Upgrade or else!

One thing I haven’t figured out is how to tell whether my WordPress install has been hacked using the pre-2.3.3 exploits.

I upgraded to 2.5 last night from 2.3.2; is that sufficient to fix any potential hacks that might have occurred? Or do I have to go ferret them out and remove them (whatever they are)? If I do, how do I do so?

Although, digging a little deeper, it sounds like it’s not clear anyone else knows how to do this, either, but the Weblog Tools Collection hopes to figure it out and post some tips on it sometime.

Hi yes if a plugin doesn’t work it is not so necessary,

but if you can’t use your blog after upgrade to wp2.5 it does matter,

wp 2.5 is only for people who have the newest webspace and best provider ..

regards

Monika

Haven’t you noticed that each new iteration of Wordpress introduces 2 security holes for every one it “fixes”? Sure, upgrade. And then in a few weeks you’ll be hearing about the horrible security holes introduced in THAT version of WP and how you must “upgrade” immediately etc etc – and it goes on and on forever. I’d like the WP developers to try to get right for once instead of concentrating on new features most people don’t care about anyway.

I upgraded from 2.0.??? to 2.5 for just this reason. Well, the security issue, not the Technorati issue. I use a theme that I customized without issue, save for having to replace an older plugin with one that worked with 2.5 for the fancy-schmantzy titles and cleaning up some code for the TimeOfDay plugin that gives a generalized time instead of the precise time the post/page was published. But, in the end, neither of those were absolutely required to run my blogs. They were *wants* not *needs*.
Frankly, I’m curious as to what other breakage might occur with themes outside of customization like that. After all, it was customized once, so it can be customized again. And, I’d never go live with something that I hadn’t tested anyway. At least, not if it was truly important. If *my* customization was important enough to worry about, then it’s *my* responsibility to test it properly before committing to it on *my* live site.

Upgrading is too complicated for me. I wait until everything is totally bug free, as I can’t afford to figure out bugs/plugin incompatibilities etc. I’d rather have an old version. I’m waiting for a oneclick upgrade.

I’m OK with waiting since 2.3.3 doesn’t have any security issues (as far we know). Just like another poster stated, as soon as we upgrade, there’s a bug fix 2 or 3 months later. I don’t think that it is dire to upgrade right now unless other people are using older versions of wordpress with known security issues. I know I want to upgrade, but I want to upgrade a stable version of 2.5. Waiting a couple of months or more isn’t unreasonable. I understand what you’re saying but a lot of us like to sit back and wait and make sure.

There is a one click upgrade, via the Automatic Upgrade plugin. worked perfectly for me. Alas, 2.5 is broken in one important respect. It seems to prevent uploading and using images in many cases. I’m still waiting for a fix to that, and I cannot go back to the older version.

um… interesting customer service approach.

Maybe the ‘get over it’ should be:

“Wordpress doesn’t Work.”

Glad to read that 2.3.3 is still alright (for the moment) One of my non WP blogs has just been upgraded (by me) to Wordpress 2.5. I’m having trouble with the admin interface already – where’s the ummm… Plugin Options page? The interface used to be so intuitive >_< I don’t think I’m a newbie user of WP, but this has me quite baffled! (*is aware that there are alternative interfaces available for d/l*
)
The other one will still stay at 2.3.3 for the moment. Like others have pointed out, for some websites, the plugin makes up alot of the site content. I know for a fact that this doesn’t quite apply to my current site (but does to another one in development) but I still don’t want to go through the hassle of 2.5 only to have to patch it to 2.5.1 immediately because of upload issues etc.

I gave in and upgraded, coward that I am, I’d been hoping to wait a bit longer, but I decided to be brave and just do it. It’s incredible, I love it. Even the theme I lovingly cobbled together last year didn’t break. I did a little dance at my desk, I was that thrilled.. there’s just one little problem, it’s not much but wanted to ask on the off chance there is something I can do to resolve it? On the dashboard, the link to “view site” floats over the link to “write” posts. I’d appreciate any info.. though I could live with it if I have to.

OH yes, I upgraded one of my blogs to 2.5. Hated it. The admin inteface seems designed to favor promotion of the developers blog feeds over functionality to the nth degree. I’m staying with 2.3.3 on the rest of them unless they make some major changes in the 2.5x series.

