SecurityFocus SQL Injection Bogus

Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire” and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team is sifting through things to see what’s valid or not.

A valid security report looks like this, it usually includes sample code and a detailed description of the problem. The WP security team was notified of the KSES problem and it was fixed in 2.5. You can impress your friends by saying whether a security report is valid or not, so it’s a good critical facility to pick up.

All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy, you’ll remember this is one of the main reasons I came out against sponsored themes.) Google has some guidelines as well, what to do if your site is hacked. If I were to suggest WordPress-specific ones, I would say:

  1. Upgrade your blog to the latest WP. This shouldn’t be hard. There are plugins for it, if you’re techy use Subversion, there is the standard FTP method, and finally Media Temple, Dreamhost, and Bluehost (through SimpleScripts) all have been pretty good about having their one-click upgrade systems ready with new versions within a day or two of a release. If your host is chronically behind, vote with your wallet and switch.
    • If you need someone to help you upgrade, consider hiring help on the wp-pro mailing list. (It has close to a thousand subscribers and consultants on it.) Or you could always ply a geeky friend with caffeine, libations, food, or gadgets. Just get them to setup a system lik the above so you can do it yourself next time.
  2. Change your passwords, for yourself and any other users you have on the system. If the attacker grabbed your password when you were on an old version, they can still log in after you’ve upgraded if you don’t change it. There’s a new password strength meter in 2.5 helps you pick a good password.
  3. Search through your posts for any that might have been modified, and comb through the directories on your web server looking for anything out of the ordinary. Your host may be able to help you with the latter.

If you’re on the latest version, you’ve changed all your passwords, and something still happens to your blog, don’t panic. It’s not your (or WP’s) fault, but there is likely another account on the server which is malicious and the server you’re on is set up in a way that your neighbors can modify your files. The best thing to do here is to contact your host or sysadmin and have them check things out. They can look at the other accounts and log files in a forensic fashion to identify and find the source.

I follow or am involved with many, many WordPress blogs – some that receive millions of pageviews a day and have pageranks of 8 or 9 and are huge targets all the way to small personal blogs. Those that have followed the two basic tenets — keep up with upgrades and use good passwords — have never had a problem. Those that fall behind upgrades, like Al Gore did, have.

If you’re tech-savvy, take a look through your blogroll and see if anyone is on an old version. If they are, consider contacting them to help out. Like a barn raising, if we all work together it’ll happen a lot faster.

I often hear reasons why people don’t want to upgrade, here’s the most common and my best response:

  • I’m scared something will break, or I don’t know how. Ask a friend to help or hire a professional on the aforementioned wp-pro list. Long-term, try to use a plugin like WPAU or a host that will do upgrades.
  • One of my plugins doesn’t work with the new version. This is getting rarer as we have a very public testing cycle for plugin authors to try their stuff with the latest version, but still common. I would suggest checking for an upgrade to the plugin on the author’s site, contacting the author about the incompatibility you found, maybe even donate some money, or finally search for an alternative plugin that provides similar functionality but works with the latest and greatest version of WordPress. In the big picture, though, having a secure site is much more important than the functionality of a single plugin, so you should seriously consider turning off a plugin for a few days instead of putting off core upgrades.
  • I don’t like the new version, they moved my cheese. We believe every new release is better, but sometimes people just aren’t comfortable with a change, which is fine. The good news is that we constantly improve things based on feedback, including interfaces, and that more importantly for almost everything you can imagine annoying you there is a plugin that changes it. For example in 2.5 the page is fixed-width to allow for greater readability, but there’s a plugin to make it stretch to the full width of the window.
  • I modified core files, so upgrades are hard. You should never ever modify core files in WP. If you find you have to, file a ticket for a new hook or filter so your modifications can be a plugin — it makes things so much easier.
  • Upgrades are too frequent. If it takes you more than 5 minutes to upgrade your blog, you’re doing it wrong. Historically we do a major release about 3 times a year, and a minor release about once a month. Minor releases almost never break anything, so they are the easiest. (And often the most important.) WordPress is fast-evolving software, so this is a good problem to have.
  • I don’t know when there’s an upgrade. No excuses here. Since 2.3 we include a big honking notice at the top of your dashboard when there’s a new release available. It’s also worth subscribing to our dev blog, it’s not like it’s going to flood your RSS reader.

