Upgrade or else!

UPDATE 2008-04-16: Well crud. I was just re-reading the WP 2.5 announcement post for something else, and spotted a bit about security updates between 2.3.3 and 2.5. So my previous advice about 2.3.3 being okay was incorrect. This is one of the areas where I disagree with the core development team — if it was up to me, there would be a 2.3.4 security release for those who have good reasons why they can’t upgrade to 2.5 right now.

Okay, people, if you are running any version of WordPress older than 2.5* (not 2.3.3, as this post originally said; see the update above), you need to upgrade now. Seriously. WordPress 2.3.3 and older have security holes that are being actively exploited by hackers to inject spam links into blogs which are not maintained. And search engines like Technorati are de-listing hacked blogs. Are you listening now? Do I have your attention? Upgrade your web apps before you get hacked and your site drops off the search-engine radar.

While the Technorati article specifically talks about WordPress sites, this goes for any web application. You need to pay attention to updates which are released, and upgrade whenever a security problem is fixed. WordPress gets particular attention due to its popularity and the sheer number of installed sites out in the wild. But it is no more or less secure than any other similar web application. So whatever you’re running, keep it up-to-date.
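One way to turn that advice into a routine check, as an added example that is not from the original post: a POSIX shell script that reads the $wp_version string from an install's wp-includes/version.php (the file where WordPress records its own version) and flags any install older than a required minimum. The sample install it creates under a temp directory is constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not from the original post): flag WordPress installs whose
# wp-includes/version.php reports a version older than a required minimum.

# Extract the $wp_version string from a WordPress install's version.php.
wp_version_of() {
    # $1 = path to a WordPress install root
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php" | head -n 1
}

# Return 0 (true) if version $1 is older than version $2, comparing dotted
# numeric components left to right, so 2.3.3 < 2.5 < 2.5.1 and 2.0.11 < 2.5.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ -z "$ax" ] && ax=0          # missing component counts as 0
        [ -z "$bx" ] && bx=0
        [ "$ax" -lt "$bx" ] && return 0
        [ "$ax" -gt "$bx" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# Print "OUTDATED <version> <path>" (status 1), "OK <version> <path>" (status 0)
# or "UNKNOWN - <path>" (status 2) for the install at $1 against minimum $2.
check_install() {
    v=$(wp_version_of "$1")
    if [ -z "$v" ]; then echo "UNKNOWN - $1"; return 2; fi
    if version_lt "$v" "$2"; then echo "OUTDATED $v $1"; return 1; fi
    echo "OK $v $1"; return 0
}

# Constructed sample install (not a real site) to show the check in action.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/wp-includes"
printf "<?php\n\$wp_version = '2.3.3';\n" > "$DEMO/wp-includes/version.php"
check_install "$DEMO" 2.5 || :      # non-zero status because 2.3.3 < 2.5
rm -rf "$DEMO"
```

Run it over every install root on a server (for example, each DocumentRoot that contains wp-includes) and act on any OUTDATED line.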

And the same goes for any add-ons — if you install third-party plugins or themes, make sure you keep up with updates. WordPress 2.5 makes updating plugins easier than ever. Review your Plugins page from time to time, and pay attention when it tells you that a newer version of a plugin is available.

I see comments from people all the time saying that they don’t want to upgrade because it might break this theme or that plugin that they have installed. To those people, I say, GET OVER IT. The security of your site is important. If some theme or plugin is not compatible with a newer version of WordPress, ask the author politely to update it. Or find a replacement. Or live without it. I have in excess of 25 plugins active here. But there’s not one of them that I would hesitate to deactivate when it comes to security of my site.

There are several ways to keep up with new WordPress releases. The Dashboard shows you all sorts of news from the WP community, including announcements from the Development Blog. There are several mailing lists. If those lists are too noisy for you, you can get just release announcements by signing up on Freshmeat.net and subscribing to the WordPress Project. I normally submit the Freshmeat update within 24 hours of an official release.

* One exception is WordPress version 2.0.11 (or the 2.0 svn branch, more generally), which is maintained with security updates for the Debian package.


64 Comments

  1. Lee Doyle leedoyle.com
    Posted April 12, 2008 at 6:46 am | Permalink

    I love it. I 100% agree!

    I blog for some big blogs who are still running 2.3.1 and no matter how many times I tell them they will NOT upgrade.

    Hope people listen!

  2. Sid Roberts sidroberts.co.uk
    Posted April 12, 2008 at 7:52 am | Permalink

    I’ve only read a few comments but it seems that it’s a fight between the average Joe, who can’t fix the bugs, and the developers, who can. I’m of the latter group so upgrading is no problem but for the average Joe, they possess neither the time nor the knowledge to sift through the code – it’d just be easier not to upgrade.

    I don’t think it’s better to wait till a later version for bug fixes because the code differences will be even greater so there’s a greater chance of plugin/theme incompatibilities. Instead, I’d recommend checking the compatibility of the plugins and themes installed and upgrading based on that information.

    And with any big upgrade like this, always check on a local installation!

  3. Posted April 12, 2008 at 10:44 am | Permalink

    The plugins I use are vital to the function of my blog, to the way information is posted and presented. My blog would be markedly inferior without a couple of them and could hardly be the same. Most of the plugins, sure, they represent conveniences I could live without, but a couple of them are crucial enough that I prefer not to upgrade and live with the risk, because those plugins are reported not to work with upgrades.

    It’s a rock and a hard place.

    FWIW, I posted a similar comment earlier… but it’s not here. Not sure if that is because of moderation, deletion, or pilot error.

  4. Tay vashira.com
    Posted April 12, 2008 at 12:40 pm | Permalink

    Agree with the author, security is not a major concern until your site has been intruded.

    I prefer to use as few plug-ins as possible to avoid upgrade problems. However, WP2.5 comes with auto upgrade plug-ins functionality. It’s awesome!

  5. Andrew wpthoughts.com
    Posted April 12, 2008 at 6:15 pm | Permalink

    Hi Dougal,
    I recently blogged about a similar topic to yourself here, and a number of readers commented that their installation of WP 2.3.3 was hacked. It appears more like it is a server hack than a WordPress hack, but I thought I’d let you know. Keith from unTECHy mentioned it to me in his post (http://www.untechy.com/huge-exploit-in-wordpress)

  6. Posted April 13, 2008 at 9:54 am | Permalink

    Ugh — what about sites running Wordpress MU… They have really dropped the ball on supporting that one!

  7. Alex chatjes.be
    Posted April 13, 2008 at 10:05 am | Permalink

    Deleting websites from search engines is a very good way to let people upgrade their site.

  8. tim from Radio Clash mutantpop.net
    Posted April 14, 2008 at 7:23 pm | Permalink

    Yes, having gone through the horror and lost about 5 hours because I upgraded to 2.5, I’d rather wait and see if 2.5.1 is better.

    As a podcaster, having my RSS feed working is slightly important, so the fact that the supposedly ‘finished’ WordPress zaps my feed in the new config, well, I’d rather have something working and take the risk, rather than something flaky like the new WP.

    And can you switch off those awful nags? Yes, I know I ‘should’ upgrade, but I also know I ‘should’ have a working blog. Sort it out.

  9. nytexan bluebloggin.com
    Posted April 15, 2008 at 11:06 pm | Permalink

    In a word WordPress 2.5 “sucks”

    I upgraded to 2.5 two days ago from 2.3.3 and then I reinstalled 2.3.3. With 2.5 I had continual script errors when writing a post or loading the write page. Not to mention the major design flaws…like putting the delete post button next to the save post button.

    I was also very annoyed at the amount of e-mails from my daily readers about their script error problems with loading the blog.

    Technorati is the least of my concerns since they screwed everything with their 180 day rule and revised algorithms last year. They have about as many complaints as WordPress 2.5.

    Regarding my page ranking on Google, it’s very good. So your “or else” argument is really not credible.

  10. Me blogdoofus.com
    Posted June 25, 2008 at 12:19 am | Permalink

    I’ve given 2.5 and then 2.5.1 a shot and I’ve decided that I don’t like the flash uploader thing at all. Why use flash for something that used to work just great without it before?

    I don’t like the new layout of the dashboard screens either. Everything’s in the wrong place, some things have been re-named and in general it’s made just about everything into more of a PITA than I would have believed.

    I am now giving serious consideration to rolling back to 2.3.3 until there is a plugin or patch for 2.5.x that will at least give it the same look and feel as 2.3.3

  11. Christina gfi.com
    Posted July 25, 2008 at 8:00 am | Permalink

    Well, this is a useful blog to read!! I totally agree, it’s better if we all update than being spammed unless you have the latest version of WordPress!!

  12. Posted July 28, 2008 at 1:12 pm | Permalink

    Hey Dougal, I know you recommend everyone to upgrade to 2.5 in this post, but it looks like 2.5 had a critical cookie vulnerability, so the people who are finding this post through Google and other search engines should know that if they have old versions they should probably just upgrade to the NEWEST version of WordPress.

    -Adrian

  13. Phil vetgaar.nl
    Posted October 6, 2009 at 4:55 pm | Permalink

    Old news but the message still stays the same:
    “Keep your Wordpress up2date or die trying!”

  14. software review wong-multimedia.com
    Posted October 30, 2009 at 3:00 am | Permalink

    Thanks for your info, this info really helped me.
