Dougal Campbell's geek ramblings

WordPress, web development, and world domination.

Upgrade or else!

UPDATE 2008-04-16: Well crud. I was just re-reading the WP 2.5 announcement post for something else, and spotted a bit about security updates between 2.3.3 and 2.5. So my previous advice about 2.3.3 being okay was incorrect. This is one of the areas where I disagree with the core development team — if it was up to me, there would be a 2.3.4 security release for those who have good reasons why they can’t upgrade to 2.5 right now.

Okay, people, if you are running any version of WordPress older than 2.5*, you need to upgrade now. Seriously. WordPress 2.3.3 and older have security holes that are being actively exploited by hackers to inject spam links into blogs which are not maintained. And search engines like Technorati are de-listing hacked blogs. Are you listening now? Do I have your attention? Upgrade your web apps before you get hacked and your site drops off the search-engine radar.

While the Technorati article specifically talks about WordPress sites, this goes for any web application. You need to pay attention to updates which are released, and upgrade whenever a security problem is fixed. WordPress gets particular attention due to its popularity and the sheer number of installed sites out in the wild. But it is no more or less secure than any other similar web application. So whatever you’re running, keep it up-to-date.

And the same goes for any add-ons — if you install third-party plugins or themes, make sure you keep up with updates. WordPress 2.5 makes updating plugins easier than ever. Review your Plugins page from time to time, and pay attention when it tells you that a newer version of a plugin is available.

I see comments from people all the time saying that they don’t want to upgrade because it might break this theme or that plugin that they have installed. To those people, I say, GET OVER IT. The security of your site is important. If some theme or plugin is not compatible with a newer version of WordPress, ask the author politely to update it. Or find a replacement. Or live without it. I have in excess of 25 plugins active here. But there’s not one of them that I would hesitate to deactivate when it comes to security of my site.

There are several ways to keep up with new WordPress releases. The Dashboard shows you all sorts of news from the WP community, including announcements from the Development Blog. There are several mailing lists. If those lists are too noisy for you, you can get just release announcements by signing up on Freshmeat.net and subscribing to the WordPress Project. I normally submit the Freshmeat update within 24 hours of an official release.

* One exception is WordPress version 2.0.11 (or the 2.0 svn branch, more generally), which is maintained with security updates for the Debian package.
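
The version rule above can be checked across many installs at once. The following is an added example, not code from this post or from WordPress: it reads the `$wp_version` assignment in each `wp-includes/version.php` under a directory and applies the post's thresholds. The function names, status labels and the sample directory tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assignment of $wp_version as found in wp-includes/version.php
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")

def parse_version(text):
    """'2.3.3' -> (2, 3, 3); None if there is no leading numeric version."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def classify(version):
    """Post's rule: older than 2.5 must upgrade, except the 2.0 branch from 2.0.11."""
    v = parse_version(version or "")
    if v is None:
        return "unknown"
    if v[:2] == (2, 0) and v >= (2, 0, 11):
        # A version string cannot prove the Debian security patches are applied.
        return "verify-debian-package"
    return "ok" if v >= (2, 5) else "upgrade"

def scan(root):
    """Return sorted (install_dir, version, status) for each WordPress tree under root."""
    results = []
    for vfile in Path(root).rglob("version.php"):
        if vfile.parent.name != "wp-includes":
            continue  # some other version.php, e.g. inside a plugin
        m = VERSION_RE.search(vfile.read_text(errors="replace"))
        version = m.group(1) if m else None
        results.append((vfile.parent.parent.name, version, classify(version)))
    return sorted(results, key=lambda r: r[0])

def demo():
    """Build a constructed directory tree (sample data, not real sites) and scan it."""
    samples = {"blog-a": "2.3.3", "blog-b": "2.5", "blog-c": "2.0.11", "blog-d": "2.0.10"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in samples.items():
            inc = Path(tmp, name, "wp-includes")
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        return scan(tmp)

if __name__ == "__main__":
    for site, version, status in demo():
        print(f"{site:8} {str(version):8} {status}")
```

An install reported as `verify-debian-package` still needs a manual check that it really is the maintained Debian package and that the package is current.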

About Dougal Campbell

Dougal is a web developer, and a "Developer Emeritus" for the WordPress platform. When he's not coding PHP, Perl, CSS, JavaScript, or whatnot, he spends time with his wife, three children, a dog, and a cat in their Atlanta area home.