Dougal Campbell's geek ramblings

WordPress, web development, and world domination.

Upgrade or else!

UPDATE 2008-04-16: Well crud. I was just re-reading the WP 2.5 announcement post for something else, and spotted a bit about security updates between 2.3.3 and 2.5. So my previous advice about 2.3.3 being okay was incorrect. This is one of the areas where I disagree with the core development team — if it was up to me, there would be a 2.3.4 security release for those who have good reasons why they can’t upgrade to 2.5 right now.

Okay, people, if you are running any version of WordPress older than 2.5* (this originally read 2.3.3; see the update above), you need to upgrade now. Seriously. WordPress 2.3.3 and older have security holes that are being actively exploited by hackers to inject spam links into blogs which are not maintained. And search engines like Technorati are de-listing hacked blogs. Are you listening now? Do I have your attention? Upgrade your web apps before you get hacked and your site drops off the search-engine radar.

While the Technorati article specifically talks about WordPress sites, this goes for any web application. You need to pay attention to updates which are released, and upgrade whenever a security problem is fixed. WordPress gets particular attention due to its popularity and the sheer number of installed sites out in the wild. But it is no more or less secure than any other similar web application. So whatever you’re running, keep it up-to-date.

And the same goes for any add-ons — if you install third-party plugins or themes, make sure you keep up with updates. WordPress 2.5 makes updating plugins easier than ever. Review your Plugins page from time to time, and pay attention when it tells you that a newer version of a plugin is available.

I see comments from people all the time saying that they don’t want to upgrade because it might break this theme or that plugin that they have installed. To those people, I say, GET OVER IT. The security of your site is important. If some theme or plugin is not compatible with a newer version of WordPress, ask the author politely to update it. Or find a replacement. Or live without it. I have in excess of 25 plugins active here. But there’s not one of them that I would hesitate to deactivate when it comes to security of my site.

There are several ways to keep up with new WordPress releases. The Dashboard shows you all sorts of news from the WP community, including announcements from the Development Blog. There are several mailing lists. If those lists are too noisy for you, you can get just release announcements by signing up on Freshmeat and subscribing to the WordPress Project. I normally submit the Freshmeat update within 24 hours of an official release.

* One exception is WordPress version 2.0.11 (or the 2.0 svn branch, more generally), which is maintained with security updates for the Debian package.
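As an added example (not code from the post or from the WordPress project), here is a small audit script that encodes the post's upgrade policy so it can be run against a web root instead of checked by eye. It reads `wp-includes/version.php`, a real file in every WordPress release that sets `$wp_version`, and reports whether the install is older than 2.5, with the one exception the footnote allows for the Debian-maintained 2.0 branch at 2.0.11 or later. The minimum versions are constants taken from the post; the sample `version.php` contents at the bottom are constructed for the demonstration.

```python
"""Check a WordPress web root against the upgrade policy stated in the post.

Policy (from the post): anything older than 2.5 must be upgraded, except the
Debian-maintained 2.0 branch, which is acceptable at 2.0.11 or later.
"""
import re
import sys
from pathlib import Path

MINIMUM_VERSION = (2, 5)          # from the post's updated advice
DEBIAN_BRANCH_MINIMUM = (2, 0, 11)  # footnote: maintained 2.0 svn branch

# Matches the assignment WordPress ships in wp-includes/version.php,
# e.g.  $wp_version = '2.5';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_version(text: str) -> tuple:
    """'2.3.3' -> (2, 3, 3); a trailing tag such as '-beta1' is ignored."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_from_source(php_source: str) -> str:
    """Extract the $wp_version string from the contents of version.php."""
    match = VERSION_RE.search(php_source)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def read_wp_version(webroot: Path) -> str:
    """Read the installed core version from <webroot>/wp-includes/version.php."""
    return version_from_source((webroot / "wp-includes" / "version.php").read_text())


def needs_upgrade(version: str) -> bool:
    """True when the post's advice says this install must be upgraded."""
    v = parse_version(version)
    # Debian-maintained 2.0 branch: acceptable from 2.0.11 onwards.
    if v[:2] == (2, 0) and v >= DEBIAN_BRANCH_MINIMUM:
        return False
    # Tuple comparison handles 2.5 vs 2.5.1 correctly: (2, 5, 1) >= (2, 5).
    return v < MINIMUM_VERSION


def audit(webroot: Path) -> dict:
    """Return a small report; 'action' is what the site owner should do."""
    version = read_wp_version(webroot)
    return {
        "version": version,
        "needs_upgrade": needs_upgrade(version),
        "action": "upgrade now" if needs_upgrade(version) else "ok, keep watching for releases",
    }


# Constructed sample: what version.php looks like on an unmaintained 2.3.2 install.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.3.2';\n$wp_db_version = 6124;\n"


if __name__ == "__main__":
    # Usage: python wp_version_audit.py /path/to/webroot
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if root is None:
        print("sample:", version_from_source(SAMPLE_VERSION_PHP),
              "needs upgrade:", needs_upgrade(version_from_source(SAMPLE_VERSION_PHP)))
    else:
        print(audit(root))
```

Run with a web root as the argument to audit a real install; without one it evaluates the constructed sample. Because the comparison is on integer tuples, 2.5.1 and later pass and 2.3.3 fails, which is the policy of the updated post rather than the original one.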

About Dougal Campbell

Dougal is a web developer, and a "Developer Emeritus" for the WordPress platform. When he's not coding PHP, Perl, CSS, JavaScript, or whatnot, he spends time with his wife, three children, a dog, and a cat in their Atlanta area home.
This entry was posted in Blogs, WordPress, Security, Search.

95 Responses to Upgrade or else!

  1. Pingback: WordPress 2.3.2 and older have security holes - upgrade now « propaganda press : PPP Civic or yuh life Guyana!

  2. I always try to upgrade as soon as possible, but for a major upgrade like WP 2.5 I first install it at a local server.
    Security of my site and of my visitors is one of the most important things.

  3. Pingback: » Possible Massive Blog Hacking Scheme Unearthed? (Fiat Lux)

  4. One thing I haven’t figured out is how to tell whether my WordPress install has been hacked using the pre-2.3.3 exploits.

    I upgraded to 2.5 last night from 2.3.2; is that sufficient to fix any potential hacks that might have occurred? Or do I have to go ferret them out and remove them (whatever they are)? If I do, how do I do so?

    Although, digging a little deeper, it sounds like it’s not clear anyone else knows how to do this, either, but the Weblog Tools Collection hopes to figure it out and post some tips on it sometime.

  5. Chewru Guru says:

    I’m on the fence of whether to upgrade from 2.3.3 to 2.5. You really trivialize plug-ins, but for some, they’re essential components. The problem I’ve had is that there was no smooth transition to 2.5. There were only minor incompatibilities from the 2.2-2.3x versions.. but 2.5 is a different beast and has indeed broken some themes and plug-ins. While I agree that security is of top importance, people that have worked on branding their image can’t just up and change themes. Plug-in authors typically work for little or no pay, and because all of us appreciate their hard work and volunteering spirit to add to the WordPress community, it’s easy to understand if they can’t get to updating a plug-in for a couple months.

    That said, I think sticking with 2.3.3 for a lot of us is a good strategy until 2.5 (and soon 2.51) gets caught up with all the plug-in writers. Like your site, ours has 25+ plugins and I really don’t want to have to sacrifice -any of them- simply to run the latest version if 2.3.3, is, in fact, a relatively secure solution.

    I think your call to arms for upgrading is important for older users, no doubt, but unless a major exploit for 2.3.3 is discovered I think I’m going to hang in there for a little longer. What I really wanted to see the most was a major speed improvement in 2.5, but so far in my benchmarks I don’t see anything significant. Granted, my main site has almost 60 posts and all those plugins, so testing 2.3.3 against 2.5 on a barebones site with a few plugins may not exactly be telling the whole story.

  6. Monika says:

    Hi yes if a plugin doesn’t work it is not so necessary,

    but if you can’t use your blog after upgrade to wp2.5 it does matter,

    wp 2.5 is only for people who have the newest webspace and best provider ..

  7. Pingback: PsychoPhil - Beer is History

  8. Pi says:

    Like many, I suspect, I am waiting for 2.5.1. So far there is no indication – despite frequently asking here and elsewhere – whether themes will break with 2.5, and I really do not want to have to settle for a theme which doesn’t suit my site whilst waiting for theme makers, who do an excellent but little blessed job, to catch up. Some have, after all, tens of themes to work through.


  9. Pingback: als Spamer geflaggt wegen …

  10. C. L. Pagani says:

    Haven’t you noticed that each new iteration of WordPress introduces 2 security holes for every one it “fixes”? Sure, upgrade. And then in a few weeks you’ll be hearing about the horrible security holes introduced in THAT version of WP and how you must “upgrade” immediately etc etc – and it goes on and on forever. I’d like the WP developers to try to get right for once instead of concentrating on new features most people don’t care about anyway.

  11. dkaye says:

    Once I’m confident all 41 plugins I’m currently using will work or have suitable replacements, then I’ll upgrade. Until then, I guess I’ll have to remain at-risk.

  12. Network Geek says:

    I upgraded from 2.0.??? to 2.5 for just this reason. Well, the security issue, not the Technorati issue. I use a theme that I customized without issue, save for having to replace an older plugin with one that worked with 2.5 for the fancy-schmantzy titles and cleaning up some code for the TimeOfDay plugin that gives a generalized time instead of the precise time the post/page was published. But, in the end, neither of those were absolutely required to run my blogs. They were *wants* not *needs*.
    Frankly, I’m curious as to what other breakage might occur with themes outside of customization like that. After all, it was customized once, so it can be customized again. And, I’d never go live with something that I hadn’t tested anyway. At least, not if it was truly important. If *my* customization was important enough to worry about, then it’s *my* responsibility to test it properly before committing to it on *my* live site.

  13. Chris says:

    I was going to argue with you, then I realized I’m using 2.3.3 on all of my blogs, so I guess I was excluded in the first paragraph. Still, I think you might be overstating things slightly.

  14. Upgrading is too complicated for me. I wait until everything is totally bug free, as I can’t afford to figure out bugs/plugin incompatibilities etc. I’d rather have an old version. I’m waiting for a oneclick upgrade.

  15. Cody says:

    I don’t think I’ll ever understand why people don’t upgrade. Sure, the newer versions are different. But they’re also more secure. The goal isn’t to have software that’s completely impervious to hacking. That’s essentially impossible. The goal is to stay one (or more) steps ahead of the exploiters, and you can’t do that if you stick with outdated software.

  16. Keishon says:

    I’m OK with waiting since 2.3.3 doesn’t have any security issues (as far as we know). Just like another poster stated, as soon as we upgrade, there’s a bug fix 2 or 3 months later. I don’t think that it is dire to upgrade right now unless other people are using older versions of wordpress with known security issues. I know I want to upgrade, but I want to upgrade a stable version of 2.5. Waiting a couple of months or more isn’t unreasonable. I understand what you’re saying but a lot of us like to sit back and wait and make sure.

  17. Dougal says:

    Note: I didn’t say that you need to upgrade to WordPress 2.5 right now. As far as I know, there were no security fixes between versions 2.3.3 and 2.5. So if you need to hold off on the 2.5 upgrade, you should be fine, as long as you make sure you’re up to version 2.3.3 (or have updated/removed any vulnerable files from older versions).

    The jump from 2.3.3 to 2.5 is significant, and yes, there will be a 2.5.1 update coming out Real Soon Now. But to the best of my knowledge, version 2.3.3 is safe. So if you need to hold off on the 2.5 upgrade for now, you should be fine.

  18. Pingback: Upgrade or Else! «

  19. Jeremy says:

    There is a one click upgrade, via the Automatic Upgrade plugin. worked perfectly for me. Alas, 2.5 is broken in one important respect. It seems to prevent uploading and using images in many cases. I’m still waiting for a fix to that, and I cannot go back to the older version.

  20. Pingback: Vulnerabilità della sicurezza di WordPress

  21. Pingback: Interactive Media Tips » Blog Archive » Upgrade Your Installations… now.

  22. On the subject of upgrades, why not putting out patches for security vulnerabilities the moment they are fixed, instead of pushing new versions out?

  23. pete says:

    um… interesting customer service approach.

    Maybe the ‘get over it’ should be:

    “WordPress doesn’t Work.”

  24. Here in Brazil there’s a lot of blogs that didn’t update yet because of incompatibility problems related to plugins and themes. I think this is the major barrier to the upgrade of the core WP installation. So I think in a short period of time most of the frequently updated blogs that use WP will be using the 2.5 version.

  25. Mosey says:

    Glad to read that 2.3.3 is still alright (for the moment) :) One of my non WP blogs has just been upgraded (by me) to WordPress 2.5. I’m having trouble with the admin interface already – where’s the ummm… Plugin Options page? The interface used to be so intuitive >_< I don’t think I’m a newbie user of WP, but this has me quite baffled! (*is aware that there are alternative interfaces available for d/l*
    The other one will still stay at 2.3.3 for the moment. Like others have pointed out, for some websites, the plugin makes up a lot of the site content. I know for a fact that this doesn’t quite apply to my current site (but does to another one in development) but I still don’t want to go through the hassle of 2.5 only to have to patch it to 2.5.1 immediately because of upload issues etc.

  26. mike rubbo says:

    I find I deeply resent the changes made in 2.5. They don’t seem to benefit me, a simple intuitive user, at all, and just mean there are things I can’t do, or don’t see how to do.

    The most important example is replying to comment. Our blog gets lots of comments and a big feature was being able to hit the edit button and leave a comment to the comment. Readers really liked being responded to personally. Why on earth would this be taken away?

    If I am just not seeing how to do it, could someone explain? Mike

  27. Mares says:

    I gave in and upgraded, coward that I am, I’d been hoping to wait a bit longer, but I decided to be brave and just do it. It’s incredible, I love it. Even the theme I lovingly cobbled together last year didn’t break. I did a little dance at my desk, I was that thrilled.. there’s just one little problem, it’s not much but wanted to ask on the off chance there is something I can do to resolve it? On the dashboard, the link to “view site” floats over the link to “write” posts. I’d appreciate any info.. though I could live with it if I have to.

  28. Kelson says:

    @Jeremy, are you using the Bad Behavior plugin? If so, update to 2.0.14 and that should take care of it.

    The new image uploader uses Flash if available. A lot of spambots pretend to be “Shockwave Flash”, and until now there was no normal reason for a Flash app to be accessing your blog, so Bad Behavior was blocking it.

  29. Pingback: Vulnerable Software and Vindictive Search Engines | Blueprint Design Studio

  30. C. L. Pagani says:

    OH yes, I upgraded one of my blogs to 2.5. Hated it. The admin interface seems designed to favor promotion of the developers blog feeds over functionality to the nth degree. I’m staying with 2.3.3 on the rest of them unless they make some major changes in the 2.5x series.

    Note to developers of WP: When I go there, I’m mostly there to to admin my own blog, not read the commercials for YOURS.

    Also, try making a bug free version FIRST. Worry about more semi-useless features LATER, k?

  31. Cody says:

    @C. L. Pagani: What are you talking about? The developer feeds are only on the lower half of the dashboard page. And that’s it. Recent Comments, Incoming Links, and Stats are all above the Development Blog feed and Other News section. And those have been there in every version of WP I’ve used.

  32. So far I haven’t run into any trouble going from 2.33 to 2.5 in the ten blogs I’ve upgraded so far. But backup your database first, just in case!

  33. gordon says:

    I wrote about one of the exploits on my blog a little while ago and also what I did to deal with it. I also wrote a short follow-up to it, too. A number of people have found it useful, so you might want to check it out.

    Hope this helps! :)

  34. Pingback: Scattered » Upgrade or else? - Wordpress 2.2.2 Security Issue

  35. rlparker says:

    I’m all for upgrading to 2.3.3, but my multiple attempts to move numerous sites to 2.5 have revealed a major issue with the new flash uploader – sometimes it works, and sometimes it doesn’t. It seems particularly difficult to track down whether this is a flash issue, a browser issue, a WordPress issue, or a server issue. I’ve seen all of the above possibilities discussed on the bug tracker and on the forums. No one seems to be able, as of yet, to clearly nail it down so that it can be fixed. Of the several suggested “fixes”, some work for some installation, others work for some other installation, and none of them seem to work for some people.

    Until this is tracked down and dealt with, as much as I love the new 2.5 back end, I can’t use it. If you *do* upgrade past 2.3.3 to 2.5, make sure you leave yourself a regression strategy should you encounter this. Hopefully, you will have no problems but you should know that, as of today, if you *do* encounter this problem you *may* not be able to fix it just now.

    That said, everybody go update to *at least* version 2.3.3. PAX!

  36. Mike Huang says:

    I agree…every blogger using WordPress should take the plunge and upgrade. I actually upgraded and caused errors all over my blog. I fixed it for a day, but still received some errors. Eventually, I did a “overwrite all files” install and everything worked great. Certain plugins gave huge errors, but I also deactivated them. So far, I love 2.5!


  37. mark knowles says:

    Interesting that I am only now discovering that wp 2.3.3 is such an easy hack. Why was this kept secret before?

    And I can only assume that 2.5 has similar security holes that are being kept a secret also.

  38. WP 2.5 should be released in a better way than with so many hiccups. First fix that before pushing people into a release that is far from finished.

  39. Pingback: What Da Phuk! » Blog Archive » Upgrade Time

  40. n-blue says:

    Ok, but why don’t you just release a patch for those who are unable to upgrade? The security issue you’re talking about sound like just a piece of file not the whole system. Please try to realize that some theme is not easy to fix and not all people have that capacity.

  41. Greg McAbee says:

    You have to upgrade or it is just a matter of time to get hacked. As I see it the three progressions of a web page are:

    1. Need Hits, Need to get noticed.
    2. Getting Notice – Some hits coming in.
    3. Oh shoot I’m famous. Now every hacker in the world and script kiddy will POWN me.

    Not a typo. You do not want your site powned. I made the mistake of running a PHPBB Forum site once and the hackers hacked through that to get to the WordPress site. And believe me, once you’re hacked once, they leave things behind to get back in later.

    The sinking feeling of opening your web site. Only to find all of your work destroyed by a Turkish Muslim hacker who left his email and does not care is a terrible feeling.

    When I upgraded the ONLY thing that kept working was WordPress and PodPress. My Downloads plug-in I use to send free Audio Bibles all over the world stopped. Four plug-ins had to be re-installed after they were brought up to speed. Thankfully the fixes were already there.

    I got rid of a plugin that stopped working. And added a new one that only works in the new version. There are really two schools of thought. Wait and See and Do it now.

    I like to do it now. Please don’t take this the wrong way as I am learning to respect everyone. But the feeling of logging in my Christian Site only to see the Muslim Star that my site was powned. I’m sticking with the Do it now plan.

    As for the critics who are crying to get it right. Sorry it doesn’t work that way. Even the best companies out there realize if new products do not go out the door you get stale. No one wants yesterday’s stale stuff.

    I Love WordPress. It is simple. And helps me send the Gospel everywhere. It fits in my price range so I don’t complain very much. Thanks to everyone involved with WordPress!

  42. Pingback: Blog do Cleuby

  43. Mares says:

    I upgraded to 2.5, from 2.1.3, no errors other than a minor mostly cosmetic problem in my dashboard. My cobbled together theme didn’t break. I checked each of my posts and comments, they all survived. I can post, I tested my plugins, all with the exception of one worked. Checked for an updated version and there was one available to work with 2.5, I’m a happy camper.

    BTW, my WP blogs have never been hacked. I’m careful of course where I have gotten my themes and plugins in the past. I read up on things before installing them as we’ve all been warned to do so.

    Per usual, WP is a dream to use and feel confidence in..

  44. Mares says:

    oops, that was meant to say upgraded to 2.5 from 2.3.1. All I can say is the caffeine isn’t working it’s magic this morning. 😉

  45. Eats Wombats says:

    I see you are looking for a replacement for XAMPP. Been there. Try wampserver. It’s much better.

  46. Uncle Che says:

    Generally, updated apps are always far more advanced in every aspect than previous versions. I knew and understood that but I was skeptical because I thought sidebar management was complicated in WP 2.5. Thank God I got over it. I am now upgraded and happy.

  47. Pingback: Jason’s Random Thoughts » Blog Archive » Stop Trying To Scare Us Into An Upgrade!

  48. C. L. Pagani says:

    @ Cody – Happy to answer your question.

    Remember I have more than one blog so I can readily see the difference. In 2.3.3 and earlier, everything I needed to know about my blogs’ status – from incoming links to spam queues to Firestats statistics was all in a convenient sidebar on the first screen. Not only does the “improved” Admin interface take up more screens (at 1280×1024) but it provides LESS information about my blog. NOW – with 2.5, I get to hunt for some of the information that used to be right in front of me …and Firestats (users take note) isn’t on there at all anymore. Oh the information is still available, but not on the admin page. I have to click the Firestats tab if I want to know about incoming links or hit count.

    Yes, the developer’s blog spam was always there, but now the boxes are bigger and take up more space, plus we’ve now added a spam about what plugins are the most popular. In other words, more blogvertising and less information all around. That’s my opinion. You asked, so there you go. Thumbs down on 2.5!

  49. Roland says:

    there will be a 2.5.1 update coming out Real Soon Now

    In my opinion 2.5 was released too early, now all users are forced to go through the hassle of updating multiple times within a very short time period. Thank god I create my own patchfile to update my installations. But for those that have multiple, heavily changed installations the update process is frustrating.

    I also agree with C.L. Pagani, the new “improved” admin panel is a pain. I am not interested in the most popular plugins or the latest post from the development blog. If i want to read those things i’ll go look for them.

  50. John Hines says:

    I’d like to comment about a previous comment that states

    “Haven’t you noticed that each new iteration of WordPress introduces 2 security holes for every one it “fixes”? Sure, upgrade. And then in a few weeks you’ll be hearing about the horrible security holes introduced in THAT version of WP and how you must “upgrade” immediately etc etc – and it goes on and on forever. I’d like the WP developers to try to get right for once instead of concentrating on new features most people don’t care about anyway.”

    Improvement or progress can’t exist without a problem that someone tries to fix or improve upon. That is, finding bugs or inconsistencies in software is not really a bad thing since, by nature, it serves to improve the software and the user’s experience in the long run (as long as they are fixed, and by user we really mean the person that uses and/or utilizes the created resource).

    There is much more to fixing software bugs than people think of. “How was the bug found?” or “Can it be reproduced?” or “How many does the bug affect?” or even better “Is the bug fix going to cost more to fix than will be lost by letting it ride for a while?”.

    Here’s a loose example:
    You run a factory that produces widgets and are running at full capacity bringing in $1,000,000 per day. The current demand runs around $2,000,000 per day worth of product. The software team comes along and presents data that proves that the factory can double capacity with some software improvements that can be introduced seamlessly.
    So you approve the software improvement, the team finishes their work, but they notice a minor bug in the system just after they roll out the new and improved system. The software team knows where the bug is and are able to fix it. It will take three days to fix but the factory will have to shut down for those three days to fix it.

    Do you build a second factory or shut the factory down and wait for the bug to be fixed (costing $3,000,000)?

    If it were me I think I’d let the bug slide for a while and develop a way to seamlessly fix the bug later on and keep that revenue coming in. That is, after all, what pays those software guys in the first place…
