Clearly, WordPress is making some people lovely amounts of money.
I recently approached a web designer/consultant to see if his WordPress customers would be interested in managed, secure installations of WordPress.
He suggested they had zero interest. They were interested in paying a few USD per month for hosting and he was interested in a WordPress install that was fully compatible with a default install. His idea of securing a WordPress install was to install security plugins.
I’ve always assumed the automatic update is used by people who manage their own, very simple, WordPress installations (typically people whose sysadmin skills may be limited). That said, the solution offered to such users should be secure and, considering it’s relatively easy to implement, it’s odd that the WordPress team haven’t improved things.
Speaking of which, it’s quite scary how many times I’ve seen successful “web agencies” who don’t use good tooling to manage the WordPress installations they deploy for clients…
Having worked for a couple of agencies I can tell you that, outside of the developers, no one knows how WordPress works, or cares. It’s a tool that does its job of making websites and getting the customer to pay.
I’m kinda surprised the WordPress community hasn’t leveraged containers a little bit more. I’d think that you could put together a reasonably secure, locked-down WordPress environment using Docker fairly easily, given the built-in isolation between components and what is allowed to be accessed from the outside.
Note that I realize that the benefits containers bring to the table are not in any way related to the vulns raised in this article.