Of course the millions of blogs on WordPress.com never worry about any of this, nor do the folks on good hosts that have one-click upgrades. The WP community takes security very seriously and has always done its best to respond diligently to any known problems, but all that work is for naught if you don’t upgrade. Hosting an application yourself is a responsibility. In the future we’re hoping to make this whole thing easier, for example with built-in functionality like WPAU. Until that day though, I hope the above helps. Feel free to copy, republish, or steal this post in whole or part for whatever you like.

116 thoughts on “SecurityFocus SQL Injection Bogus

  1. This is great advice, but the best thing you can do for this problem is to seize on this plugin you alluded to, ensure it is 100% reliable and make it part of the standard install.

    You say that “if it takes more than 5 minutes” to update, that users are doing it wrong. To be honest my updates are pretty fast because I have seized on a geeky subversion technique for doing it, but most users are not so technical. And I STILL find it a mental burden to update when the new releases come out.

    Imagine how the reputation for WordPress would increase if its update process was as easy as Apple’s Software Updates? I would encourage you to make automatic software update a priority as soon as you can. Then you wouldn’t need such a long list of responses for peoples’ excuses for not updating 🙂

    Daniel

  2. Daniel, I totally agree. I didn’t mean to say users are wrong, just that there are some things out there that make it as easy as clicking a button. Core update, like Apple’s or Firefox’s, is a top priority for 2.6 but it’s a tough problem to tackle in heterogeneous hosting environments.

    As more and more people use WP as a platform it’s one of our biggest responsibilities to our users and developers.

  3. It’s also helpful when your hosting provider offers an easy upgrade path. I use DreamHost, for instance, which offers a so-easy 1-click install/upgrade.

    And those guys are really on the ball: with 2.5, they had the upgrade option within two hours of the release being announced.

    You’d still do some prudent prep, eg, backup your database, disable plugins, etc, just as the Codex guide tells you.

    But if you have a host who understands blogs and specifically WordPress, then your life is easy. Well, easier anyway.

  4. Thanks for the clarification. Another point I’ve seen discussion over is whether WordPress 2.3.3 (i.e. the latest version in the 2.3 branch) has any outstanding security issues.

    Matt, are you aware of any vulnerabilities in 2.3.3? This would be useful for those deciding when to upgrade to the 2.5 branch.

  5. Matt, great post. As someone who didn’t keep up-to-date and got one of my sites hacked, I’ll second Daniel Jalkut’s suggestion of building the existing WordPress Automatic Update plugin directly into the WP base. I think it would go far to helping people stay up-to-date. I’ve installed the plugin on the site that got hacked and will be using it… but it’s one of those features that just seems like it should be in the core.

    My 2 cents,
    Dan

  6. Excellent advice. One thing though. Upgrading by FTP typically takes more than 5 minutes for most folks on shared hosting and low end DSL (and that’s a lot of folks). It’s the wait time that gets you. Wait for deleting, wait for upload to finish etc. It’s downright simple once you do it the first time but you still have wait time that takes longer than 5 minutes. I usually unload the dishwasher or work on a post (local blog editor) while I’m waiting for “wp-admin” or “wp-includes” to finish uploading.

    Just so folks don’t think they’re doing it wrong. 😉

  7. Good post, Matt. Unfortunately, the people who may need to read it the most may not get the full benefit of your advice. How can people easily find advice such as this, if they didn’t already know where to find it (like myself and others commenting)?

    I do agree with your assessment about taking more than 5 minutes to upgrade. WordPress is technical enough that you should be asking for someone to help if you can’t adequately handle the upgrade in that amount of time.

  8. One problem with your screed, Matt – and I think it’s a bit misleading and could lead to someone blowing up their WP installation.

    I use bluehost, and indeed, SimpleScripts can do a one-click upgrade – IF (big if) the user originally set up the blog through SimpleScript. Otherwise, SimpleScripts attempts a complete install. If the blog was originally setup using Fantasico (as was mine), the upgrade process was a pain in the butt. Bluehost’s Fantastico panel only had 2.3.3 available as of early last week. And when I did the 2.3.3 upgrade via Fantastico, it blew up big time – BIG time. Only prior backups of my 2.1 install saved me.

    After restoring the database and recovering my 2.1 installation from backup, I downloaded the WPAU plugin, and things went seamlessly (though a bit longer than 5 minutes). Only one plugin broke, and as you noted, not a big deal.

