Dougal Campbell's geek ramblings

WordPress, web development, and world domination.

Upgrade or else!

UPDATE 2008-04-16: Well crud. I was just re-reading the WP 2.5 announcement post for something else, and spotted a bit about security updates between 2.3.3 and 2.5. So my previous advice about 2.3.3 being okay was incorrect. This is one of the areas where I disagree with the core development team — if it was up to me, there would be a 2.3.4 security release for those who have good reasons why they can’t upgrade to 2.5 right now.

Okay, people, if you are running any version of WordPress older than 2.5* (originally this said 2.3.3; see the update above), you need to upgrade now. Seriously. WordPress 2.3.3 and older have security holes that are being actively exploited by hackers to inject spam links into blogs which are not maintained. And search engines like Technorati are de-listing hacked blogs. Are you listening now? Do I have your attention? Upgrade your web apps before you get hacked and your site drops off the search-engine radar.

While the Technorati article specifically talks about WordPress sites, this goes for any web application. You need to pay attention to updates which are released, and upgrade whenever a security problem is fixed. WordPress gets particular attention due to its popularity and the sheer number of installed sites out in the wild. But it is no more or less secure than any other similar web application. So whatever you’re running, keep it up-to-date.

And the same goes for any add-ons — if you install third-party plugins or themes, make sure you keep up with updates. WordPress 2.5 makes updating plugins easier than ever. Review your Plugins page from time to time, and pay attention when it tells you that a newer version of a plugin is available.

I see comments from people all the time saying that they don’t want to upgrade because it might break this theme or that plugin that they have installed. To those people, I say, GET OVER IT. The security of your site is important. If some theme or plugin is not compatible with a newer version of WordPress, ask the author politely to update it. Or find a replacement. Or live without it. I have in excess of 25 plugins active here. But there’s not one of them that I would hesitate to deactivate when it comes to security of my site.

There are several ways to keep up with new WordPress releases. The Dashboard shows you all sorts of news from the WP community, including announcements from the Development Blog. There are several mailing lists. If those lists are too noisy for you, you can get just release announcements by signing up on Freshmeat.net and subscribing to the WordPress Project. I normally submit the Freshmeat update within 24 hours of an official release.

* One exception is WordPress version 2.0.11 (or the 2.0 svn branch, more generally), which is maintained with security updates for the Debian package.
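The upgrade rule above (anything older than 2.5 must be upgraded, except the 2.0 branch, where 2.0.11 is acceptable) and the advice to review plugin versions, as an added Python audit script. This is not code from the original post or from the WordPress project. It assumes the core version is read from wp-includes/version.php, which defines `$wp_version`, and that each plugin's version comes from the `Version:` line of its header comment; the file contents, the plugin names other than Bad Behavior, and the "latest known" table are constructed samples that an operator would replace with their own.

```python
"""Offline audit of a WordPress install against the post's upgrade rule."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Cut-offs taken from the post: anything older than 2.5 must upgrade, except the
# 2.0 branch, where 2.0.11 (maintained for the Debian package) is acceptable.
MINIMUM_CURRENT: Version = (2, 5)
LEGACY_BRANCH: Version = (2, 0)
LEGACY_MINIMUM: Version = (2, 0, 11)

# Constructed sample of wp-includes/version.php (the real file sets $wp_version).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.3.2';\n$wp_db_version = 6124;\n"

# Constructed sample plugin files; the header format is WordPress's own.
SAMPLE_PLUGINS: Dict[str, str] = {
    "bad-behavior/bad-behavior-wordpress.php":
        "<?php\n/*\nPlugin Name: Bad Behavior\nVersion: 2.0.13\n*/\n",
    "example-gallery/example-gallery.php":
        "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.2\n*/\n",
}

# Constructed table of the newest version the operator knows about per plugin.
LATEST_KNOWN: Dict[str, str] = {"Bad Behavior": "2.0.14", "Example Gallery": "1.2"}


def version_tuple(text: str) -> Version:
    """'2.3.2' -> (2, 3, 2); a trailing tag such as '-beta1' is dropped."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_core_version(php_source: str) -> Optional[str]:
    """Pull the string assigned to $wp_version out of version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", php_source)
    return m.group(1) if m else None


def core_needs_upgrade(version: str) -> bool:
    """Apply the post's rule: older than 2.5, unless on the maintained 2.0 branch."""
    v = version_tuple(version)
    if v[:2] == LEGACY_BRANCH:
        return v < LEGACY_MINIMUM
    return v < MINIMUM_CURRENT


def parse_plugin_header(php_source: str) -> Optional[Tuple[str, str]]:
    """Return (plugin name, version) from the header comment, or None."""
    name = re.search(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", php_source, re.M)
    ver = re.search(r"^\s*\*?\s*Version:\s*(.+?)\s*$", php_source, re.M)
    if not name or not ver:
        return None
    return name.group(1), ver.group(1)


def audit(core_php: str, plugin_files: Dict[str, str],
          latest_known: Dict[str, str]) -> Dict[str, object]:
    """Report whether core must be upgraded and which plugins lag behind."""
    core = parse_core_version(core_php)
    report: Dict[str, object] = {
        "core": core,
        # An unreadable version file is treated as needing attention.
        "core_needs_upgrade": True if core is None else core_needs_upgrade(core),
        "outdated_plugins": [],
        "unknown_plugins": [],
    }
    for path, src in plugin_files.items():
        header = parse_plugin_header(src)
        if header is None:
            report["unknown_plugins"].append(path)
            continue
        name, installed = header
        latest = latest_known.get(name)
        if latest is None:
            report["unknown_plugins"].append(path)
        elif version_tuple(installed) < version_tuple(latest):
            report["outdated_plugins"].append((name, installed, latest))
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_VERSION_PHP, SAMPLE_PLUGINS, LATEST_KNOWN).items():
        print(f"{key}: {value}")
```

On a real host the two sample strings would be replaced by the contents of wp-includes/version.php and of each file under wp-content/plugins; the "unknown_plugins" list is there so that a plugin with no entry in the operator's table is surfaced rather than silently passed.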

About Dougal Campbell

Dougal is a web developer, and a "Developer Emeritus" for the WordPress platform. When he's not coding PHP, Perl, CSS, JavaScript, or whatnot, he spends time with his wife, three children, a dog, and a cat in their Atlanta area home.
This entry was posted in Blogs, Search, Security, WordPress.

95 Responses to Upgrade or else!

  1. Pingback: WordPress 2.3.2 and older have security holes - upgrade now « propaganda press : PPP Civic or yuh life Guyana!

  2. I always try to upgrade as soon as possible, but for a major upgrade like WP 2.5 I first install it at a local server.
    Security of my site and of my visitors is one of the most important things.

  3. Pingback: » Possible Massive Blog Hacking Scheme Unearthed? (Fiat Lux)

  4. One thing I haven’t figured out is how to tell whether my WordPress install has been hacked using the pre-2.3.3 exploits.

    I upgraded to 2.5 last night from 2.3.2; is that sufficient to fix any potential hacks that might have occurred? Or do I have to go ferret them out and remove them (whatever they are)? If I do, how do I do so?

    Although, digging a little deeper, it sounds like it’s not clear anyone else knows how to do this, either, but the Weblog Tools Collection hopes to figure it out and post some tips on it sometime.

  5. Chewru Guru says:

    I’m on the fence of whether to upgrade from 2.3.3 to 2.5. You really trivialize plug-ins, but for some, they’re essential components. The problem I’ve had is that there was no smooth transition to 2.5. There were only minor incompatibilities from the 2.2-2.3x versions.. but 2.5 is a different beast and has indeed broken some themes and plug-ins. While I agree that security is of top importance, people that have worked on branding their image can’t just up and change themes. Plug-in authors typically work for little or no pay, and because all of us appreciate their hard work and volunteering spirit to add to the WordPress community, it’s easy to understand if they can’t get to updating a plug-in for a couple months.

    That said, I think sticking with 2.3.3 for a lot of us is a good strategy until 2.5 (and soon 2.51) gets caught up with all the plug-in writers. Like your site, ours has 25+ plugins and I really dont want to have to sacrifice -any of them- simply to run the latest version if 2.3.3, is, in fact, a relatively secure solution.

    I think your call to arms for upgrading is important for older users, no doubt, but unless a major exploit for 2.3.3 is discovered I think I’m going to hang in there for a little longer. What I really wanted to see the most was a major speed improvement in 2.5, but so far in my benchmarks I dont see anything significant. Granted, my main site has almost 60 posts and all those plugins, so testing 2.3.3 against 2.5 on a barebones site with a few plugins may not exactly be telling the whole story.

  6. Monika says:

    Hi yes if a plugin doesn’t work it is not so necessary,

    but if you can’t use your blog after upgrade to wp2.5 it does matter,

    wp 2.5 is only for people who have the newest webspace and best provider ..

    :(

    regards

    Monika

  7. Pingback: PsychoPhil - Beer is History

  8. Pi says:

    Like many, I suspect, I am waiting for 2.5.1. So far there is no indication – despite frequently asking here and elsewhere – whether themes will break with 2.5, and I really do not want to have to settle for a theme which doesn’t suit my site whilst waiting for theme makers, who do an excellent but little blessed job, to catch up. Some have, after all, tens of themes to work through.

    Pi.

  9. Pingback: als Spamer geflaggt wegen …

  10. C. L. Pagani says:

    Haven’t you noticed that each new iteration of WordPress introduces 2 security holes for every one it “fixes”? Sure, upgrade. And then in a few weeks you’ll be hearing about the horrible security holes introduced in THAT version of WP and how you must “upgrade” immediately etc etc – and it goes on and on forever. I’d like the WP developers to try to get right for once instead of concentrating on new features most people don’t care about anyway.

  11. dkaye says:

    Once I’m confident all 41 plugins I’m currently using will work or have suitable replacements, then I’ll upgrade. Until then, I guess I’ll have to remain at-risk.

  12. Network Geek says:

    I upgraded from 2.0.??? to 2.5 for just this reason. Well, the security issue, not the Technorati issue. I use a theme that I customized without issue, save for having to replace an older plugin with one that worked with 2.5 for the fancy-schmantzy titles and cleaning up some code for the TimeOfDay plugin that gives a generalized time instead of the precise time the post/page was published. But, in the end, neither of those were absolutely required to run my blogs. They were *wants* not *needs*.
    Frankly, I’m curious as to what other breakage might occur with themes outside of customization like that. After all, it was customized once, so it can be customized again. And, I’d never go live with something that I hadn’t tested anyway. At least, not if it was truly important. If *my* customization was important enough to worry about, then it’s *my* responsibility to test it properly before committing to it on *my* live site.

  13. Chris says:

    I was going to argue with you, then I realized I’m using 2.3.3 on all of my blogs, so I guess I was excluded in the first paragraph. Still, I think you might be overstating things slightly.

  14. Upgrading is too complicated for me. I wait until everything is totally bug free, as I can’t afford to figure out bugs/plugin incompatibilities etc. I’d rather have an old version. I’m waiting for a oneclick upgrade.

  15. Cody says:

    I don’t think I’ll ever understand why people don’t upgrade. Sure, the newer versions are different. But they’re also more secure. The goal isn’t to have software that’s completely impervious to hacking. That’s essentially impossible. The goal is to stay one (or more) steps ahead of the exploiters, and you can’t do that if you stick with outdated software.

  16. Keishon says:

    I’m OK with waiting since 2.3.3 doesn’t have any security issues (as far as we know). Just like another poster stated, as soon as we upgrade, there’s a bug fix 2 or 3 months later. I don’t think that it is dire to upgrade right now unless other people are using older versions of wordpress with known security issues. I know I want to upgrade, but I want to upgrade a stable version of 2.5. Waiting a couple of months or more isn’t unreasonable. I understand what you’re saying but a lot of us like to sit back and wait and make sure.

  17. Dougal says:

    Note: I didn’t say that you need to upgrade to WordPress 2.5 right now. As far as I know, there were no security fixes between versions 2.3.3 and 2.5. So if you need to hold off on the 2.5 upgrade, you should be fine, as long as you make sure you’re up to version 2.3.3 (or have updated/removed any vulnerable files from older versions).

    The jump from 2.3.3 to 2.5 is significant, and yes, there will be a 2.5.1 update coming out Real Soon Now. But to the best of my knowledge, version 2.3.3 is safe. So if you need to hold off on the 2.5 upgrade for now, you should be fine.

  18. Pingback: Upgrade or Else! « will.ph

  19. Jeremy says:

    There is a one click upgrade, via the Automatic Upgrade plugin. Worked perfectly for me. Alas, 2.5 is broken in one important respect. It seems to prevent uploading and using images in many cases. I’m still waiting for a fix to that, and I cannot go back to the older version.

  20. Pingback: Vulnerabilità della sicurezza di WordPress

  21. Pingback: Interactive Media Tips » Blog Archive » Upgrade Your Installations… now.

  22. On the subject of upgrades, why not putting out patches for security vulnerabilities the moment they are fixed, instead of pushing new versions out?

  23. pete says:

    um… interesting customer service approach.

    Maybe the ‘get over it’ should be:

    “WordPress doesn’t Work.”

  24. Here in Brazil there’s a lot of blogs that didn’t update yet because of incompatibility problems related to plugins and themes. I think this is the major barrier to the upgrade of the core WP installation. So I think in a short period of time most of the frequently updated blogs that use WP will be using the 2.5 version.

  25. Mosey says:

    Glad to read that 2.3.3 is still alright (for the moment) :) One of my non WP blogs has just been upgraded (by me) to WordPress 2.5. I’m having trouble with the admin interface already – where’s the ummm… Plugin Options page? The interface used to be so intuitive >_< I don’t think I’m a newbie user of WP, but this has me quite baffled! (*is aware that there are alternative interfaces available for d/l*)
    The other one will still stay at 2.3.3 for the moment. Like others have pointed out, for some websites, the plugin makes up a lot of the site content. I know for a fact that this doesn’t quite apply to my current site (but does to another one in development) but I still don’t want to go through the hassle of 2.5 only to have to patch it to 2.5.1 immediately because of upload issues etc.

  26. mike rubbo says:

    I find I deeply resent the changes made in 2.5. They don’t seem to benefit me at all and a simple intuitive user and just mean there are things I can’t do, or don’t see how to do.

    The most important example is replying to comment. Our blog gets lots of comments and a big feature was being able to hit the edit button and leave a comment to the comment. Readers really liked being responded to personally. Why on earth would this be taken away?

    If I am just not seeing how to do it, could someone explain? Mike

  27. Mares says:

    I gave in and upgraded, coward that I am, I’d been hoping to wait a bit longer, but I decided to be brave and just do it. It’s incredible, I love it. Even the theme I lovingly cobbled together last year didn’t break. I did a little dance at my desk, I was that thrilled.. there’s just one little problem, it’s not much but wanted to ask on the off chance there is something I can do to resolve it? On the dashboard, the link to “view site” floats over the link to “write” posts. I’d appreciate any info.. though I could live with it if I have to.

  28. Kelson says:

    @Jeremy, are you using the Bad Behavior plugin? If so, update to 2.0.14 and that should take care of it.

    The new image uploader uses Flash if available. A lot of spambots pretend to be “Shockwave Flash”, and until now there was no normal reason for a Flash app to be accessing your blog, so Bad Behavior was blocking it.

  29. Pingback: Vulnerable Software and Vindictive Search Engines | Blueprint Design Studio

  30. C. L. Pagani says:

    OH yes, I upgraded one of my blogs to 2.5. Hated it. The admin interface seems designed to favor promotion of the developers blog feeds over functionality to the nth degree. I’m staying with 2.3.3 on the rest of them unless they make some major changes in the 2.5x series.

    Note to developers of WP: When I go there, I’m mostly there to to admin my own blog, not read the commercials for YOURS.

    Also, try making a bug free version FIRST. Worry about more semi-useless features LATER, k?

  31. Cody says:

    @C. L. Pagani: What are you talking about? The developer feeds are only on the lower half of the dashboard page. And that’s it. Recent Comments, Incoming Links, and Stats are all above the Development Blog feed and Other News section. And those have been there in every version of WP I’ve used.

  32. So far I haven’t run into any trouble going from 2.33 to 2.5 in the ten blogs I’ve upgraded so far. But backup your database first, just in case!

  33. gordon says:

    I wrote about one of the exploits on my blog a little while ago and also what I did to deal with it. I also wrote a short follow-up to it, too. A number of people have found it useful, so you might want to check it out.

    Hope this helps! :)

  34. Pingback: Scattered » Upgrade or else? - Wordpress 2.2.2 Security Issue

  35. rlparker says:

    I’m all for upgrading to 2.3.3, but my multiple attempts to move numerous sites to 2.5 have revealed a major issue with the new flash uploader – sometimes it works, and sometimes it doesn’t. It seems particularly difficult to track down whether this is a flash issue, a browse issue, a WordPress issue, or a server issue. I’ve seen all of the above possibilities discussed on the bug tracker and on the forums. No one seems to be able, as of yet, to clearly nail it down so that it can be fixed. Of the several suggested “fixes”, some work for some installation, others work for some other installation, and none of them seem to work for some people.

    Until this is tracked down and dealt with, as much as I love the new 2.5 back end, I can’t use it. If you *do* upgrade past 2.3.3 to 2.5, make sure you leave yourself a regression strategy should you encounter this. Hopefully, you will have no problems but you should know that, as of today, if you *do* encounter this problem you *may* not be able to fix it just now.

    That said, everybody go update to *at least* version 2.3.3. PAX!

  36. Mike Huang says:

    I agree…every blogger using WordPress should take the plunge and upgrade. I actually upgraded and caused errors all over my blog. I fixed it for a day, but still received some errors. Eventually, I did an “overwrite all files” install and everything worked great. Certain plugins gave huge errors, but I also deactivated them. So far, I love 2.5!

    -Mike

  37. mark knowles says:

    Interesting that I am only now discovering that wp 2.3.3 is such an easy hack. Why was this kept secret before?

    And I can only assume that 2.5 has similar security holes that are being kept a secret also.

  38. WP 2.5 should be released in a better way than with so many hiccups. First fix that before pushing people into a release that is far from finished

  39. Pingback: What Da Phuk! » Blog Archive » Upgrade Time

  40. n-blue says:

    Ok, but why don’t you just release a patch for those who are unable to upgrade? The security issue you’re talking about sound like just a piece of file not the whole system. Please try to realize that some theme is not easy to fix and not all people have that capacity.

  41. Greg McAbee says:

    You have to upgrade or it is just a matter of time to get hacked. As I see it the three progressions of a web page are.

    1. Need Hits, Need to get noticed.
    2. Getting Notice – Some hits coming in.
    3. Oh shoot I’m famous. Now every hacker in the world and script kiddy will POWN me.

    Not a typo. You do not want your site powned. I made the mistake of running a PHPBB Forum site once and the hackers hacked through that to get to the WordPress site. And believe me, once you’re hacked once, they leave things behind to get back in later.

    The sinking feeling of opening your web site. Only to find all of your work destroyed by a Turkish Muslim hacker who left his email and does not care is a terrible feeling.

    When I upgraded the ONLY thing that kept working was WordPress and PodPress. My Downloads plug-in I use to send free Audio Bibles all over the world stopped. Four plug-ins had to be re-installed after they were brought up to speed. Thankfully the fixes were already there.

    I got rid of a plugin that stopped working. And added a new one that only works in the new version. There are really two schools of thought. Wait and See and Do it now.

    I like to do it now. Please don’t take this the wrong way as I am learning to respect everyone. But the feeling of logging in my Christian Site only to see the Muslim Star that my site was powned. I’m sticking with the Do it now plan.

    As for the critics who are crying to get it right. Sorry it doesn’t work that way. Even the best companies out there realize if new products do not go out the door you get stale. No one wants yesterdays stale stuff.

    I Love WordPress. It is simple. And helps me send the Gospel everywhere. It fits in my price range so I don’t complain very much. Thanks to everyone involved with WordPress!

  42. Pingback: Blog do Cleuby

  43. Mares says:

    I upgraded to 2.5, from 2.1.3, no errors other than a minor mostly cosmetic problem in my dashboard. My cobbled together theme didn’t break. I checked each of my posts and comments, they all survived. I can post, I tested my plugins, all with the exception of one worked. Checked for an updated version and there was one available to work with 2.5, I’m a happy camper.

    BTW, my WP blogs have never been hacked. I’m careful of course where I have gotten my themes and plugins in the past. I read up on things before installing them as we’ve all been warned to do so.

    Per usual, WP is a dream to use and feel confidence in..

  44. Mares says:

    oops, that was meant to say upgraded to 2.5 from 2.3.1. All I can say is the caffeine isn’t working its magic this morning. ;)

  45. Eats Wombats says:

    I see you are looking for a replacement for XAMPP. Been there. Try wampserver (www.wampserver.com/en/). It’s much better.

  46. Uncle Che says:

    Generally, updated apps are always far more advanced in every aspect than previous versions. I knew and understood that but I was skeptical because I thought sidebar management was complicated in WP 2.5. Thank God I got over it. I am now upgraded and happy.

  47. Pingback: Jason’s Random Thoughts » Blog Archive » Stop Trying To Scare Us Into An Upgrade!

  48. C. L. Pagani says:

    @ Cody – Happy to answer your question.

    Remember I have more than one blog so I can readily see the difference. In 2.3.3 and earlier, everything I needed to know about my blogs’ status – from incoming links to spam queues to Firestats statistics was all in a convenient sidebar on the first screen. Not only does the “improved” Admin interface take up more screens (at 1280×1024) but it provides LESS information about my blog. NOW – with 2.5, I get to hunt for some of the information that used to be right in front of me …and Firestats (users take note) isn’t on there at all anymore. Oh the information is still available, but not on the admin page. I have to click the Firestats tab if I want to know about incoming links or hit count.

    Yes, the developer’s blog spam was always there, but now the boxes are bigger and take up more space, plus we’ve now added a spam about what plugins are the most popular. In other words, more blogvertising and less information all around. That’s my opinion. You asked, so there you go. Thumbs down on 2.5!

  49. Roland says:

    there will be a 2.5.1 update coming out Real Soon Now

    In my opinion 2.5 was released too early, now all users are forced to go through the hassle of updating multiple times within a very short time period. Thank god I create my own patchfile to update my installations. But for those that have multiple, heavily changed installations the update process is frustrating.

    I also agree with C.L. Pagani, the new “improved” admin panel is a pain. I am not interested in the most popular plugins or the latest post from the development blog. If i want to read those things i’ll go look for them.

  50. John Hines says:

    I’d like to comment about a previous comment that states

    “Haven’t you noticed that each new iteration of WordPress introduces 2 security holes for every one it “fixes”? Sure, upgrade. And then in a few weeks you’ll be hearing about the horrible security holes introduced in THAT version of WP and how you must “upgrade” immediately etc etc – and it goes on and on forever. I’d like the WP developers to try to get right for once instead of concentrating on new features most people don’t care about anyway.”

    Improvement or progress can’t exist without a problem that someone tries to fix or improve upon. That is, finding bugs or inconsistencies in software is not really a bad thing since, by nature, it serves to improve the software and the user’s experience in the long run (as long as they are fixed, and by user we really mean the person that uses and/or utilizes the created resource).

    There is much more to fixing software bugs than people think of. “How was the bug found?” or “Can it be reproduced?” or “How many does the bug affect?” or even better “Is the bug fix going to cost more to fix than will be lost by letting it ride for a while?”.

    Here’s a loose example:
    You run a factory that produces widgets and are running at full capacity bringing in $1,000,000 per day. The current demand runs around $2,000,000 per day worth of product. The software team comes along and presents data that proves that the factory can double capacity with some software improvements that can be introduced seamlessly.
    So you approve the software improvement, the team finishes their work, but they notice a minor bug in the system just after they roll out the new and improved system. The software team knows where the bug is and are able to fix it. It will take three days to fix but the factory will have to shut down for those three days to fix it.

    Do you build a second factory or shut the factory down and wait for the bug to be fixed (costing $3,000,000)?

    If it were me I think I’d let the bug slide for a while and develop a way to seamlessly fix the bug later on and keep that revenue coming in. That is, after all, what pays those software guys in the first place…

  51. Pingback: A return to scheduled programming | Deskpoet's observations

  52. I’m one of those that got hacked. The title of my site referred to someone else’s site. It took me a full day to figure out how to fix my site. In the end I discovered that someone was manipulating the “All in One SEO” plugin. I deactivated the plug-in, I can live without it, and the problem was resolved.

    Instead of upgrading to a newer version, 2.5 was about to be released, I replaced my xmlrpc.php with the newer version. And everything seems to be fine. Although my last upgrade went fine, I’m always queasy about doing upgrades. I’m going to give 2.5 a few more weeks before I upgrade.

    Hope the Info helps.

  53. Pingback: gordon.dewis.ca | Upgrade or be dropped

  54. Pingback: The dust settles on a blog upgrade – Alex’s Ramblings

  55. Pingback: Blogvaria » First date with WordPress 2.5

  56. Pingback: Derek Meister's Online Journal

  57. Pingback: paran0id’s blog » Blog Archive » Wordpress - Upgrade OR Else…

  58. Sarah says:

    Until last week I ran 2.2.x because, well, I just roll that way. Personally, I think that if you’re going to get hacked… you’ll get hacked regardless of which version of WordPress you’re using.

    Saying that, 2.5’s posting page does render a LOT quicker than 2.2’s did and seems less bandwidth hungry… speaking as someone who pays for stuff like that… bonus :)

  59. jive says:

    Upgrading themes can take awhile, sometimes they change just a little thing in the templates but I like to make sure none of my custom templates will be broken. I’ve always waited at least 3 days after a release to upgrade. I’ve seen lots of Open Source apps come out with a patch 1 or 2 days later because they found a major security hole, or forgot an important file or forgot to update something. Nothing against open source apps or any of the developers, things happen, and it’s very understandable. Some apps change very fast which can be good or bad. Good in that new features are being added, and bad in that you have to update constantly.

  60. Scyfox says:

    Sorry to say but I have to stick with 2.3.3 cause my hosting doesn’t use Apache… it has light… and 2.5 doesn’t work well if you don’t update light to 1.5 beta… which in my case they won’t do until final release….

    DAMN!

  61. AriK says:

    One of the reasons why non-English WP sites don’t get upgraded quickly is the delay in translation. Usually it is one volunteer (per language) who tries to keep up with WP releases (+plugin releases). In my native language the latest translated WP version is 2.2.3. Waiting for the 2.5…

    I feel that Automattic could do a nice job in enabling some sort of collaborative on-line translation facility for new versions of WP. I know that there would be several local volunteers capable of sharing the work load, but we haven’t found a practical way of doing it on-line, in a distributed manner.

    Any hints how we could make it happen?

  62. Found this post AFTER upgrading to 2.5 because … my 2.3.3 blog was attacked just as you mention in your post – not once, but twice in the past month. The first attack was barely noticeable since the injected code was just added to my existing code. I only caught it because the title was made blank and the categories were set to misc. That was an easy fix.

    A month or so later the entire contents of a post were replaced, leaving only the title. Comments were disabled for that post.

    I saw reports of SQL injection attacks and figured I should upgrade.

    Fortunately, I only have two plugins enabled (SecureImage and Force Word Wrapping) and they seem to be working fine. As well my theme seems to be ok.

    Of course, now that I’ve upgraded and read that there were no major fixes from 2.3.3 to 2.5 … am I going to get hacked again?

    “I see comments from people all the time saying that they don’t want to upgrade because it might break this theme or that plugin that they have installed. To those people, I say, GET OVER IT. The security of your site is important. If some theme or plugin is not compatible with a newer version of WordPress, ask the author politely to update it. Or find a replacement. Or live without it. I have in excess of 25 plugins active here. But there’s not one of them that I would hesitate to deactivate when it comes to security of my site.”

    Umm, yeah, as long as actual content isn’t affected. For some, this analogy might hold: Your OS vendor puts out a new version to fix security. But the upgrade will disable 50% of the keys on your keyboard. Do you upgrade regardless? Depends on how you use the computer and what you do with it, I guess. For some the plugins make WP. I use WP because it makes the process easier, but I could just go back to writing my own pages and avoid using WP, ya know, for security reasons.

    Anyhow, here’s to hoping 2.5 prevents the injection attacks.
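The symptoms the comment above describes (a block of injected links appended to an existing post, a title wiped blank) can be scanned for across a site's post content. The following is an added Python example, not the commenter's code or anything from WordPress: it walks each post's HTML and flags empty titles and links sitting inside blocks hidden with `display:none` or `visibility:hidden`, and it lists links pointing off-site so the operator can eyeball them. The posts, the site host name `myblog.example` and the spam domains are all constructed samples.

```python
"""Flag posts that show the injection symptoms described in the comment."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Elements that never get a closing tag, so they must not stay on the stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "wbr"}

# Constructed sample posts; post 2 and post 3 carry injected hidden links.
SAMPLE_POSTS: List[Dict[str, object]] = [
    {"id": 1, "title": "Upgrading to 2.5",
     "content": '<p>Notes on the <a href="/2008/04/upgrade">upgrade</a> and the '
                '<a href="http://wordpress.org/">release</a>.</p>'},
    {"id": 2, "title": "",
     "content": '<p>My original text.</p><div style="display: none">'
                '<a href="http://spam.example/pills">cheap pills</a></div>'},
    {"id": 3, "title": "Holiday photos",
     "content": '<p>Pictures<br><img src="/img/1.jpg"><span style="visibility:hidden;">'
                '<a href="http://casino.example/">play</a></span></p>'},
]


def _is_hidden(attrs: Dict[str, str]) -> bool:
    """True when the element's inline style hides it from readers."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class LinkCollector(HTMLParser):
    """Collects every href together with whether it sits inside a hidden block."""

    def __init__(self) -> None:
        super().__init__()
        self._stack: List[Tuple[str, bool]] = []   # (tag, hidden?) per open element
        self.links: List[Tuple[str, bool]] = []    # (href, hidden?)

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        hidden = _is_hidden(a) or any(h for _, h in self._stack)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], hidden))
        if tag not in VOID_TAGS:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag: str) -> None:
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def scan_post(post: Dict[str, object], own_host: str) -> Dict[str, object]:
    """Return the flags raised for one post plus the links behind them."""
    flags: List[str] = []
    if not str(post["title"]).strip():
        flags.append("empty_title")
    parser = LinkCollector()
    parser.feed(str(post["content"]))
    parser.close()
    hidden = [href for href, h in parser.links if h]
    external = [href for href, _ in parser.links
                if urlparse(href).hostname not in (None, own_host)]
    if hidden:
        flags.append("hidden_links")
    return {"id": post["id"], "flags": flags,
            "hidden_links": hidden, "external_links": external}


def scan_posts(posts: List[Dict[str, object]], own_host: str) -> List[Dict[str, object]]:
    return [scan_post(p, own_host) for p in posts]


if __name__ == "__main__":
    for result in scan_posts(SAMPLE_POSTS, "myblog.example"):
        if result["flags"]:
            print(result)
```

Against a live site the post rows would come from the posts table rather than the embedded list; the hidden-link check is the high-signal one, while the external-link list is there for review rather than as an alarm on its own, since ordinary posts link out all the time.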

  63. Network Geek says:

    I think one thing that people are missing on this is where the responsibility falls. If the problem is with a customization done to the trunk software, how is that the problem of the developers? I mean, let’s be reasonable here. The developers can’t write code *and* test it with every single available plugin. And, frankly, I think it’s unreasonable to ask them to do so.

    I have a test installation of WordPress, both locally and on my webhost, so that I can verify everything works the way I want it to work *before* I let it go live. As an owner/operator of a website, it is *MY* responsibility to test the software that I use before I make it live on my site. If it doesn’t work the way I want, then I don’t make it live. I tinker with the code in a test environment until I’m satisfied, then I make it live.
    If that’s too much work, then there’s always WordPress.com, where they test things for me. In fact, one very nice young lady I know on-line moved her blog there because it was too much work for her, even with my help. Now, she seems quite satisfied with how it all works. No problem.

    So, what’s the issue people are having problems with? Is it just too much work to test new software before using it? Seriously?

  64. Pingback: ¿Actualizo a Wordpress 2.5 o no? |Ayuda WordPress

  65. For those that are more concerned about their plugin compatibility than security: Your plugins won’t count for squat if your site is hacked. A new lock installed on your front door may require effort on your part to install, but if your house is robbed you will expend a great deal more effort. Simple risk analysis. Plus, if your hacked site is used to attack other sites, you’re going to risk upsetting many other admins who take the time to do the right thing. It makes you look stupid. But maybe you think stupid looks good on you.

    For those that complain about the number of bugs in new WordPress releases: Last I checked WordPress was free. But that’s still not enough for the Entitlement crowd. By golly, some want PERFECT SOFTWARE DELIVERED RIGHT EVERY TIME (AND FREE, FREE, FREE)! Perhaps you should code your own blog software then. This is exactly the attitude that will weaken free software & open source projects. Generous developers will eventually decide that they can’t please all the whining freeloaders all the time and will eventually (and rightfully) retire to the Bahamas for some much needed downtime.

    Props to the WordPress development team! I’ve never seen an easier tool to manage my website with or so easily upgrade. I’m proud to use it and brag to others that I use it. Thanks for giving so many of us a voice in the wilderness.

  66. Danny says:

    I would like to upgrade. I am eager to upgrade.

    But I have some plugins that are key to the way my blog functions, and I gather that they have not been updated to work with newer versions of WP. For example, if I did not have “Postie” and “Category Visibility” plug-ins, my blog would be a different and much inferior place. I simply do not know how to do some very important things that my blog does without those plugins.

    The risk of them not working with an upgrade is higher to me than the risk of being hacked.

  67. I installed WP 2.5 fresh on my site and loved the new features so much that I convinced my client to upgrade his site. It was a breeze, even though he was running something like 2.2.* Thanks for this article warning about the dangers of not upgrading. I will keep this in mind with my work with WP as well as other applications and plugins!

  68. Lee Doyle says:

    I love it. I 100% agree!

    I blog for some big blogs who are still running 2.3.1 and no matter how many times I tell them they will NOT upgrade.

    Hope people listen!
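
Several commenters above mention sites still running 2.3.x. The check a practitioner would want at this point is an inventory: which installs on a host are below the minimum version? The script below is an added example written for this page, not code from the original post or from the WordPress project. It assumes only one thing about WordPress: that each install records its version in wp-includes/version.php as `$wp_version = '...';`. The two sample installs it scans are constructed inline in a temporary directory; the minimum version (`2.5`) is a parameter, so it can be raised as new releases appear.

```python
"""Find WordPress installs below a minimum version by reading wp-includes/version.php.

Added example for this page, not code from the original post or from WordPress.
Assumption: each install stores its version as `$wp_version = '...';` in
wp-includes/version.php, and the caller supplies the minimum acceptable version.
"""
import os
import re
import tempfile

# Match only "$wp_version", not the "$wp_db_version" assignment in the same file.
_WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")


def parse_wp_version(php_source):
    """Return the version string from version.php text, or None if it is absent."""
    m = _WP_VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_key(version):
    """Sort key: numeric components, with a pre-release ('2.5-RC1') ranked below '2.5'.

    Numeric comparison matters: as strings, '2.10' would sort below '2.5'.
    """
    base, sep, _suffix = version.partition("-")
    parts = tuple(int(p) for p in base.split(".") if p.isdigit())
    return (parts, 0 if sep else 1)


def is_outdated(version, minimum):
    """True when `version` is strictly below `minimum`."""
    return version_key(version) < version_key(minimum)


def scan(root, minimum):
    """Walk `root`, read every wp-includes/version.php, and flag installs below `minimum`."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != "wp-includes" or "version.php" not in filenames:
            continue
        with open(os.path.join(dirpath, "version.php"), encoding="utf-8", errors="replace") as fh:
            version = parse_wp_version(fh.read())
        findings.append({
            "install": os.path.dirname(dirpath),  # the site root containing wp-includes/
            "version": version,
            # An unparseable version.php is treated as outdated: unknown means unverified.
            "outdated": version is None or is_outdated(version, minimum),
        })
    return sorted(findings, key=lambda f: f["install"])


def build_sample_tree(base):
    """Constructed sample data (not real sites): one old install and one current one."""
    for name, version in (("site-a", "2.3.3"), ("site-b", "2.5.1")):
        inc = os.path.join(base, name, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            # $wp_db_version value is a placeholder; it must not confuse the parser.
            fh.write("<?php\n$wp_version = '%s';\n$wp_db_version = 1234;\n" % version)


def demo(minimum="2.5"):
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        findings = scan(base, minimum)
    for f in findings:  # drop the random temp prefix so results are stable
        f["install"] = os.path.basename(f["install"])
    return findings


if __name__ == "__main__":
    for f in demo():
        print("%-8s %-6s %s" % (f["install"], f["version"], "UPGRADE" if f["outdated"] else "ok"))
```

Point it at a web root (`scan("/var/www", "2.5")`) to get one line per install; anything flagged is a site to upgrade or take offline. The version file only tells you what is installed, not whether the install has already been tampered with, so a flagged site should also be inspected for injected content before it is upgraded in place.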

  69. Sid Roberts says:

    I’ve only read a few comments, but it seems that it’s a fight between the average Joe, who can’t fix the bugs, and the developers, who can. I’m in the latter group, so upgrading is no problem, but the average Joe possesses neither the time nor the knowledge to sift through the code – it’d just be easier not to upgrade.

    I don’t think it’s better to wait till a later version for bug fixes because the code differences will be even greater so there’s a greater chance of plugin/theme incompatibilities. Instead, I’d recommend checking the compatibility of the plugins and themes installed and upgrading based on that information.

    And with any big upgrade like this, always check on a local installation!

  70. Danny says:

    The plugins I use are vital to the function of my blog, to the way information is posted and presented. My blog would be markedly inferior without a couple of them and could hardly be the same. Most of the plugins, sure, they represent conveniences I could live without, but a couple of them are crucial enough that I prefer not to upgrade and live with the risk, because those plugins are reported not to work with upgrades.

    It’s a rock and a hard place.

    FWIW, I posted a similar comment earlier… but it’s not here. Not sure if that is because of moderation, deletion, or pilot error.

  71. Tay says:

    I agree with the author: security is not a concern for the majority until their site has been broken into.

    I prefer to use as few plug-ins as possible to avoid upgrade problems. However, WP 2.5 comes with auto-upgrade functionality for plug-ins. It’s awesome!

  72. Pingback: WP Thoughts » Blog Archive » WordPress NOT Coming Here Soon

  73. Andrew says:

    Hi Dougal,
    I recently blogged about a similar topic to yours here, and a number of readers commented that their installation of WP 2.3.3 was hacked. It appears more like a server hack than a WordPress hack, but I thought I’d let you know. Keith from unTECHy mentioned it to me in his post (http://www.untechy.com/huge-exploit-in-wordpress)

  74. chris says:

    Ugh — what about sites running WordPress MU… They have really dropped the ball on supporting that one!

  75. Alex says:

    Deleting websites from search engines is a very good way to let people upgrade their site.

  76. Pingback: New look, less spam

  77. Yes, having gone through the horror and lost about 5 hours because I upgraded to 2.5, I’d rather wait and see if 2.5.1 is better.

    As a podcaster, having my RSS feed working is slightly important, so given that the supposedly ‘finished’ WordPress zaps my feed in the new config, I’d rather have something working and take the risk than something flaky like the new WP.

    And can you switch off those awful nags? Yes I know I ‘should’ upgrade but I also know I ‘should’ have a working blog. Sort it out.

  78. nytexan says:

    In a word WordPress 2.5 “sucks”

    I upgraded to 2.5 two days ago from 2.3.3 and then I reinstalled 2.3.3. With 2.5 I had continual script errors when writing a post or loading the write page. Not to mention the major design flaws…like putting the delete post button next to the save post button.

    I was also very annoyed at the amount of e-mails from my daily readers about their script error problems with loading the blog.

    Technorati is the least of my concerns since they screwed everything up with their 180-day rule and revised algorithms last year. They have about as many complaints as WordPress 2.5.

    Regarding my page ranking on Google, it’s very good. So your “or else” argument is really not credible.

  79. Pingback: misszoot.com » No. I Still Haven’t Upgraded. Please Forgive Me.

  80. Pingback: Rapidinhas entre 26/03/08 e 20/04/08 | Caraca Maluco!!!

  81. Pingback: WordPress Update & Plugin Request | K-Squared Ramblings

  82. Pingback: Shuttworld.co.uk » Blog Archive

  83. Me says:

    I’ve given 2.5 and then 2.5.1 a shot and I’ve decided that I don’t like the flash uploader thing at all. Why use flash for something that used to work just great without it before?

    I don’t like the new layout of the dashboard screens either. Everything’s in the wrong place, some things have been re-named and in general it’s made just about everything into more of a PITA than I would have believed.

    I am now giving serious consideration to rolling back to 2.3.3 until there is a plugin or patch for 2.5.x that will at least give it the same look and feel as 2.3.3

  84. Christina says:

    Well, this is a useful blog to read!! I totally agree, it’s better if we all update than get spammed, which is what happens unless you have the latest version of WordPress!!

  85. Adrian says:

    Hey Dougal, I know you recommend that everyone upgrade to 2.5 in this post, but it looks like 2.5 had a critical cookie vulnerability, so people who find this post through Google and other search engines should know that if they have old versions they should probably just upgrade to the NEWEST version of WordPress.

    -Adrian

  86. Pingback: Checking Your WordPress Security

  87. Pingback: WordPress Güvenliğini Sağlayın - Harbimi.NET

  88. Phil says:

    Old news but the message still stays the same:
    “Keep your WordPress up2date or die trying!”

  89. Thanks for your info, this info really helped me….

  90. v says:

    I think the latest version of wordpress has no security holes. Works fine for me. Thanks

  91. Pingback: Upgrade or else! | Back in a Bit

  92. Pingback: Rapidinhas entre 26/03/08 e 20/04/08 | Caraca Malluco

  93. Pingback: A return to scheduled programming | Deskpoet's observations
