We at the New School blog use WordPress with some plugins. Recently, Alex brought up the question of how we manage to stay up to date. It doesn’t seem that WordPress has a security announcements list, nor do any of our plugins.
So I asked Twitter “What’s the best way to track security updates for wordpress + plugins? I don’t want to have to look at the dashboards daily.” Zot O’Helpful responded “Wait until your site is hacked, then update.” Mark Adams commented that “I discussed WP recently with @markstanislav. We concluded that vulns are most likely to be in plugins, not the core.” Which is fine as far as it goes, but the vulns are more likely to be discovered in the core, and more likely to be widely exploited there.
But the question remains: how do others keep up with WordPress admin duties?
For bonus points, don’t discuss why WordPress doesn’t have a security announcements blog, Twitter stream, mailing list or anything else.