    But the bottom line is that my experience (and this is coming from a bit of a geek) is that this kind of thing is why people are so damn reluctant to violate the principle of, “if it works fine, leave it alone!”. It shouldn’t have taken the Technorati notice to get me to upgrade, but yet the fear of screwing up months (or years) worth of work can instill sheer procrastination even in a geek like me!

  9. I really don’t see anything in wp-comments-post.php that isn’t trimmed or best practices not followed, let alone any real proofs of concepts.

    I doubt if “Multiple SQL injections” passed under the nose of several PHP developers.

  10. Thanks for the strong response, Matt.
    I also occasionally wish that there was a strong upgrade process within the tool, although the notion that an exploit could leverage that very upgrade process makes me glad that WP forces us into a separate toolchain.

    One of the first things I did on reading this alert was look in the code. I’m not an expert PHP developer, but this code swatch (from 2.5) does give me pause:

    /**
    * Escapes content for insertion into the database, for security
    *
    * @param string $string
    * @return string query safe string
    */
    function escape($string) {
    return addslashes( $string );
    // Disable rest for now, causing problems
    /*
    if( !$this->dbh || version_compare( phpversion(), ‘4.3.0’ ) == ‘-1’ )
    return mysql_escape_string( $string );
    else
    return mysql_real_escape_string( $string, $this->dbh );
    */
    }

    We see that the strong mysql_escape_string and mysql_real_escape_string API’s have been commented out in favor of the weak addslashes because of unspecified “problems” by a developer who didn’t leave a name behind in the code.
    Naturally, mysql_real_escape_string is preferred, because addslashes doesn’t catch multibyte character attacks (as we see in http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string)
    So the initial announcement for me – although it didn’t come with exploit code – was backed up by what I saw in the WordPress code base.

    So I think that there is legitimate cause for concern.

  11. Agreed, only do the upgrade through the control panel if you also did the install through there. Otherwise, the WPAU plugin is perfect.

    Skott, that has been discussed on wp-hackers a few times, if you like to bring it up there they can talk you through it. Short answer, as I understand it – it’s only an issue if you have your encoding set to GBK or similar in your wp-config.php file, and people who distribute WP in locales where it would be an issue use the documented workaround.

  12. We are all concerned about security but the comment about plugin compatibility “having a secure site is much more important than the functionality of a single plugin” is not true for all. Some WP sites are built around and 100% completely rely on compatibility with certain plugins. In fact some plugins are the reasons WP is being used in the first place. We have one such plugin. In addition to that plugin we have 19 other plugins in production. It will take a lot more than 5 minutes to check with each plugin author to determine compatibility, make sure latest is ready to go, etc. Oh and when new releases of plugins come out they can break others. Each needs to be implemented and tested one at a time. Oh, and before an upgrade begins one also needs to ensure a themes compatibility too. I’m no theme designer but have started with a free theme and tweaked it to meet the needs of the site. I cant go back to the original developer to check for a new version. I need to test myself in the new version.

    I got lucky going to 2.3.3 all was well. I’m a little more reluctant to go to 2.5 until I can get a dev environment running and perform the upgrade there first. Its just too big a risk doing an upgrade in production.

    Any automatic or one click upgrade process MUST have a roll-back provision. Please make that a priority. If it needs to be a feature request please point me to a place to make it or consider it asked here. Also, as for built in upgrades it should do a compatibility check with plugins and provide a mechanism for plugin upgrades and easy identification of compatible versions.

    Thanks for reading
    The Handyguys
    http://www.handyguyspodcast.com

  13. Handyguys, that’s why we made it such a priority (and delayed the release) to have one-click plugin upgrades in 2.5. Assuming the plugin author uses the repository, you should always know if there’s a new version available.

  14. underscore, that thread looks like a good example of two things I mention in the post: insecure permissions on your host and previously compromised passwords being used with new versions. I don’t see anything that indicates a problem in our posting system though.

  15. Why don’t you provide a patch file for those who have heavily modified boards?

    I now create my own and therefore an upgrade takes about 10 minutes, including the time it takes to create the patch. If would be great if you would provide an official patch file.

    Personally i find the standard WordPress way of delete-everything-and-upload quite horrific.

  16. Roland, because as I mention in the post you shouldn’t ever modify any core files. There are hooks for pretty much everything in WordPress, and if there’s one missing than file a patch and it’ll be in the next version. Also, people savvy enough to make patch files are usually savvy enough to use SVN, which is my favorite method.

