see it WordPress users fall, broadly speaking, into two main categories:
Casual users want a CMS to use for their website or blog. They like the way it's easy to install and they've heard good things about it. Lots of webhosts offer easy installers for WordPress.
Lots of designers like working with the WordPress templates.
Neither the casual user or the designer is going to be signed up for security alerts from Secunia or Security Focus or any of the other security sites.
Geek users are probably more likely to play with stuff and are probably going to install lots of plugins.
Now a hardcore geek might check into the source of a plugin to see if the code is "sane", but the average blog jockey probably isn't that concerned with security.
They're not going to worry about the security holes that CMS with php code in its templates could actually cause.
Why would they?
So WordPress has had security issues in the past.
Surely the latest version resolves all of these?
Surely a major update would bring more than just eye candy?
According to Security Focus WP 2.5 is open to SQL injections.
What does that mean in English?
It means, simply, that an evil person could inject data into your blog's database ie. content
There's a longer article discussing some of the implications over here with some back and forth between the author and Mr WordPress - Matt Mullenweg.
In typical fashion Mullenweg tries to attack the author instead of addressing user concerns.
A simple "we aren't aware of any issues" or something along those lines would have been so much more graceful, but no, that was not the case.
I'm no longer a WordPress user, so I can't tell first hand, but is there a glaring big flashing light going off on WP installs if the software is out of date and needs to be upgraded to address security issues? Is there?
Open X has had that for ages. It practically forces you to upgrade as soon as you login to an out of date install. They also don't mind telling users about security holes, instead of adding them as an afterthought.
Now whether or not the latest security hole is a real danger or not is irrelevant. It doesn't matter. Seriously.
What does matter is that people trusted WordPress, but are now being embarrassed when their sites are defaced or hijacked
Transparency and honesty nearly always win out and taking a proactive stance on webapp security should be part and parcel of any developer's modus operandi. Shiny interfaces may help the bubble 2.0 crowd, but when the bubble bursts it would be nice to see things with a proper foundation.
(And WP isn't the only webapp with a dire security history - I'm looking at you Joomla and you PhpBB)