WordPress 2.5 came out just under 2 weeks ago, and since then there have been a stream of “Reasons to Upgrade” posts. Well, what about reasons not to upgrade?

The Security Thing

Security is a good reason to upgrade, but it’s not always as good a reason as it might seem. Some blogs over-emphasize the security risks of staying put in order to get you to upgrade.

For instance, the normally excellent Weblog Tools Collection wrote about security holes due to free themes, and then said “The moral of this story is that you need to upgrade your WordPress blog now to WordPress 2.5.”

Upgrading to WordPress 2.5 will not fix a hole that lives in your theme. A core upgrade replaces the core files and leaves your theme’s PHP exactly as it was, and that code runs with the same privileges as core, so you must resort to other measures (auditing or replacing the theme) to deal with it. As a respected WordPress authority, it wasn’t fair for them to imply otherwise.

WordPress 2.5 packed a host of new features into it, but how big were the security fixes? Not very; just a more secure login. That is consistent with how WordPress releases work: security fixes ship in the minor (point) releases, while the major releases carry the new features.

And if WP 2.3.3 has had 3 point releases to fill up holes in the 2.3 branch, while WP 2.5 has had no patch-ups but a whole load of new feature code, is it possible that WP 2.3.3 is actually more secure than 2.5? The 2.3.x fixes are carried forward into 2.5, so the real question is whether the new feature code brought new holes with it that nobody has found yet. I don’t know, but I’d love to hear opinions.

It Isn’t Broken, Don’t Try to Fix It

If your blog is working the way you want it to, why try to fix it? There are 3 good reasons to leave things alone:

  • Not all plugins work with new versions of WP.
  • It takes time to upgrade.
  • New features in WP may have no appeal to you.

I’m perfectly happy with WordPress 2.3. The new features in 2.5 are great, but not for me. The only reason I would upgrade is to keep up with security.

Should WordPress take this into account? Maintaining point releases for many old branches of WordPress is not realistic, but perhaps security updates could be delivered via a plugin? Again, I’d love to hear opinions on whether or not that is a possibility.

How I Do It

I tend to upgrade based on 3 rules:

  • Never upgrade to a major release immediately. Things are never perfect on the first try, and version 2.x.1 is always soon to follow. Save yourself some time by waiting for it.
  • Check plugin compatibility first. If it’s poor, don’t upgrade major releases. You can test compatibility by looking for the plugin in the codex compatibility page, or reading the latest comments on the plugin’s home page.
  • Always upgrade to minor releases (e.g. 2.3.2 -> 2.3.3). Minor upgrades rarely cause plugin incompatibilities, which makes the upgrade a fast process, and they usually fix security holes, which will appeal to everyone. So a minor upgrade bypasses all 3 of the reasons not to upgrade.
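The three rules above are mechanical enough to script. The following is an added example for this post, not code from WordPress or any plugin, and it assumes two things: that WordPress records its version in wp-includes/version.php as `$wp_version = '2.3.3';` (as the 2.x series does), and that a “major” release is one where the first two numbers change (2.3 to 2.5) while a “minor” release keeps them (2.3.2 to 2.3.3). The plugin compatibility check in rule two still has to be done by hand against the codex page, so the script only tells you which rule applies. The sample version.php contents are constructed for the example.

```python
"""Classify a WordPress upgrade as a point release or a major release.

Added example for this post, not code from WordPress itself.  Assumes
wp-includes/version.php contains `$wp_version = 'x.y.z';` and applies the
post's rules literally: point releases on the same branch are always taken,
a brand-new branch (x.y with no third number) is deferred until x.y.1.
"""
import re
from typing import Tuple

Version = Tuple[int, int, int]

# Matches the assignment WordPress 2.x uses in wp-includes/version.php.
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def parse_wp_version(text: str) -> Version:
    """Turn '2.3.3' or '2.5' into a 3-tuple; a missing third part is 0.

    Pre-release tags such as '2.5-RC1' are rejected on purpose: a release
    candidate is not a release, and the post's rules say nothing about it.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a release version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def installed_version(version_php: str) -> Version:
    """Extract the running version from the text of version.php."""
    m = _VERSION_RE.search(version_php)
    if m is None:
        raise ValueError("no $wp_version assignment found")
    return parse_wp_version(m.group(1))


def classify_upgrade(installed: Version, candidate: Version) -> str:
    """Apply the post's three rules to an installed/candidate pair.

    Returns one of:
      'none'        already current, or the candidate is older
      'minor'       point release on the same branch: upgrade now
      'major-wait'  first release of a new branch (x.y.0): wait for x.y.1
      'major'       new branch with a point release out: check plugin
                    compatibility on the codex page, then decide
    """
    if candidate <= installed:
        return "none"
    if candidate[:2] == installed[:2]:
        return "minor"
    if candidate[2] == 0:
        return "major-wait"
    return "major"


# Constructed sample of the relevant lines from a 2.3.3 install's version.php.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '2.3.3';
"""

if __name__ == "__main__":
    current = installed_version(SAMPLE_VERSION_PHP)
    for offered in ("2.3.3", "2.3.4", "2.5", "2.5.1"):
        verdict = classify_upgrade(current, parse_wp_version(offered))
        print(f"{offered:>6} -> {verdict}")
```

Run against a real install, read `wp-includes/version.php` from the blog’s document root instead of `SAMPLE_VERSION_PHP`; everything else stays the same. The 'major-wait' verdict is the first rule in code form: a fresh x.y release is deliberately held back until x.y.1 exists.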

I’m not running 2.5 yet, and have no plans to for a while. What about you?
