There's never been a better time to upgrade WordPress

When is the best time to upgrade your blog software?

  1. After the latest release has been out for a few weeks?
  2. When a release is so new it’s burning a hole in the ftp servers?
  3. When there have been a couple of releases because idonthavethetimetoupdateeverysingletime?
  4. Now?

The best time is right now. Spammers are taking advantage of exploits in old versions of WordPress and inserting hidden spam links in posts and using WordPress powered blogs to distribute viruses and malicious software. They’re also using these exploits to run their own code on your server.

This morning I spotted an Irish blog in my feedreader that had hidden links added to it. I contacted the blog owner and she’s going to upgrade her blog soon.

The best way of stopping them is by downloading the latest version of WordPress which at the moment is 2.3.3 2.5 and if you use use WordPress MU you should download version 1.3.3 of that. Once you’ve upgraded change the passwords of all your users. On WordPress MU sites, it’s probably enough to ask any user with site_admin access to change their password. To make your life easier, try the WordPress Automatic Upgrade plugin. I haven’t used it yet but it works for a lot of people.

If you suspect that your blog has been compromised and you have already upgraded then please change your passwords and overwrite your current install with the files from a newly downloaded copy of WordPress. It’s worth checking that no extra php files have been added too.

Running your own blog is about more than just writing and contributing to the blogosphere conversation. You also have an important responsibility to be a good ‘net citizen by keeping your software up to date.

If you absolutely cannot upgrade straight away then adding a .htaccess file in your wp-admin/ directory and adding another username and password level of authentication might help. This page describes how to do that, but it is no substitute for upgrading to WordPress 2.3.3 2.5. You should delete you xmlrpc.php too, thus depriving yourself of pingbacks and desktop blog posting abilities.

Go on, upgrade. After you do it once it doesn’t seem so scary.

Update! To find any posts with hidden links search your posts for any of the following:

  1. display:none;
  2. height:0

You can use the Search box on the posts edit page, or phpMyAdmin.
Open up phpMyAdmin, go to wp_posts, click Search and in the box next to post_content type %string% where string is one of the two options above.
That may return posts that don’t have any hidden links but it’s better to be safe than sorry.

48 thoughts on “There's never been a better time to upgrade WordPress

  1. ok ok you twisted my arm, im upgrading with plugin installed. If you cant listen to your fellow people then who should you trust.

  2. I would be convinced if upgrading WP weren’t such an extraordinary headache. Plugins break, critical functionality is lost–it’s a nightmare if you’re doing anything non-standard with your blog. So sure, if you run a safe and happy default setup why not upgrade now? Anything more complicated and you’re generally better off waiting.

    Two oft-touted WP claims:
    – WP is infinitely extensible
    – WP is more than a blog; it can be a CMS too

    Those claims are valid but they don’t mesh well with the whole “upgrade NOW!!!” messaging piped out through messages like this. If you want to extend WP you’re stuck chasing lazy plugin authors who have no vested interest in upgrading their work (woe be to the blogger that learns to rely on some special piece of functionality they couldn’t code themselves). And of course, plugins are usually required to make a real CMS of WordPress. It’s a shockingly easy cycle to get into: spruce up your WP install, fail the next upgrade, scramble to look for updates or fixes when your crucial plugins break, and then repeat three months later.

    2.5 looks cool… but no thanks, I’ll wait a little while.

  3. I couldn’t agree more. My site languished in version 1.x for months, until I came across the WPAU plugin, did a full root backup, launched, it and leaped to 2.3.3…one fell-swoop. Site fully updated. Did the same for all my other blogs and wrote about the experience on Sciencetext.com

    db

  4. Upgrade, scary? I’ve never had a piece of software so easy to upgrade. I’m running 2.5 RC2 and having a blast. Hadn’t heard of the Auto upgrade plugin. Will have to try that soon.

  5. Iva – if that was a brand new install, without upgrading, can you email security @ wordpress.org then? I’d love to hear more!

    Christopher – MU will follow shortly after 2.5 is released, but I’m not sure about bbpress.

  6. Donncha, thanks for responding to me and sorry that my initial comment up there was so, well, lame. I didn’t want to write a whole novel before being sure that this is actually a “new” kind of a problem.

    The story goes like this: I have been using WP since 1.2 on a very large website and I’m always erasing things completely before each upgrade according to the manual (apart from and I was not using any sort of an automated installation gizmo (the website in question is hosted with Servage). I check every single folder of the installation every day, my .htaccess is properly CHMOD’ed, yet I ended up with “yayayayayaya” randomly added at the end of my index.php file and, the week before, the gallery on my site, powered by Gallery2 and using the WPG2 plugin, had zillions of spam links inserted into it twice.

    That is why I’m not 100% sure if it’s WP, Gallery2 or both, as the “yayayayayaya” thing happened after the gallery no longer had security issues.

    My other sites, including the one posted with my comments, did not have that problem. And they all run on WP 2.3.3; but they’re hosted on a server with control panel and the more “usual” set-up.

  7. I’ve always kept up to date with mine, i was wondering, how would i tell if my site has hidden links or suchlike?
    I’m pretty sure my install is clean, i upload new trunk / rc most days at the moment.. 😛

  8. Iva – change your passwords, including your admin password even if you never login as that user. That should stop them! I’ll email you further details.

  9. Actually, it is worth waiting for 2.5. Otherwise you’ll need to upgrade in a few weeks anyway. It isn’t worth updating until then.

  10. So if I’m reading the sentence on xmlrpc.php correctly– If I don’t want to accept pingbacks and I don’t use any desktop applications to manage my WP install, can I safely delete xmlrpc.php anyway? (Even though I’m all patched to 2.3.3)

  11. dfb – not if you get hacked in the meantime. You’re better off upgrading immediately, there’s no good reason not to.