  17. I second the option for a more seamless upgrade path. Just last week I wasn’t selecting my files properly and almost overwrote the /wp-content/ folder in the upgrade to 2.5.

    An upgrade that is that dangerous – i.e. having to carefully select and deselect files from a known list in the middle of a multi-page poorly formatted web-based instruction manual – is not a “user friendly” upgrade at all. Neither is having backup my SQL database, files, uploads, etc. every three weeks because a new version comes out and I’m afraid I’m going to accidentally overwrite something or break something in my upgrade.

  18. THANKS a load. WPAU just allowed me to get over my not staying current guilt factor. Next time adbrite cuts a check Techiebuzz is getting a donation for a great piece of work.

  19. The only hesitation I had in upgrading was that it DID take more than 5 minutes… but that’s because of my net connection… grrs. Too forever to upload the new files this time around. 🙁

  20. Things that are, or seem to be, broken, that one can see in the FAQs or other forum discussions, are also offputting. right now I’m thinking particularly of image uploading. I upgraded my site, and now cannot upload images at all, and I’m still waiting for a fix before I upload another site.

    This sounds whiny. It isn’t meant to be. But something as fundamental to so many blogs as uploads is important and two weeks on I’ve not seen a fix yet.

  21. Jeremy, the new flash uploader is a lot more complex than previous things we attempted. Maybe try the plugin that disables it? We usually don’t do a x.x.1 release until at least a month after the release, but there have already been dozens of changes and improvements to the codebase to fix things that weren’t caught by our beta testers.

  22. Good, summary, advice.

    As someone who maintains / upgrades many WordPress sites, the one other suggestion I’d make is offering a reliable “undo” feature on updates. I realize that virtually no software updates come with an undo / revert feature, but it seems possible with WP, and could makes updates less scary.

    Because I am working with highly customized themes that depend on particular plugins, I always test the WP updates on a development site before deploying to live sites. It’s only once that this proved necessary, but it helps me feel confident that I am not about to break a live site.

    Essentially, it’d be nice if, before the update, WordPress would itself backup the current version (copy or rename files, copy or backup database tables). Then, a “restore previous version” option could be used to revert.

  23. Daniel raised an excellent point on automatic upgrades. As the popularity of WordPress spreads further into mainstream web users, (as if it hasn’t already), ease of use is critical. Automatic updates would take WP to the next level, imho.

    This was a great post with alot of relevant links. Thanks for the info Matt!

  24. I run a silly number of WP sites, having migrated pretty much everything over to WordPress in the last year or so. It is both a blessing and a bit if a curse when a new version comes along. A blessing because they are almost without fail an improvement (this latest one is great for multi-author blogs BTW as it is so much easier for non-techies to operate), but a curse as it gives me a couple of days of headaches as my plugins (usually cobbled together by me!) can and do break (multiplied by several sites this is a bit of a chore).

    All that said, updating is very easy and quick, and anyone running sites on their own domain should at least have the rudimentary skills required to do so. I now advocate using only the well updated plugins (they are usually the best in any case!).

  25. While I have updated my personal site to 2.5, I usually wait for a “point-release” after a piece of software receives a major overhaul. The notion there is that large blocks new code has had less eyes on it than older parts of the core, and minor snafus are likely.

    The wide-release usually prompts a flood of bug reports and fixes which in turn becomes the point release. Am I way far off base with this notion?

  26. Stephen, that’s pretty standard, but usually it’s the edge-case bugs or things in weird hosting setups. WP releases get a ton of testing, for example 2.5 had over 50,000 downloads before it was released, so most bugs are squashed far before it ever hits the public.

  27. Thanks Matt.

    The upgrades have been a piece of cake. In fact, if WordPress gets much easier, it’s going to start being surreal.

    Good advice, though, about knowing a BS security alert when you see it.

  28. I have total confidence in WordPress security. The strenght of WordPress is its community. With so many contributors, very few errors escape.

    Thank you for the clarification anyway 🙂

  29. You should never ever modify core files in WP.

    Isn’t this a direct contradiction of the GPL?

    The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program–to make sure it remains free software for all its users.

  30. Morydd, I don’t mean from a legal point of view, I mean from an ease-of-upgrade point of view. WordPress is designed to allow you to make changes through plugins that hopefully work from version to version without requiring major modification.