Note to developers of WP: When I go there, I’m mostly there to to admin my own blog, not read the commercials for YOURS.

Also, try making a bug free version FIRST. Worry about more semi-useless features LATER, k?

So far I haven’t run into any trouble going from 2.33 to 2.5 in the ten blogs I’ve upgraded so far. But backup your database first, just in case!

I’m all for upgrading to 2.3.3, but my multiple attempts to move numerous sites to 2.5 have revealed a major issue with the new flash uploader – sometimes it works, and sometimes it doesn’t. It seems particularly difficult to track down whether this is a flash issue, a browse issue, a WordPress issue, or a server issue. I’ve seen all of the above possibilities discussed on the bug tracker and on the forums. No one seems to be able, as of yet, to clearly nail it down so that it can be fixed. Of the several suggested “fixes”, some work for some installation, others work for some other installation, and none of them seem to work for some people.

Until this is tracked down and dealt with, as much as I love the new 2.5 back end, I can’t use it. If you *do* upgrade past 2.3.3 to 2.5, make sure you leave yourself a regression strategy should you encounter this. Hopefully, you will have no problems but you should know that, as of today, if you *do* encounter this problem you *may* not be able to fix it just now.

That said, everybody go update to *at least* version 2.3.3. PAX!

Interesting that I am only now discovering that wp 2.3.3 is such an easy hack. Why was this kept secret before?

And I can only assume that 2.5 has similar security holes that are being kept a secret also.

Ok, but why don’t you just release a patch for those who are unable to upgrade? The security issue you’re talking about sound like just a piece of file not the whole system. Please try to realize that some theme is not easy to fix and not all people have that capacity.

I upgraded to 2.5, from 2.1.3, no errors other than a minor mostly cosmetic problem in my dashboard. My cobbled together theme didn’t break. I checked each of my posts and comments, they all survived. I can post, I tested my plugins, all with the exception of one orked. Checked for an updated version and there was one available to work with 2.5, I’m a happy camper.

BTW, my WP blogs have never been hacked. I’m careful of course where I have gotten my themes and plugins in the past. I read up on things before installing them as we’ve all been warned to do so.

Per usual, WP is a dream to use and feel confidence in..

I see you are looking for a replacement for XAMPP. Been there. Try wampserver (www.wampserver.com/en/). It’s much better.

@ Cody – Happy to answer your question.

Remember I have more than one blog so I can readily see the difference. In 2.3.3 and earlier, everything I needed to know about my blogs’ status – from incoming links to spam queues to Firestats staistitcs was all in a convenient sidebar on the first screen. Not only does the “improved” Admin interface take up more screens (at 1280×1024) but it provides LESS information about my blog. NOW – with 2.5, I get to hunt for some of the information that used to be right in front of me …and Firestats (users take note) isn’t on there at all anymore. Oh the information is still available, but not on the admin page. I have to click the Firestats tab if I want to know about incoming links or hit count.

Yes, the developer’s blog spam was always there, but now the boxes are bigger and take up more space, plus we’ve now added a spam about what plugins are the most popular. In other words, more blogvertising and less information all around. That’s my opinion. You asked, so there you go. Thumbs down on 2.5!

I’d like to comment about a previous comment that states

“Haven’t you noticed that each new iteration of Wordpress introduces 2 security holes for every one it “fixes”? Sure, upgrade. And then in a few weeks you’ll be hearing about the horrible security holes introduced in THAT version of WP and how you must “upgrade” immediately etc etc – and it goes on and on forever. I’d like the WP developers to try to get right for once instead of concentrating on new features most people don’t care about anyway.”

Improvement or progress can’t exist without a problem that someone tries to fix or improve upon. That is, finding bugs or inconsistencies in software is not really a bad thing since, by nature, it serves to improve the software and the user’s experience in the long run (as long as they are fixed, and by user we really mean the person that uses and/or utilizes the created resource).

There is much more to fixing software bugs than people think of. “How was the bug found?” or “Can it be reproduced?” or “How many does the bug affect?” or even better “Is the bug fix going to cost more to fix than will be lost by letting it ride for a while?”.