    Tim – those are the main uses for it but you can delete that file without damaging the core blogging capability of WordPress. Other things may very well stop working though.

  12. “Christopher – you should upgrade to 2.3.3, you’re almost there and the jump to 2.3.3 is a small one!”

    I have upgraded a few of my sites to 2.3.3 They all use 2.3.x right now. It just takes so long to get all the files uploaded with my slow connection. The upgrade plugin doesn’t work for me *sigh*

    That’s why I’m waiting for 2.5 and the corresponding versions of MU and bbpress.

  13. I’m on version 2.2 which is only a little bit behind. And I don’t think I get enough traffic to worry about spammers, but who knows. What concerns me about this Upgrade Now idea is that I can upgrade my own WordPress install but what about all those other ones that I’ve created? I created the site for them so I still have their login details knocking about somewhere. Should I go ahead and upgrade them on their behalf?

    Is it really that urgent?

  14. Arup – it really is urgent. If your site can be found through a Google search then you’re vulnerable. Any older WP install should be upgraded ASAP.

    It’s becoming obvious that a dedicated group of hackers or script kiddies are targeting older installs. Not upgrading is like not getting the flu jab when you’re in the high risk categories. It doesn’t make sense not to.

    Christopher – you could try moving all your WordPress installs into one folder and using a switch statement in wp-config.php based on the domain name. I have a number of sites running off one install and upgrading them all is dead easy. Must blog about that ..

  15. The thing that always worries me is this: 2.3.3 is a known quantity and has had several security updates. 2.5 has a lot of new code — what if it has vulns in it? (It almost certainly has, just as 2.3.0 did).

    Isn’t No. 1 above the best option — wait a while for the first 2.5.x security update?

    BTW Donncha I’d love to hear how you run several sites off one install!

  16. The thing that always worries me is this: 2.3.3 is a known quantity and has had several security updates. 2.5 has a lot of new code — what if it has vulns in it? (It almost certainly has, just as 2.3.0 did).

    Isn’t No. 1 above the best option — wait a while for the first 2.5.x security update?

    Not really. Security updates that would have been put into 2.3.3 (and called 2.3.4 or whatever) will most likely be put into 2.5 and the vulnerabilities left in 2.3.3. So your choice, risk that nothing major has been left out of 2.3.3 or go to 2.5 and know that it’s as secure as it can be on release date.

    If anything is found post-release, 2.5.x will be released.

    For people with slow connections, why not try the SVN upgrade method?

  17. Donncha, how many sites do you have that use the same set of files?

    I maintain multiple sites on one set of WordPress files (see my experience here) and I find upgrading anything, even a plugin, to be a lot of work because I have to visit every site, disable plugins, upgrade, then visit each site again to enable plugins.

    Do you have a different procedure? How do you upgrade quickly when using the same set of files?

    Thanks,
    David

  18. David – sure. I think there’s 4 or 5 sites using the one install of WP. I just copy the upgraded plugin files into the plugin directory overwriting the old versions. It’s always worked for me so far and upgrades those sites immediately. I don’t bother deactivating and activating the plugins.

  19. For the record, Ray’s argument swayed me and I upgraded (well, I love new stuff, so I was probably going to do it anyway 😉 ).

    WP 2.5 really is lovely!

    Only one thing threw me, and I think this happened to me before — when visiting upgrade.php, I just sat there, refreshing occasionally, expecting something to happen. I didn’t realise the big “Upgrade WordPress” at the bottom was actually a link you had to click! Could do with being styled a bit more “link” like. Or maybe it’s just me.

  20. Just wondering if something can be done about the font size on WordPress (I’m with global teacher which uses wordpress + edublog). The only way to change the font is by selecting the text to a different sized header (so ti comes out in bold). Being able to change the line spacing and font size would be great.

    Also, wonder if there is a glitch with uploading webslides and videos. Had a terrible time trying to do this despite webslides saying “past this code into your wordpress blog”.

    Many thanks
    Marie

  21. Marie – unfortunately that’s a theme dependent problem, although I must say I haven’t had a problem reading any of the WordPress blogs I come across (apart from the classic theme, that looks awful in Linux!)
    I guess you’re probably using the Visual editor? Switch to HTML and pasting in the embed and img code will work.

  22. Hi,

    I’m upgrading right now. Nevertheless, I’m a little scared 😉 Will my theme still work after the upgrade? Will my backups backup everything?

    Regarding the embed problems: I know them very well.
    Even if I embed the code in the code tab – this code corrupts somehow when saving the entry more than one time. This corrupts the site design too.
    I have to delete the code then and embed the original one. If I want to change something, I have to embed the original code everytime I save!
    It’s really annoying. Anybody experienced similar oddities?

    Thanks for this article,

    Christian

  23. It’s weird – I’ve never found ANYTHING as easy to upgrade as WordPress -all I ever do is drag and drop the new version into my web site folder and bang, there she is… upgraded. Granted, there’s been the odd issue with some plugins, but never anything major!

  24. There is never a better time to upgrade? But when will you upgrade wordpress mu to the latest version? Are you guys working on it? There is no news about it whatsoever.

  25. Before upgrading, I do check to see if all my critical plugins have been certified as compatible on the WordPress site, or just visit each of the critical plugins’ websites to see if anyone else is having any problems. Notice I said CRITICAL plugins. If it’s just a “nice to have” plugin then I’ll upgrade and just see if it still works.

  26. One issue I had is that the admin log in page after upgrading seems to have no style sheet attached. Also, my 2.5 version had much less files in the wp-content folder.

  27. This is of course, not on my blog, which is host by wordpress.org but on a test site I run on my computer (im testing before I make the real change on a clients site)

Leave a Reply