  31. As someone who is in charge of researching and implementing new technology, I certainly can feel the statement: “We believe every new release is better, but sometimes people just aren’t comfortable with a change, which is fine.” A lot of people, especially ones who aren’t tech savvy, think change is bad or that things have broken so they resist. It can be a very frustrating double standard.

    Also, your comment on web-hosts and their one-click upgrade. Media Temple does in fact offer “One-Click Applications” but they do state before you click that the WordPress “One-Click Install” is not a an upgrade and will overwrite your database (says this in a HUGE red box):

    “Warning
    DO NOT(!) use the one-click installer to upgrade any previously installed One-Click application. It will erase your files and data. To upgrade an individual application, select from one of the links below and follow the instructions”

    They direct you to the upgrade instructions on: WordPress.org

  32. Evan, I’m pretty sure Media Temple has an upgrader too, it’s just in a different part of the interface. Maybe a MT user could confirm?

  33. Hi, Matt

    There is an old English saying “don’t fix what is not broken…”, to me it seems that WP developers forgot that one with the recent WP version. There are so many things that really should be fixed, but let’s leave those good things intact.

    My feeling is that WP team wants to drag us into some kind of car race against other blogging platforms. Do we really need it?

    In my opinion UBUNTU team would be a great example for WP developers, perhaps WP also could have versions (WP branches) that would be supported for let’s say 3 years…

    In that case those who want to stay with older version would be happy and also those who want to have latest and greatest would be happy too.

    People are complaining about plugin (in)compatibility. I’m not talking about 20-40 various plugins that some of them are using, but about essential ones like FeedBurner plugin. How someone can blame us for not upgrading.

    Thanks.

  34. Upgrade hesitation is legitimized when an upgrade removes functionality.

    You say that there’s a plugin for everything… but often it takes a while for those plugins to be created after a new release.

    Of course then you end up upgrading to 2.5 and installing 20 plugins to restore some of the basic functionality like category ID visibility… only to find that 4 months later none of these plugins you’ve suggested work in the next version.

    If you really believe that security is a big deal, then it’s probably a good idea to act like it. Save major interface/functionality changes for major version numbers, and maintain the previous branch with security updates for at least 6 months.

    That’ll show us you’re serious about keeping us safe, while we make time to adjust. WordPress is your full-time job, it shouldn’t need to be ours too.

  35. I’ve got a customer running the latest version of WP along with the latest versions of his few plugins. He’s changed his database password and his WP admin psws and still, every day, someone posts link spam INSIDE existing posts – not as comments. Something is really odd about that. He’s not the only one reporting that behavior either.

  36. Milorad, you may be unfamiliar with the WP release process, but major releases are in the X.X range, and minor releases are X.X.X. So 2.2 to 2.3 is a major release with functionality changes, 2.3.1 to 2.3.2 is just fixes. 3.0 will just be the next version after 2.9.

    We’re fighting version number inflation.

    Tobe, sounds like there might be another malicious account on the server. I’d recommend talking to a sysadmin about it.

  37. That’s all well and good, but a good software developer supports old versions past the release of new versions. In other words, y’all really ought to be putting out security fixes for 2.3 for a while after 2.5 rolls out. There are a number of reasons why people don’t upgrade right away (as you’ve noted) and the reality is that a number of “solutions” that you’ve listed above don’t actually solve things.

    For example: In order to get atom feeds working correctly, I’ve had to hack at least once core file. I don’t file tickets, because WordPress frequently doesn’t bother to fix things, pushing off fixes (like going to Atom 1.0) for three or four releases past when the tickets are filed. Or that horrible email bug introduced in a 2.3.* release. Sure it makes sense from your standpoint to drop some things because the WordPress community’s priorities don’t match with mine. But don’t argue that I am somehow remiss because I have to touch core files.

    It’s also disingenuous to tell people to use plugins to solve one reason for not upgrading, yet tell them to not use plugins for another.

    And remember, the big reason to upgrade quickly is because of security bugs that WordPress introduces but doesn’t fix in older versions, not because people are doing things wrong. When I was managing a software development team professionally, I had to remind them often that it might be easier to only support something in one version, but that puts the onus on the customers to do all sorts of things right. Making it so critical things only had to rely on our team was better than making sure that thousands of customers did things right.

