Should You Upgrade WordPress?
WordPress 2.5 came out just under 2 weeks ago, and since then there has been a stream of "Reasons to Upgrade" posts. Well, what about reasons not to upgrade?
The Security Thing
Security is a good reason to upgrade, but it's not always as good a reason as it might seem. Some blogs over-emphasize security risks to get you to upgrade.
For instance, the normally excellent Weblog Tools Collection wrote about security holes due to free themes, and then said "The moral of this story is that you need to upgrade your WordPress blog now to WordPress 2.5."
Upgrading to WordPress 2.5 will not solve exploits coming from your theme. You must resort to other measures to do that. As a respected WordPress authority, it wasn't fair for them to imply otherwise.
WordPress 2.5 packed a host of new features into it, but how big were the security fixes? Not very: just a more secure login. That makes sense; security fixes go into the minor releases, not the majors.
And if WP 2.3.3 has had 3 versions to fill up holes in the 2.3 release, and WP 2.5 has had no patch-ups but a whole load of new feature code, is it possible that WP 2.3.3 is actually more secure than 2.5? I don't know, but I'd love to hear opinions.
It Isn't Broken, Don't Try to Fix It
If your blog is working the way you want it to, why try to fix it? There are 3 good reasons to leave things alone:
- Not all plugins work with new versions of WP.
- It takes time to upgrade.
- New features in WP may have no appeal to you.
I'm perfectly happy with WordPress 2.3. The new features in 2.5 are great, but not for me. The only reason I would upgrade is to keep up with security.
Should WordPress take this into account? Offering minor releases for many versions of WordPress is not plausible, but perhaps security updates could be given via a plugin? Again, I'd love to hear opinions on whether or not that is a possibility.
How I Do It
I tend to upgrade based on 3 rules:
- Never upgrade to a major release immediately. Things will never be perfect on the first try, and version 2.x.1 is always soon to follow. Save yourself some time by waiting for it.
- Check plugin compatibility first. If it's poor, don't upgrade to major releases. You can test compatibility by looking for the plugin on the Codex compatibility page, or by reading the latest comments on the plugin's home page.
- Always upgrade to minor releases (e.g. 2.3.2 -> 2.3.3). Minor upgrades rarely cause plugin incompatibilities, which makes the upgrade a fast process, and they usually fix security holes, which will appeal to everyone. So a minor upgrade bypasses all 3 of the reasons not to upgrade.
I'm not running 2.5 yet, and have no plans to for a while. What about you?
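The three rules above, written out as a small decision function. This is an added example, not code from the post or from WordPress; the plugin-compatibility table it takes is a constructed stand-in for what you would look up on the Codex compatibility page.

```python
import re
from typing import Dict, Iterable, Set, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '2.3.3' into (2, 3, 3); a two-part '2.5' becomes (2, 5, 0)."""
    if not re.fullmatch(r"\d+(?:\.\d+){1,2}", text.strip()):
        raise ValueError(f"not a WordPress version string: {text!r}")
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def upgrade_decision(installed: str, candidate: str,
                     plugins: Iterable[str],
                     compat: Dict[str, Set[str]]) -> str:
    """Apply the post's rules: minor releases always, majors only after
    x.y.1 exists and every plugin is confirmed against the candidate."""
    cur, new = parse_version(installed), parse_version(candidate)
    if new <= cur:
        return "skip: candidate is not newer than installed"
    if new[:2] == cur[:2]:
        # Rule 3: same branch, point release, e.g. 2.3.2 -> 2.3.3
        return "upgrade: minor release on the same branch"
    if new[2] == 0:
        # Rule 1: first release of a new branch, wait for x.y.1
        return "wait: first release of a new branch, wait for the .1 release"
    # Rule 2: a plugin counts as compatible only if the table lists the candidate
    untested = sorted(p for p in plugins if candidate not in compat.get(p, set()))
    if untested:
        return "hold: plugins not confirmed compatible: " + ", ".join(untested)
    return "upgrade: major release, all plugins confirmed"


# Constructed sample data: two plugin names and a made-up compatibility table.
SAMPLE_PLUGINS = ["akismet", "my-stats-plugin"]
SAMPLE_COMPAT = {"akismet": {"2.3.3", "2.5", "2.5.1"},
                 "my-stats-plugin": {"2.3.3"}}

if __name__ == "__main__":
    for cand in ("2.3.3", "2.5", "2.5.1"):
        print(cand, "->", upgrade_decision("2.3.2", cand, SAMPLE_PLUGINS, SAMPLE_COMPAT))
```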
16th June, 6:05 am GMT
Can't say about "more stable" - I didn't have a chance to use WP 2.3 for a long time.
Faster - yes (they have finally added several indices to the tables, although there are a few they have forgotten about). Of course, if you have a fast server, you won't probably notice these changes.
They also have upgraded TinyMCE to 3.0.6 (personally I don't use WYSIWYG, but 3.0.6 produces cleaner and less buggy code than its 2.x ancestor).
WordPress became more secure (you are using 2.3.1, aren't you?). E.g., the 2.3.x branch (at least up to 2.3.3) is vulnerable to directory traversal (because of insufficient handling of $_GET['cat'] in index.php before calling get_category_template() in wp-includes/theme.php; a remote user could see any file on the system, although this works only on Windows); WP 2.3.x, due to a bug in xmlrpc.php, allows editing someone else's post; in WP 2.3.1, if I have administrative privileges (can access wp-admin) I can view another user's (even an administrator's) drafts; in 2.3.1, index.php?exact=1&sentence=1&s=%b3%27)))[SQL] allows executing an arbitrary SQL statement (only Chinese blogs are affected, though); because wp-admin/edit-post-rows.php does not handle $_REQUEST['posts_columns'], an XSS attack is possible.
Finally, if I have read-only access to the wp_users table (I can do this by exploiting an SQL injection vulnerability; let us leave the details), I can log in as you even without knowing your password. BTW, this vulnerability is widely exploited; you have probably heard about the so-called "wp_footer exploit" (search Google for "search engine marketeers are the new script kiddies").
So, have I convinced you to upgrade?
16th June, 6:37 am GMT
Don't sing it, just bring it:
I won't disclose any private information, but this one will convince you that your WP installation is vulnerable (I did not do anything harmful, just got the data):
* WP Table prefix: wpbbd_;
* the site's home directory is /nfs/c02/h05/mnt/22870/domains/problogdesign.com/html/;
* enough for now
24th June, 1:08 am GMT
Well that's scary! xD
Well done. You clearly know the security issues well!
*Adds upgrading WP to to-do list*