Here’s a loose example:
You run a factory that produces widgets and are running at full capacity bringing in $1,000,000 per day. The current demand runs around $2,000,000 per day worth of product. The software team comes along and presents data that proves that the factory can double capacity with some software improvements that can be introduced seamlessly.
So you approve the software improvement, the team finishes their work, but they notice a minor bug in the system just after they roll out the new and improved system. The software team knows where the bug is and are able to fix it. It will take three days to fix but the factory will have to shut down for those three days to fix it.

Do you build a second factory or shut the factory down and wait for the bug to be fixed (costing $3,000,000)?

If it were me I think I’d let the bug slide for a while and develop a way to seamlessly fix the bug later on and keep that revenue coming in. That is, after all, what pays those software guys in the first place…

Updated

Upgrading themes can take awhile, sometimes they change just a little thing in the templates but I like to make sure none of my custom templates will be broken. I’ve always waited at least 3 days after a release to upgrade. I’ve seen lots of Open Source apps come out with a patch 1 or 2 days later because they found a major security hole, or forgot an important file or forgot to update something. Nothing against open source apps or any of the developers, things happen, and its very understandable. Some apps change very fast which can be good or bad. Good in that new features are being added, and bad in that you have to update constantly.

ok

Found this post AFTER upgrading to 2.5 because … my 2.3.3 blog was attacked just as you mention in your post – not once, but twice in the past month. The first attack was barely noticeable since the injected code was just added to my existing code. I only caught it because the title was made blank and the categories were set to misc. That was an easy fix.

A month or so later the entire contents of a post were replaced, leaving only the title. Comments were disabled for that post.

I saw reports of SQL injection attacks and figured I should upgrade.

Fortunately, I only have two plugins enabled (SecureImage and Force Word Wrapping) and they seem to be working fine. As well my theme seems to be ok.

Of course, now that I’ve upgraded and read that there were no major fixes from 2.3.3 to 2.5 … am I going to get hacked again?

“I see comments from people all the time saying that they don’t want to upgrade because it might break this theme or that plugin that they have installed. To those people, I say, GET OVER IT. The security of your site is important. If some theme or plugin is not compatible with a newer version of WordPress, ask the author politely to update it. Or find a replacement. Or live without it. I have in excess of 25 plugins active here. But there’s not one of them that I would hesitate to deactivate when it comes to security of my site.”

Umm, yeah, as long as actual content isn’t affected. For some, this analogy might hold: Your OS vendor puts out a new version to fix security. But the upgrade will disable 50% of the keys on your keyboard. Do you upgrade regardless? Depends on how you use the computer and what you do with it, I guess. For some the plugins make WP. I use WP because it makes the process easier, but I could just go back to writing my own pages and avoid using WP, ya know, for security reasons.

Anyhow, here’s to hoping 2.5 prevents the injection attacks.

For those that are more concerned about their plugin compatibility than security: Your plugins won’t count for squat if your site is hacked. A new lock installed on your front door may require effort on your part to install, but if your house is robbed you will expend a great deal more effort. Simple risk analysis. Plus, if your hacked site is used to attack other sites, you’re going to risk upsetting many other admins who take the time to do the right thing. It makes you look stupid. But maybe you think stupid looks good on you.

For those that complain about the number of bugs in new WordPress releases: Last I checked WordPress was free. But that’s still not enough for the Entitlement crowd. By golly, some want PERFECT SOFTWARE DELIVERED RIGHT EVERY TIME (AND FREE, FREE, FREE)! Perhaps you should code your own blog software then. This is exactly the attitude that will weaken free software & open source projects. Generous developers will eventually decide that they can’t please all the whining freeloaders all the time and will eventually (and rightfully) retire to the Bahamas for some much needed downtime.

Props to the WordPress development team! I’ve never seen an easier tool to manage my website with or so easily upgrade. I’m proud to use it and brag to others that I use it. Thanks for giving so many of us a voice in the wilderness.

I installed WP 2.5 fresh on my site and loved the new features so much that I convinced my client to upgrade his site. It was a breeze, even though he was running something like 2.2.* Thanks for this article warning about the dangers of not upgrading. I will keep this in mind with my work with WP as well as other applications and plugins!