  38. King Rat, we support one new branch and one legacy branch, in line with the Debian model. I don’t know about any Atom bugs in 2.5, if you link me to the ticket I’ll make sure it’s fixed in 2.5.1. I didn’t mean to suggest people not use plugins, just that they keep them up to date and reward responsive developers.

  39. My blog got hacked into twice. I’m one of the ones who has a modified blog, so you can be assured I’ll be changing that part.
    I accidentally did not check the “Run PHP” box when doing a contact table, and that’s where I think my blog was compromised. The second time it got hacked, the link referred to a “blix-rand theme.”
    Hope this helps hunting down the bad guys!

  40. Thanks Matt. I did try the no-flash-uploader, and every other suggestion on the FAQ over at WP Support, all to no avail.

    I’ll just wait for 2.5.1 and hope that does the trick, and do without images for the meantime.

    Uploading images direct by FTP requires yet another plugin to get the info into the WP database so that I can actually use it, and that plugin does not appear to have been updated for a good long while.

  41. Ha Ha, as you know, I discovered my blog got hacked right after you were sitting next to me.

    I set up a 70 year old woman with her own wp blog today on one of my sites.

    She didn’t have to upgrade, just started on 2.5!

    She has already done 3 postings and is having a ball!

    It is my favorite software, and the price? Forgetaboutit!

    By the way Matt, I have a need to possibly do 1000 fresh installs for 1000 people, on a 1000 domains. Do you have any advice on the most efficient way to do it?

    Much Love,
    dk

  42. I agree with the idea of maintaining at least 2 branches at once, and it should be the current and the previous (in this case 2.3 and 2.5)
    I imagine there are many in my shoes. I am currently running 2.3 and do not want to upgrade to 2.5 until bug fixes/security patches come out. I am also not entirely thrilled with 2.5 (I have it on a test blog) and am reluctant to upgrade. At the same time I am worried about 2.3 security and my website having vulnerabilities. There are a lot of reports of bugs in 2.5 and I am fully confident the WP team will fix these but until then I don\’t want to be forced to upgrade.

    Thank you for all you guys do to give me a platform to ramble my thoughts on.

  43. Matt, I am a MT user, there is nothing in the interface that allows you to upgrade your install of any of their One Click applications. They maintain that if you try to use the One Click installer to upgrade, it will over-write your existing database. They then link you to the WordPress.org site for the download and install instructions to upgrade.

    From the MT knowledge-base: http://kb.mediatemple.net/article.php?id=598

    “The current version of the one-click installer does not provide automatic application update capabilities. We are looking into the feasibility of adding this feature, however no timeline has been set for including this functionality. Even if you use the one-click installer we strongly encourage you to become familiar enough with the software you install to perform your own routine maintenance and updates as needed.”

  44. My upgrade from 2.3.3 to 2.5 went horribly wrong. I followed the instructions for FTP upgrading, and when the upgrade was complete…the site blew up and became more and more corrupt as time went on. I cannot even login to the admin area anymore. The kicker is, my backup tar had 2 trojan viruses and some phishing virus of some sort!!

    The end result was I did a clean install in my root via Fantastico and I am having to rebuild the whole site from scratch. VERY inconvienient. An automatic upgrade would be wonderful.

  45. I love WordPress. That said, I am one of those who feel that upgrades are too frequent.

    Your post makes a lot of sense, particularly from the perspective of the reasonably technical person who runs one WordPress blog.

    But the reality is that there are many of us out here who a) run myriad WordPress blogs for ourselves and b) maintain another myriad of blogs for clients.

    This turns a ‘five minute job’ into:

    5 minute job multiplied by x number of blogs + at least one inevitably messy upgrade = unknown quantity of time.

    Over the last year or so, I have felt like every time I turn around there is an upgrade to be done, which is a significant drain on my time, energy and mental focus and which can involve various tasks around contacting clients and managing their upgrade experience.

    As a result, I strongly feel like a more measured approach to upgrades should taken.

    WordPress need to appreciate that if they are going to take the line that it is my responsibility to keep my software up to date, then the upgrades need to be released when crucial only.

    Again, this is my 2c on an issue which has been bothering me of late, but only bothering me because I love WordPress so much… after all, otherwise I’d have moved to another platform long ago 🙂

  46. A new blog was started on 2.3 from the start, upgraded to 2.5 when it came available. BIGGEST disadvantage: it pushes the MySQL engine to it’s limits – and over – quite often; more than 2.2.3 does. No big deal since it well be restarted within 15 minutes, but nevertheless VERY annoying.

