Upgrade or else!


UPDATE 2008-04-16: Well crud. I was just re-reading the WP 2.5 announcement post for something else, and spotted a bit about security updates between 2.3.3 and 2.5. So my previous advice about 2.3.3 being okay was incorrect. This is one of the areas where I disagree with the core development team — if it was up to me, there would be a 2.3.4 security release for those who have good reasons why they can’t upgrade to 2.5 right now.

Okay, people, if you are running any version of WordPress older than 2.5* (originally this said 2.3.3; see the update above), you need to upgrade now. Seriously. WordPress 2.3.3 and older have security holes that are being actively exploited by hackers to inject spam links into blogs which are not maintained. And search engines like Technorati are de-listing hacked blogs. Are you listening now? Do I have your attention? Upgrade your web apps before you get hacked and your site drops off the search-engine radar.

While the Technorati article specifically talks about WordPress sites, this goes for any web application. You need to pay attention to updates which are released, and upgrade whenever a security problem is fixed. WordPress gets particular attention due to its popularity and the sheer number of installed sites out in the wild. But it is no more or less secure than any other similar web application. So whatever you’re running, keep it up-to-date.

And the same goes for any add-ons — if you install third-party plugins or themes, make sure you keep up with updates. WordPress 2.5 makes updating plugins easier than ever. Review your Plugins page from time to time, and pay attention when it tells you that a newer version of a plugin is available.

I see comments from people all the time saying that they don’t want to upgrade because it might break this theme or that plugin that they have installed. To those people, I say, GET OVER IT. The security of your site is important. If some theme or plugin is not compatible with a newer version of WordPress, ask the author politely to update it. Or find a replacement. Or live without it. I have in excess of 25 plugins active here. But there’s not one of them that I would hesitate to deactivate when it comes to security of my site.

There are several ways to keep up with new WordPress releases. The Dashboard shows you all sorts of news from the WP community, including announcements from the Development Blog. There are several mailing lists. If those lists are too noisy for you, you can get just release announcements by signing up on Freshmeat.net and subscribing to the WordPress Project. I normally submit the Freshmeat update within 24 hours of an official release.

* One exception is WordPress version 2.0.11 (or the 2.0 svn branch, more generally), which is maintained with security updates for the Debian package.
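A small version audit, added here as an example and not part of the original post: it reads the `$wp_version` assignment that WordPress core keeps in wp-includes/version.php and the `Version:` header line that plugins declare in their main file, then reports anything below a minimum you set (2.5 for core, per the post). The sample file contents and plugin names are constructed, and the per-plugin minimums are hypothetical.

```python
import re

# Core declares its version in wp-includes/version.php as $wp_version = '2.3.3';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# Plugins declare theirs in the file header comment, e.g. "Version: 1.2"
PLUGIN_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
PLUGIN_NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)

def parse_version(text):
    """'2.3.3' -> (2, 3, 3); tuples compare numerically, so (2, 3, 3) < (2, 5) < (2, 5, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def core_version(version_php):
    m = WP_VERSION_RE.search(version_php)
    return m.group(1) if m else None

def plugin_info(plugin_php):
    """(plugin name, declared version) from a plugin's main file; None where missing."""
    name = PLUGIN_NAME_RE.search(plugin_php)
    ver = PLUGIN_VERSION_RE.search(plugin_php)
    return (name.group(1) if name else None, ver.group(1) if ver else None)

def audit(version_php, plugins, min_core, min_plugins):
    """Return (component, installed, required) for everything below its minimum.
    plugins: {file name: contents}; min_plugins: {plugin name: minimum version}.
    A plugin with no Version header is reported with installed=None; plugins
    without a stated minimum are skipped."""
    findings = []
    core = core_version(version_php)
    if core is None or parse_version(core) < parse_version(min_core):
        findings.append(("WordPress core", core, min_core))
    for fname, body in plugins.items():
        name, ver = plugin_info(body)
        label = name or fname
        required = min_plugins.get(label)
        if required is None:
            continue
        if ver is None or parse_version(ver) < parse_version(required):
            findings.append((label, ver, required))
    return findings

# Constructed sample inputs (not taken from any real install):
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.3.3';\n"
SAMPLE_PLUGINS = {
    "example-stats.php": "<?php\n/*\nPlugin Name: Example Stats\nVersion: 1.0\n*/\n",
    "site-widgets.php": "<?php\n/*\nPlugin Name: Site Widgets\n*/\n",
}
MIN_CORE = "2.5"  # the floor the post recommends (the footnoted 2.0 branch aside)
MIN_PLUGINS = {"Example Stats": "1.2", "Site Widgets": "0.9"}  # hypothetical floors

def run_sample():
    return audit(SAMPLE_VERSION_PHP, SAMPLE_PLUGINS, MIN_CORE, MIN_PLUGINS)

if __name__ == "__main__":
    for comp, have, need in run_sample():
        print(f"UPGRADE {comp}: installed {have}, minimum {need}")
```

Point it at a real install by reading wp-includes/version.php and each plugin's main file from wp-content/plugins into the two arguments.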


87 Comments

  1. Adrian says:

    Hey Dougal, I know you recommend everyone upgrade to 2.5 in this post, but it looks like 2.5 had a critical cookie vulnerability, so people who are finding this post through Google and other search engines should know that if they have old versions they should probably just upgrade to the NEWEST version of WordPress.

    -Adrian

  2. Christina says:

    Well, this is a useful blog to read!! I totally agree, it’s better if we all update than being spammed unless you have the latest version of WordPress!!

  3. Me says:

    I’ve given 2.5 and then 2.5.1 a shot and I’ve decided that I don’t like the flash uploader thing at all. Why use flash for something that used to work just great without it before?

    I don’t like the new layout of the dashboard screens either. Everything’s in the wrong place, some things have been re-named and in general it’s made just about everything into more of a PITA than I would have believed.

    I am now giving serious consideration to rolling back to 2.3.3 until there is a plugin or patch for 2.5.x that will at least give it the same look and feel as 2.3.3

  4. [...] geek ramblings » Upgrade or else!furniture Bulgaria: [...]

  5. [...] WordPress 2.5.1 is out, with a slew of bug fixes and one “very important security fix” which will reportedly be disclosed soon. It’s worth upgrading ASAP. You don’t want your blog hacked. [...]

  6. [...] geek ramblings » Upgrade or else! – There’s pressure going around for everyone to upgrade WordPress. The main reason is that the earlier versions are vulnerable to attacks and SPAM. It’s so serious that some search engines are stopping indexing old versions of Wor [...]

  7. [...] everyone who emails me when they see ads showing up in my entries. I DON’T HAVE ADS.) She sent me here and I braved the upgrade. I’ll let you know if I hate myself for it [...]

  8. nytexan says:

    In a word WordPress 2.5 “sucks”

    I upgraded to 2.5 two days ago from 2.3.3 and then I reinstalled 2.3.3. With 2.5 I had continual script errors when writing a post or loading the write page. Not to mention the major design flaws…like putting the delete post button next to the save post button.

    I was also very annoyed at the amount of e-mails from my daily readers about their script error problems with loading the blog.

    Technorati is the least of my concerns since they screwed everything with their 180 day rule and revised algorithms last year. They have about as many complaints as WordPress 2.5.

    Regarding my page ranking on Google, it’s very good. So your “or else” argument is really not credible.

  9. tim from Radio Clash says:

    Yes having gone through the horror and lost about 5 hours because I upgraded to 2.5 I’d rather wait and see if 2.5.1 is better.

    As a podcaster having my RSS feed working is slightly important, so the fact that the supposedly ‘finished’ WordPress zaps my feed in the new config, well I’d rather have something working and take the risk, rather than something flaky like the new WP.

    And can you switch off those awful nags? Yes I know I ‘should’ upgrade but I also know I ‘should’ have a working blog. Sort it out.

  10. [...] upgrade was smooth and mostly painless… as Dougal says “Upgrade or Else“. Indeed, while most of the spam was non-destructive, a handful of older posts seem to have [...]

  11. Alex says:

    Deleting websites from search engines is a very good way to let people upgrade their site.

  12. chris says:

    Ugh — what about sites running WordPress MU… They have really dropped the ball on supporting that one!

  13. Andrew says:

    Hi Dougal,
    I recently blogged about a similar topic to yourself here, and a number of readers commented that their installation of WP 2.3.3 was hacked. It appears more like it is a server hack than a WordPress hack, but I thought I’d let you know. Keith from unTECHy mentioned it to me in his post (http://www.untechy.com/huge-exploit-in-wordpress)

  14. [...] not to upgrade can have some serious consequences for your site, and one of those is being taken out of the Technorati indexation [...]

  15. Tay says:

    Agree with the author, security is not a major concern until your site has been intruded.

    I prefer to use as few plug-ins as possible to avoid upgrade problems. However, WP 2.5 comes with auto-upgrade plug-in functionality. It’s awesome!

  16. Danny says:

    The plugins I use are vital to the function of my blog, to the way information is posted and presented. My blog would be markedly inferior without a couple of them and could hardly be the same. Most of the plugins, sure, they represent conveniences I could live without, but a couple of them are crucial enough that I prefer not to upgrade and live with the risk, because those plugins are reported not to work with upgrades.

    It’s a rock and a hard place.

    FWIW, I posted a similar comment earlier… but it’s not here. Not sure if that is because of moderation, deletion, or pilot error.

  17. Sid Roberts says:

    I’ve only read a few comments but it seems that it’s a fight between the average Joe, who can’t fix the bugs, and the developers, who can. I’m of the latter group so upgrading is no problem but for the average Joe, they possess neither the time nor the knowledge to sift through the code – it’d just be easier not to upgrade.

    I don’t think it’s better to wait till a later version for bug fixes because the code differences will be even greater so there’s a greater chance of plugin/theme incompatibilities. Instead, I’d recommend checking the compatibility of the plugins and themes installed and upgrading based on that information.

    And with any big upgrade like this, always check on a local installation!

  18. Lee Doyle says:

    I love it. I 100% agree!

    I blog for some big blogs who are still running 2.3.1 and no matter how many times I tell them they will NOT upgrade.

    Hope people listen!

  19. Will Anderson says:

    I installed WP 2.5 fresh on my site and loved the new features so much that I convinced my client to upgrade his site. It was a breeze, even though he was running something like 2.2.* Thanks for this article warning about the dangers of not upgrading. I will keep this in mind with my work with WP as well as other applications and plugins!

  20. Danny says:

    I would like to upgrade. I am eager to upgrade.

    But I have some plugins that are key to the way my blog functions, and I gather that they have not been updated to work with newer versions of WP. For example, if I did not have “Postie” and “Category Visibility” plug-ins, my blog would be a different and much inferior place. I simply do not know how to do some very important things that my blog does without those plugins.

    The risk of them not working with an upgrade is higher to me than the risk of being hacked.

  21. Christopher Vera says:

    For those that are more concerned about their plugin compatibility than security: Your plugins won’t count for squat if your site is hacked. A new lock installed on your front door may require effort on your part to install, but if your house is robbed you will expend a great deal more effort. Simple risk analysis. Plus, if your hacked site is used to attack other sites, you’re going to risk upsetting many other admins who take the time to do the right thing. It makes you look stupid. But maybe you think stupid looks good on you.

    For those that complain about the number of bugs in new WordPress releases: Last I checked WordPress was free. But that’s still not enough for the Entitlement crowd. By golly, some want PERFECT SOFTWARE DELIVERED RIGHT EVERY TIME (AND FREE, FREE, FREE)! Perhaps you should code your own blog software then. This is exactly the attitude that will weaken free software & open source projects. Generous developers will eventually decide that they can’t please all the whining freeloaders all the time and will eventually (and rightfully) retire to the Bahamas for some much needed downtime.

    Props to the WordPress development team! I’ve never seen an easier tool to manage my website with or so easily upgrade. I’m proud to use it and brag to others that I use it. Thanks for giving so many of us a voice in the wilderness.

  22. [...] Inspiración | Geek Ramblings [...]

  23. Network Geek says:

    I think one thing that people are missing on this is where the responsibility falls. If the problem is with a customization done to the trunk software, how is that the problem of the developers? I mean, let’s be reasonable here. The developers can’t write code *and* test it with every single available plugin. And, frankly, I think it’s unreasonable to ask them to do so.

    I have a test installation of WordPress, both locally and on my webhost, so that I can verify everything works the way I want it to work *before* I let it go live. As an owner/operator of a website, it is *MY* responsibility to test the software that I use before I make it live on my site. If it doesn’t work the way I want, then I don’t make it live. I tinker with the code in a test environment until I’m satisfied, then I make it live.

    If that’s too much work, then there’s always WordPress.com, where they test things for me. In fact, one very nice young lady I know on-line moved her blog there because it was too much work for her, even with my help. Now, she seems quite satisfied with how it all works. No problem.

    So, what’s the issue people are having problems with? Is it just too much work to test new software before using it? Seriously?

  24. Derek Vadneau says:

    Found this post AFTER upgrading to 2.5 because … my 2.3.3 blog was attacked just as you mention in your post – not once, but twice in the past month. The first attack was barely noticeable since the injected code was just added to my existing code. I only caught it because the title was made blank and the categories were set to misc. That was an easy fix.

    A month or so later the entire contents of a post were replaced, leaving only the title. Comments were disabled for that post.

    I saw reports of SQL injection attacks and figured I should upgrade.

    Fortunately, I only have two plugins enabled (SecureImage and Force Word Wrapping) and they seem to be working fine. As well my theme seems to be ok.

    Of course, now that I’ve upgraded and read that there were no major fixes from 2.3.3 to 2.5 … am I going to get hacked again?

    “I see comments from people all the time saying that they don’t want to upgrade because it might break this theme or that plugin that they have installed. To those people, I say, GET OVER IT. The security of your site is important. If some theme or plugin is not compatible with a newer version of WordPress, ask the author politely to update it. Or find a replacement. Or live without it. I have in excess of 25 plugins active here. But there’s not one of them that I would hesitate to deactivate when it comes to security of my site.”

    Umm, yeah, as long as actual content isn’t affected. For some, this analogy might hold: Your OS vendor puts out a new version to fix security. But the upgrade will disable 50% of the keys on your keyboard. Do you upgrade regardless? Depends on how you use the computer and what you do with it, I guess. For some the plugins make WP. I use WP because it makes the process easier, but I could just go back to writing my own pages and avoid using WP, ya know, for security reasons.

    Anyhow, here’s to hoping 2.5 prevents the injection attacks.

  25. AriK says:

    One of the reasons why non-English WP sites don’t get upgraded quickly is the delay in translation. Usually it is one volunteer (per language) who tries to keep up with WP releases (+plugin releases). In my native language the latest translated WP version is 2.2.3. Waiting for the 2.5…

    I feel that Automattic could do a nice job in enabling some sort of collaborative on-line translation facility for new versions of WP. I know that there would be several local volunteers capable of sharing the work load, but we haven’t found a practical way of doing it on-line, in a distributed manner.

    Any hints how we could make it happen?

  26. Scyfox says:

    Sorry to say but I have to stick with 2.3.3 because my hosting doesn’t use Apache… it has light… and 2.5 doesn’t work well if you don’t update light to 1.5 beta… which in my case they won’t do until final release….

    DAMN!

  27. jive says:

    Upgrading themes can take a while, sometimes they change just a little thing in the templates but I like to make sure none of my custom templates will be broken. I’ve always waited at least 3 days after a release to upgrade. I’ve seen lots of Open Source apps come out with a patch 1 or 2 days later because they found a major security hole, or forgot an important file or forgot to update something. Nothing against open source apps or any of the developers, things happen, and it’s very understandable. Some apps change very fast which can be good or bad. Good in that new features are being added, and bad in that you have to update constantly.

  28. Sarah says:

    Until last week I ran 2.2.x because, well, I just roll that way. Personally, I think that if you’re going to get hacked… you’ll get hacked regardless of which version of WordPress you’re using.

    Saying that, 2.5’s posting page does render a LOT quicker than 2.2’s did and seems less bandwidth hungry… speaking as someone who pays for stuff like that… bonus :)

  29. [...] Upgrade or else!: Okay, people, if you are running any version of WordPress older than 2.3.3*, you need to upgrade [...]

  30. [...] a good number of changes done both behind the scenes as well as with the user interface, though the security upgrades seem to be the most [...]

  31. [...] been running this blog on WordPress 2.2.x for some time now, but after reading several warnings about Technorati (and possibly others) planned index exclusion of vulnerable blogs [...]

  32. [...] has been said about the inadequate security of old versions of WordPress. It was even announced that Technorati will not index vulnerable [...]

  33. [...] like Technorati, are starting to react. Mark Ghosh over at the Weblog Tools Collection and Dougal Campbell at G33k Ramblings both wrote about an announcement from Technorati, one of the larger blog search engines, announced [...]

  34. Retirement Blog says:

    I’m one of those that got hacked. The title of my site referred to someone else’s site. It took me a full day to figure out how to fix my site. In the end I discovered that someone was manipulating the “All in One SEO” plugin. I deactivated the plug-in, I can live without it, and the problem was resolved.

    Instead of upgrading to a newer version (2.5 was about to be released), I replaced my xmlrpc.php with the newer version. And everything seems to be fine. Although my last upgrade went fine, I’m always queasy about doing upgrades. I’m going to give 2.5 a few more weeks before I upgrade.

    Hope the Info helps.

  35. [...] There’d been numerous reports of security issues with earlier versions of the application (this is but the latest), so I simply had apache and mysql turned off as a preventive measure. Yes, it [...]
