Okay, people, if you are running any version of WordPress older than
2.3.3 *, you need to upgrade now. Seriously. WordPress 2.3.3 and older have security holes that are being actively exploited by hackers to inject spam links into blogs which are not maintained. And search engines like Technorati are de-listing hacked blogs. Are you listening now? Do I have your attention? Upgrade your web apps before you get hacked and your site drops off the search-engine radar.
While the Technorati article specifically talks about WordPress sites, this goes for any web application. You need to pay attention to updates which are released, and upgrade whenever a security probem is fixed. WordPress gets particular attention due to its popularity and the sheer number of installed sites out in the wild. But it is no more or less secure than any other similar web application. So whatever you’re running, keep it up-to-date.
And the same goes for any add-ons — if you install third-part plugins or themes, make sure you keep up with updates. WordPress 2.5 makes updating plugins easier than ever. Review your Plugins page from time to time, and pay attention when it tells you that a newer version of a plugin is available.
I see comments from people all the time saying that they don’t want to upgrade because it might break this theme or that plugin that they have installed. To those people, I say, GET OVER IT. The security of your site is important. If some theme or plugin is not compatible with a newer version of WordPress, ask the author politely to update it. Or find a replacement. Or live without it. I have in excess of 25 plugins active here. But there’s not one of them that I would hesitate to deactivate when it comes to security of my site.
There are several ways to keep up with new WordPress releases. The Dashboard shows you all sorts of news from the WP community, including announcements from the Development Blog. There are several mailing lists. If those lists are too noisy for you, you can get just release announcements by signing up on Freshmeat.net and subscribing to the WordPress Project. I normally submit the Freshmeat update within 24 hours of an official release.
* One exception is WordPress version 2.0.11 (or the 2.0 svn branch, more generally), which is maintained with security updates for the Debian package.