When is the best time to upgrade your blog software?
- After the latest release has been out for a few weeks?
- When a release is so new it’s burning a hole in the ftp servers?
- When there have been a couple of releases because idonthavethetimetoupdateeverysingletime?
- Now?
The best time is right now. Spammers are taking advantage of exploits in old versions of WordPress and inserting hidden spam links in posts and using WordPress powered blogs to distribute viruses and malicious software. They’re also using these exploits to run their own code on your server.
This morning I spotted an Irish blog in my feedreader that had hidden links added to it. I contacted the blog owner and she’s going to upgrade her blog soon.
The best way of stopping them is by downloading the latest version of WordPress, which at the moment is 2.5 (updated from 2.3.3), and if you use WordPress MU you should download version 1.3.3 of that. Once you’ve upgraded, change the passwords of all your users. On WordPress MU sites, it’s probably enough to ask any user with site_admin access to change their password. To make your life easier, try the WordPress Automatic Upgrade plugin. I haven’t used it yet but it works for a lot of people.
If you suspect that your blog has been compromised and you have already upgraded then please change your passwords and overwrite your current install with the files from a newly downloaded copy of WordPress. It’s worth checking that no extra php files have been added too.
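One way to do that check, as an added example (this is not code from the post or from WordPress): a Python script that compares the PHP files of the live install against a freshly downloaded copy, listing PHP files the fresh copy does not have and core files whose contents differ from it. Both directories are assumed to be on local disk (`install_dir` and `fresh_dir` are hypothetical paths); to demonstrate, it builds constructed sample trees in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths where a live install is expected to carry PHP files the fresh download lacks.
EXPECTED_PREFIXES = ("wp-content/plugins/", "wp-content/themes/")


def php_files(root):
    """Set of *.php paths under root, relative to root, using forward slashes."""
    root = Path(root)
    return {p.relative_to(root).as_posix() for p in root.rglob("*.php") if p.is_file()}


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def extra_php_files(install_dir, fresh_dir):
    """Split PHP files present only in the live install into (suspicious, plugin_or_theme).
    Plugin and theme files are expected to differ; anything else, wp-config.php aside,
    has no business being there (wp-content/uploads/ especially)."""
    extra = php_files(install_dir) - php_files(fresh_dir)
    suspicious = sorted(p for p in extra if not p.startswith(EXPECTED_PREFIXES) and p != "wp-config.php")
    addons = sorted(p for p in extra if p.startswith(EXPECTED_PREFIXES))
    return suspicious, addons


def modified_core_files(install_dir, fresh_dir):
    """Core PHP files whose contents differ from the fresh copy (what an overwrite would reset)."""
    install, fresh = Path(install_dir), Path(fresh_dir)
    common = php_files(install_dir) & php_files(fresh_dir)
    return sorted(p for p in common if sha256(install / p) != sha256(fresh / p))


def audit(install_dir, fresh_dir):
    suspicious, addons = extra_php_files(install_dir, fresh_dir)
    return {"extra": suspicious, "addons": addons, "modified": modified_core_files(install_dir, fresh_dir)}


def build_demo_trees(base):
    """Constructed sample trees (not a real install): a fresh copy, and a live install with
    a plugin, a dropped file under uploads/, and junk appended to index.php."""
    fresh, live = Path(base) / "fresh", Path(base) / "live"
    core = {
        "index.php": "<?php require './wp-blog-header.php';\n",
        "wp-blog-header.php": "<?php // loads WordPress\n",
        "wp-admin/admin.php": "<?php // admin screens\n",
    }
    for root in (fresh, live):
        for rel, body in core.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    extras = {
        "wp-config.php": "<?php // site settings\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // plugin\n",
        "wp-content/uploads/x.php": "<?php // should not be here\n",
    }
    for rel, body in extras.items():
        (live / rel).parent.mkdir(parents=True, exist_ok=True)
        (live / rel).write_text(body)
    with open(live / "index.php", "a") as f:
        f.write("yayayaya\n")  # trailing junk appended to a core file
    return str(live), str(fresh)


def run_demo():
    """Build the constructed trees in a temp dir and audit them; returns the audit result."""
    with tempfile.TemporaryDirectory() as tmp:
        live, fresh = build_demo_trees(tmp)
        return audit(live, fresh)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Plugin and theme files are reported separately because they are supposed to be absent from a fresh download; a PHP file under wp-content/uploads/ or a changed core file is what you overwrite and then investigate. Point `audit()` at your web root and at an unpacked copy of the same WordPress version to run it against a real site.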
Running your own blog is about more than just writing and contributing to the blogosphere conversation. You also have an important responsibility to be a good ‘net citizen by keeping your software up to date.
If you absolutely cannot upgrade straight away then adding a .htaccess file in your wp-admin/ directory that requires a second username and password might help. This page describes how to do that, but it is no substitute for upgrading to WordPress 2.5 (updated from 2.3.3). You should delete your xmlrpc.php too, thus depriving yourself of pingbacks and desktop blog posting abilities.
Go on, upgrade. After you do it once it doesn’t seem so scary.
Update! To find any posts with hidden links search your posts for any of the following:
- display:none;
- height:0
You can use the Search box on the posts edit page, or phpMyAdmin.
Open up phpMyAdmin, go to wp_posts, click Search and in the box next to post_content type %string% where string is one of the two options above.
That may return posts that don’t have any hidden links but it’s better to be safe than sorry.
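The same search as an added example, not anything from the post: a Python scanner that goes one step beyond the `%display:none;%` and `%height:0%` substring matches by parsing each post body and reporting only links that actually sit inside an element hidden by one of those styles, so a legitimate `height:0.5em` is not flagged. The sample posts are constructed; to run it over a real site you would feed it `ID` and `post_content` rows exported from wp_posts.

```python
import re
from html.parser import HTMLParser

# The two style fragments the post tells you to search for; the regex also tolerates
# spacing variants ("display : none") and ignores non-zero heights such as 0.5em.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|height\s*:\s*0(?![\d.]*[1-9])", re.I)

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "param", "source"}


class HiddenLinkScanner(HTMLParser):
    """Collects hrefs of <a> tags that sit inside an element hidden by inline style."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden) for each open element
        self.hidden_links = []   # hrefs found inside hidden elements

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        parent_hidden = self.stack[-1][1] if self.stack else False
        style = attrs.get("style") or ""
        hidden = parent_hidden or bool(HIDDEN_STYLE.search(style))
        if tag == "a" and hidden:
            self.hidden_links.append(attrs.get("href") or "")
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed inner tags.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(post_content):
    """Return the hrefs of links hidden by display:none or height:0 in one post body."""
    scanner = HiddenLinkScanner()
    scanner.feed(post_content)
    scanner.close()
    return scanner.hidden_links


def scan_posts(posts):
    """posts: iterable of (post_id, post_content). Returns {post_id: [hrefs]} for flagged posts only."""
    flagged = {}
    for post_id, content in posts:
        links = find_hidden_links(content)
        if links:
            flagged[post_id] = links
    return flagged


# Constructed sample posts (not real data): 2 and 3 carry injected hidden links,
# 4 uses a tiny height legitimately and must not be flagged.
SAMPLE_POSTS = [
    (1, '<p>Went hiking today. <a href="http://example.com/photos">Photos</a>.</p>'),
    (2, '<p>Nice weather.</p><div style="display:none;"><a href="http://spam.example/pills">pills</a> '
        '<a href="http://spam.example/casino">casino</a></div>'),
    (3, '<p>Review.</p><span style="height:0; overflow:hidden"><p><a href="http://spam.example/loans">loans</a></p></span>'),
    (4, '<p>Small icon: <img style="height:0.5em" src="/icon.png"> and <a href="/about">about</a></p>'),
]

if __name__ == "__main__":
    for post_id, links in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: hidden links -> {links}")
```

Hidden state is inherited down the element stack, so a link nested several tags deep inside a `display:none` wrapper is still reported, while the wrapper's own text is not; that is the difference between this and a plain substring search, which would also flag post 4.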
Tags: irishblogs, WordPress, wordpressmu

March 28th, 2008 at 5:25 pm
ok ok you twisted my arm, I’m upgrading with plugin installed. If you can’t listen to your fellow people then who should you trust.
March 28th, 2008 at 5:57 pm
I would be convinced if upgrading WP weren’t such an extraordinary headache. Plugins break, critical functionality is lost–it’s a nightmare if you’re doing anything non-standard with your blog. So sure, if you run a safe and happy default setup why not upgrade now? Anything more complicated and you’re generally better off waiting.
Two oft-touted WP claims:
- WP is infinitely extensible
- WP is more than a blog; it can be a CMS too
Those claims are valid but they don’t mesh well with the whole “upgrade NOW!!!” messaging piped out through messages like this. If you want to extend WP you’re stuck chasing lazy plugin authors who have no vested interest in upgrading their work (woe be to the blogger that learns to rely on some special piece of functionality they couldn’t code themselves). And of course, plugins are usually required to make a real CMS of Wordpress. It’s a shockingly easy cycle to get into: spruce up your WP install, fail the next upgrade, scramble to look for updates or fixes when your crucial plugins break, and then repeat three months later.
2.5 looks cool… but no thanks, I’ll wait a little while.
March 28th, 2008 at 7:08 pm
I couldn’t agree more. My site languished in version 1.x for months, until I came across the WPAU plugin, did a full root backup, launched it, and leaped to 2.3.3… one fell swoop. Site fully updated. Did the same for all my other blogs and wrote about the experience on Sciencetext.com
db
March 28th, 2008 at 7:34 pm
Yep, got hit with that one as well. Instinctively, I upgraded WP and changed my password.
March 28th, 2008 at 7:45 pm
Absolutely spot on… especially that plugin. I even used it to upgrade a couple blogs of mine to 2.5-RC2. Worked like a charm!
March 28th, 2008 at 8:44 pm
Upgrade, scary? I’ve never had a piece of software so easy to upgrade. I’m running 2.5 RC2 and having a blast. Hadn’t heard of the Auto upgrade plugin. Will have to try that soon.
March 28th, 2008 at 9:30 pm
Will an upgraded version of WordPress-MU and BBpress be released with WP 2.5?
I really don’t want problems integrating them.
March 28th, 2008 at 9:32 pm
I had hidden links ON 2.3.3. O_O
March 28th, 2008 at 9:38 pm
Iva - if that was a brand new install, without upgrading, can you email security @ wordpress.org then? I’d love to hear more!
Christopher - MU will follow shortly after 2.5 is released, but I’m not sure about bbpress.
March 28th, 2008 at 9:40 pm
How can you tell if you have hidden links?
If they are hidden how can you spot them?
March 28th, 2008 at 9:56 pm
Donncha, thanks for responding to me and sorry that my initial comment up there was so, well, lame. I didn’t want to write a whole novel before being sure that this is actually a “new” kind of a problem.
The story goes like this: I have been using WP since 1.2 on a very large website and I’m always erasing things completely before each upgrade according to the manual (apart from and I was not using any sort of an automated installation gizmo (the website in question is hosted with Servage). I check every single folder of the installation every day, my .htaccess is properly CHMOD’ed, yet I ended up with “yayayayayaya” randomly added at the end of my index.php file and, the week before, the gallery on my site, powered by Gallery2 and using the WPG2 plugin, had zillions of spam links inserted into it twice.
That is why I’m not 100% sure if it’s WP, Gallery2 or both, as the “yayayayayaya” thing happened after the gallery no longer had security issues.
My other sites, including the one posted with my comments, did not have that problem. And they all run on WP 2.3.3; but they’re hosted on a server with control panel and the more “usual” set-up.
March 28th, 2008 at 10:00 pm
I’ve always kept up to date with mine, I was wondering, how would I tell if my site has hidden links or suchlike?
I’m pretty sure my install is clean, i upload new trunk / rc most days at the moment..
March 28th, 2008 at 10:01 pm
Iva - change your passwords, including your admin password even if you never login as that user. That should stop them! I’ll email you further details.
March 28th, 2008 at 10:03 pm
I will do it right now, thanks for help! Seems it’s serious. Ouch. O_O
March 28th, 2008 at 10:12 pm
Donncha,
Thanks for the feedback. I guess I’ll have to cross my fingers and hope that they will be updated quickly.
March 28th, 2008 at 10:17 pm
George, they usually add it AFTER everything else.
March 28th, 2008 at 10:20 pm
George - I updated my post with those instructions. It’s easy enough to use the posts search box to find them.
March 28th, 2008 at 10:21 pm
Christopher - you should upgrade to 2.3.3, you’re almost there and the jump to 2.3.3 is a small one!
March 28th, 2008 at 10:59 pm
Actually, it is worth waiting for 2.5. Otherwise you’ll need to upgrade in a few weeks anyway. It isn’t worth updating until then.
March 28th, 2008 at 11:00 pm
So if I’m reading the sentence on xmlrpc.php correctly– If I don’t want to accept pingbacks and I don’t use any desktop applications to manage my WP install, can I safely delete xmlrpc.php anyway? (Even though I’m all patched to 2.3.3)
March 28th, 2008 at 11:18 pm
dfb - not if you get hacked in the meantime. You’re better off upgrading immediately, there’s no good reason not to.
Tim - those are the main uses for it but you can delete that file without damaging the core blogging capability of WordPress. Other things may very well stop working though.
March 28th, 2008 at 11:58 pm
“Christopher - you should upgrade to 2.3.3, you’re almost there and the jump to 2.3.3 is a small one!”
I have upgraded a few of my sites to 2.3.3. They all use 2.3.x right now. It just takes so long to get all the files uploaded with my slow connection. The upgrade plugin doesn’t work for me *sigh*
That’s why I’m waiting for 2.5 and the corresponding versions of MU and bbpress.
March 29th, 2008 at 12:54 am
I’m on version 2.2 which is only a little bit behind. And I don’t think I get enough traffic to worry about spammers, but who knows. What concerns me about this Upgrade Now idea is that I can upgrade my own Wordpress install but what about all those other ones that I’ve created? I created the site for them so I still have their login details knocking about somewhere. Should I go ahead and upgrade them on their behalf?
Is it really that urgent?
March 29th, 2008 at 8:54 am
Arup - it really is urgent. If your site can be found through a Google search then you’re vulnerable. Any older WP install should be upgraded ASAP.
It’s becoming obvious that a dedicated group of hackers or script kiddies are targeting older installs. Not upgrading is like not getting the flu jab when you’re in the high risk categories. It doesn’t make sense not to.
Christopher - you could try moving all your WordPress installs into one folder and using a switch statement in wp-config.php based on the domain name. I have a number of sites running off one install and upgrading them all is dead easy. Must blog about that ..
March 29th, 2008 at 12:50 pm
>>Rex
Did you read the post??? Donncha was referring to upgrading your Wordpress installation to 2.3.3 , NOT the RC of 2.5 !
March 29th, 2008 at 9:09 pm
2.5 was released today. Get your upgrades going!
March 30th, 2008 at 12:36 pm
The thing that always worries me is this: 2.3.3 is a known quantity and has had several security updates. 2.5 has a lot of new code — what if it has vulns in it? (It almost certainly has, just as 2.3.0 did).
Isn’t No. 1 above the best option — wait a while for the first 2.5.x security update?
BTW Donncha I’d love to hear how you run several sites off one install!
March 30th, 2008 at 12:44 pm
Thanks for the help Donnacha : )
Working like a dream!
March 30th, 2008 at 6:50 pm
Not really. Security updates that would have been put into 2.3.3 (and called 2.3.4 or whatever) will most likely be put into 2.5 and the vulnerabilities left in 2.3.3. So your choice, risk that nothing major has been left out of 2.3.3 or go to 2.5 and know that it’s as secure as it can be on release date.
If anything is found post-release, 2.5.x will be released.
For people with slow connections, why not try the SVN upgrade method?
March 31st, 2008 at 1:13 am
Donncha, how many sites do you have that use the same set of files?
I maintain multiple sites on one set of WordPress files (see my experience here) and I find upgrading anything, even a plugin, to be a lot of work because I have to visit every site, disable plugins, upgrade, then visit each site again to enable plugins.
Do you have a different procedure? How do you upgrade quickly when using the same set of files?
Thanks,
David
March 31st, 2008 at 7:40 am
David - sure. I think there’s 4 or 5 sites using the one install of WP. I just copy the upgraded plugin files into the plugin directory overwriting the old versions. It’s always worked for me so far and upgrades those sites immediately. I don’t bother deactivating and activating the plugins.
March 31st, 2008 at 10:23 pm
For the record, Ray’s argument swayed me and I upgraded (well, I love new stuff, so I was probably going to do it anyway).
WP 2.5 really is lovely!
Only one thing threw me, and I think this happened to me before — when visiting upgrade.php, I just sat there, refreshing occasionally, expecting something to happen. I didn’t realise the big “Upgrade Wordpress” at the bottom was actually a link you had to click! Could do with being styled a bit more “link” like. Or maybe it’s just me.
April 1st, 2008 at 7:05 pm
i haven’t upgraded to 2.5 yet…i’ll hold out another few days I think.
April 2nd, 2008 at 4:08 am
Just wondering if something can be done about the font size on Wordpress (I’m with global teacher which uses wordpress + edublog). The only way to change the font is by selecting the text to a different sized header (so it comes out in bold). Being able to change the line spacing and font size would be great.
Also, wonder if there is a glitch with uploading webslides and videos. Had a terrible time trying to do this despite webslides saying “past this code into your wordpress blog”.
Many thanks
Marie
April 2nd, 2008 at 9:36 am
Marie - unfortunately that’s a theme dependent problem, although I must say I haven’t had a problem reading any of the WordPress blogs I come across (apart from the classic theme, that looks awful in Linux!)
I guess you’re probably using the Visual editor? Switch to HTML and paste in the embed and img code and it will work.
April 2nd, 2008 at 2:47 pm
Hi,
I’m upgrading right now. Nevertheless, I’m a little scared
Will my theme still work after the upgrade? Will my backups backup everything?
Regarding the embed problems: I know them very well.
Even if I embed the code in the code tab - this code corrupts somehow when saving the entry more than one time. This corrupts the site design too.
I have to delete the code then and embed the original one. If I want to change something, I have to embed the original code everytime I save!
It’s really annoying. Anybody experienced similar oddities?
Thanks for this article,
Christian
April 2nd, 2008 at 11:43 pm
It’s weird - I’ve never found ANYTHING as easy to upgrade as WordPress - all I ever do is drag and drop the new version into my web site folder and bang, there she is… upgraded. Granted, there’s been the odd issue with some plugins, but never anything major!
April 3rd, 2008 at 1:40 pm
There is never a better time to upgrade? But when will you upgrade wordpress mu to the latest version? Are you guys working on it? There is no news about it whatsoever.
April 3rd, 2008 at 1:52 pm
Marcie - I’m working on it and mentioned it a few times on the forum. Hopefully have an RC for people to test soon.
April 3rd, 2008 at 6:09 pm
Before upgrading, I do check to see if all my critical plugins have been certified as compatible on the Wordpress site, or just visit each of the critical plugins’ websites to see if anyone else is having any problems. Notice I said CRITICAL plugins. If it’s just a “nice to have” plugin then I’ll upgrade and just see if it still works.
April 9th, 2008 at 11:17 pm
One issue I had is that the admin log in page after upgrading seems to have no style sheet attached. Also, my 2.5 version had much less files in the wp-content folder.
April 9th, 2008 at 11:18 pm
This is of course not on my blog, which is hosted by wordpress.org, but on a test site I run on my computer (I’m testing before I make the real change on a client’s site)
April 13th, 2008 at 3:49 am
There’s also the post by Matt Cutts with some good tips.
http://www.mattcutts.com/blog/.....tallation/
And
Stopbadware.org
http://googlewebmastercentral......-what.html
And if this gets past your akismet, I’ll be surprised.
Chris
April 19th, 2008 at 5:28 pm
I have a friends blog I upgraded to 2.2 and am having problems uploading photos.
There’s an extra hash mark in the link after secretgarden
IE http://raineweaver.com/secretgarden//
Even taking it out doesn’t make photos appear and I have no idea how to fix it.