Update your WordPress

Updates are easy. They should be easier. Check out our proposal at the end of this post.

This week at Black Hat conference in Las Vegas, security company Qualys presented and released BlindElephant, a utility that scans web sites for insecure web applications. Their research identified that 70 percent of sites running Drupal are affected by critical vulnerabilities, and that the statistics only get worse for Joomla (92%), MediaWiki (95%), phpBB (100%). 1

I received a press release about BlindElephant earlier this week. At the time, I didn’t think much of it. It surely would have gotten my attention, however, had it included their WordPress statistic — 4 percent. (What did catch my attention was this IDG article.)

The application, the source for which Qualys released, isn’t about identifying critical vulnerabilities; it’s about identifying the versions of software that websites run. They made their own determinations which versions had “critical vulnerabilities.” 2 Check out their slides and white paper, both packed with great information and statistics.

For WordPress, they cited version 2.5.1 as the earliest release outside the critical barrier, which fixed an important security flaw in our secret key implementation.

In case you didn’t already know, that 2.5.1 is not secure. We’ve made countless incremental improvements to the security of WordPress in the four major versions and many maintenance and security releases over last two years.

Alas, WordPress has a security perception issue. It’s widely used and widely targeted. Plugins have extended it every which way. Of course, “My WordPress was hacked!!!!111” doesn’t mean that WP is the attack vector. It very rarely is.

But at the same time, WordPress is easy to use and easy to upgrade. Among major open source web applications, it quite possibly leads in both categories, and its developers and contributors have worked hard to make it that way.

That brings me back to BlindElephant. Their white paper says they checked more than 25,000 WordPress installs and found the vast majority of them to be running WordPress 2.9 or higher. Qualys cited the “application’s easy, reliable updating design” as why we have such a clear advantage. I’m down with that.

WordPress 3.0.1 and beyond

This post’s title comes from the 3.0.1 haiku. If you’re not running 3.0.1, please update. It’s easy, usually always painless, and will provide you (and me) peace of mind. But we do have goals to make it even easier. With that, I leave you with one such proposal, from Daryl Koopersmith (@darylkoop) and me: If you fall behind on your updates, we’re thinking a modal dialog box with a twist. What do you think? 3


  1. The Drupal number may be slightly high, as this comment points out, as Drupal 5.22 may have been incorrectly classified as critical. (Their slides were not kind on Drupal, so I am unsure of the intention.)
  2. WordPress and Drupal in particular received additional attention of the researchers, as a few dozen popular plugins and modules were also inspected.
  3. Please know we’re not being serious. We do have plans, but this isn’t it. Well, probably.

Published by

Andrew Nacin

Lead developer of WordPress, living in Washington, D.C. Follow me on Twitter.

27 thoughts on “Update your WordPress”

  1. I’d like to see a future release of WP come with an auto-update option (that is activated by default). A new release comes out, WP automatically updates itself. The only downside is if an update breaks something but that’s why backups are mandatory!

    1. I’m strongly against that. How is the average user supposed to back up their blog before upgrading if it upgrades itself? There are much better ways (overlays, e-mailing the blog’s author, etc.). Plus it’s not that unusual for a poorly coded plugin/theme to break after an upgrade.

      My blog updates every hour and backups nightly, but I’m not the average user.

  2. Generally, things that probe my server trying to id my software get blocked. Then again, the WP version is fairly prominent, so it’s not a big deal.

    I actually endorse WordPress to start deactivating functionality after it is a certain number of days old or the version is significantly out-of-date. http://www.planetmike.com/goto/874

  3. Did WP 2.5.1 look like that, I think those were the days? 😉 Had a little chuckle when I noticed what the ”Skip” button was doing (it is however broken like Alex said, I clicked on it a number of times, but it was on the run for a while!) 😛

  4. After updating to WP3.0.1 my site doesn´t work propper
    The plugin wp-simpleviewer is not compatible.
    I´m a WP newbee and do not know how to fix this

  5. I´ve shut down all plugin and one bij one activated them.
    It seems like wp-simpleviewer and W3 Total Cache can´t coexist in WP3.0.1
    W3 Total Cache is the cource Wp-simpleviewer doesn´t work properly

  6. “Piece of mind” is spelled with an “a”. Did they say anything about XMB? Seems like phpBB’s 100% failure rate shouldn’t be too hard to beat. And how does bbpress stack up?


    1. Thanks, I thought I had fixed that typo. They didn’t mention XMB, but I’m certainly hoping it beats phpBB. bbPress was not looked at. They did however look at 25 WordPress plugins, including BuddyPress. Here’s the list:

      add-to-any, advertising-manager, akismet, all-in-one-seo-pack, buddypress, contact-form-7, gd-star-rating, google-analyticator, google-sitemap-generator, newsletter, nextgen-gallery, polldaddy, simple-tags, smart-youtube, sociable, stats, subscribe2, tinymce-advanced, twitter-tools, wp-e-commerce, wp-pagenavi, wp-spamfree, wp-super-cache, wp-useronline, wptouch, yet-another-related-posts-plugin

    1. That’s a Twenty Ten thing. Removed in r14384 it seems. Most browsers auto-detect RSS feeds, though yeah, I’d admit that I would be doing the same search on the page for the link.

        1. I can’t speculate. It should probably be returned. I believe it was part of an effort to remove references to the trackback link, which really just took up space.

          I’ll inquire as to its disappearance.

        1. Chrome doesn’t do this out of the box (yet). It’s my preferred browser (same for miqrogroove), and at this point I only use Firefox for development.

          1. All modern browsers automatically display the link to the RSS feeds in your address bar.

            Emphasis added. 😛

            You know you’re in trouble if Internet Explorer does something your browser can’t.

          2. Now now… There’s an official (by Google) Chrome extension that’s as good as the Firefox implementation.

            I prefer browsers that aren’t weighed down by memory leaks and design by committee 😉

          3. Pfft, so what if my copy of Firefox is currently using 997MB of RAM? 😛

            (Been open for days with hundreds and hundreds of tabs and lots of extensions. Not a big deal though as I’m only using 54% of my RAM.)

        2. Yeeeup, it gives me the blog feed. Auto discovery and content negotiation fall flat on their face, and there’s no way to find the feed without guessing or looking at the HTML headers.

  7. [url=http://www.tory-burch-salesoutlet.net]tory burch sale[/url] a Cool Summer Tory Burch will company with you and you can really enjoy an special and cool summer holiday. Every summer, the flip flops will play a vital role in our daily life. Almost everyone will wear it. One of my friends say that he has flip flops to spend the summer. They are used for wearing, decoration and sometimes they are used for showing handsome. But, the problem is occurred. Many flip flops are easy to broken down. My best friend David then thought a good idea that he use
    [url=http://www.tory-burch-salesoutlet.net]tory burch outlet[/url] Kraft paper bag sets in the feet. That is really a big joke which people all look at him when he walked in the street. Some children even say that he is a mad and is crazy. Then he realized that it must be a nightmare which leads him to dump the crowd for several weeks. That is amazing and unbelievable. At last, I cannot undertake it, so I recommend him to buy one pair of Tory Burch Flip Flop. At first, my friend does not pay attention to it and think that it is useless. Later, he said
    [url=http://www.tory-burch-salesoutlet.net]tory burch handbags[/url] that it is the best flip flop he had ever used. As we all know that Tory Burch is a famous brand which is loved by many young people. And now it has gained more and more popularity among the common people. People all say that Tory Burch is worthy to be owned by you. That is totally right. Now, the hot summer will come. If you want to make your summer become a beautiful memory, please act now and buy Tory Burch Flip Flops then you will gain a lot. More and more people are game
    http://www.tory-burch-salesoutlet.net loverand they often Buy Wow Gold online. I am also the fun of game. I konw a place where can buy dicount and cheap Wow Gold. Tory burch women’s clothes style in 2012 spring Designers Tory.Burch find inspiration from New Mexico, given the Tory Burch 2012 early spring vacation series of women’s deep ranch style. Gorgeous large flower pattern, in long skirt and loose two-piece dresses on the false bloom, clay red duffle coat with printed blue lake straight pant, are shown in New Mexico

Comments are closed.