    So I kept my older blogs on 2.2.3. They seem more reliable.

    (This has NOTHING to do with my non-standard Operating system in itself. The machine is a bit too small to handle all the load)

  47. Many of us heavily modify our WordPress installations, or rely on plugins that may no longer be supported for newer versions. Sure, WordPress right out of the box is fairly easy to upgrade, but not if you have a lot of modifications and plugins. (And after all, isn’t customization one of the things we all love about WordPress?)

    The difficulty is the WP rolls out a new version quite frequently, and feature upgrades are bundled with security updates.

    I really wish there could just be security patches that we could install, instead of constantly having to upgrade the whole thing. For one thing, when there’s radical changes to the admin interface (like in 2.5), not all of us prefer the change — and more importantly, it can be confusing (and costly) to our clients. For another, it may break modifications and plugins.

    I really think it’s in the interest to the WP community to separate security updates from feature upgrades. A lot of people don’t bother upgrading because everything is working fine and “if it’s not broke, why fix it?” But they don’t realize that they are leaving themselves vulnerable to exploits. As a result, WordPress gains a reputation of being insecure…

    Anyway, love WordPress and appreciate all the hard work you guys do, but I really think this is an issue that is likely to become more and more important as WordPress gains popularity…

  48. Matt,

    As a developer, I know it can “sting” whenever someone finds a bug or a vulnerability in my code. In the case of this vulnerability, I hope you’re not dismissing it just because of that.

  49. I agree, there’s no code you can use. The report does note that the vulnerability is through “wp-comments-post.php.” That’s a start.

    I emailed SecurityFocus asking them if they have any exploit or proof of concept for that report.

  50. just read it today. Thanks for the information Matt!

    Upgrading to WP 2.5 is easy, you just need to follow the instructions correctly.

    Great job WP Team and to Matt!

  51. Have to agree with Tyler. The problem is not the fast development. The problem is not that there are changes.

    The problem is that almost every update is also a security update. So 1) you must upgrade 2) and do it soon. You have no choice. You can’t wait a few weeks or months to wait for plugins to be updated as well. You don’t have the time to “prepare” your clients about the changes that happened to their system. You can’t plan in the update time. Even if upgrading takes 15 mins (remember, backing up etc also takes time), if you have to do 15 sites that’s half a day’s work. If everything goes perfect. I’m almost afraid of going on vacation for a few weeks because in the meantime a security update might come and then I’m not able to upgrade fast enough.

    I can totally understand why this is happening. For (open-source) developers the fun is in developing cool new features. Spending time auditing the whole code-base for security issues is not.

    But remember, for most people using wordpress it’s about running their blogs/sites, managing and publishing content. Not about “playing” with new features and upgrading their site each month.

    So what should be the solution?
    – separate security updates
    – do a massive audit, fix all security issues, make sure they are prevented in the future, before spending more time on new features. I understand this is hard to do for a massive and mostly procedural piece of code like wordpress is, but still I think it pays in the end.

    Having said all this, I still think WP is a great piece of software. It’s just those security and upgrade issues that are draining energy.

  52. Matthijs, the code-base is regularly audited for problems, and we do regular security updates that change no features. We also have maintained a branch of nothing but security updates for several years. The problems are (1) sometimes new features make WP more secure overall, like the new cookie and password system, but that can’t go into the 2.0 branch because it’s too complex and far-reaching (2) we can’t maintain more than 2 versions of concurrent development at once and (3) if there was a magic way to sit down or spend time/money and have 0 security bugs, every company in the world would do it. We have security updates, OS X does, Firefox does, everyone does. It’s better to assume there will be updates and optimize for that case, rather than assume we’ll be the first perfect piece of code in the consumer web space.

  53. “Milorad, you may be unfamiliar with the WP release process”

    Well, firstly I want to thank you for responding to the most substantive parts of my post, by completely ignoring them. That was quite informative indeed.

    I do want to respond to this by saying that whilst I’m painfully familiar with the release process to-date, I’m not particularly a big fan of it.

    I know I should suck it up, but there just seem to be so many people kissing your ass that I think maybe just maybe, it might do some good to hear an opposing point of view every now and then.

    I love wordpress, and I thank you guys for it… but that doesn’t make it (or you) perfect.

    Here’s the way it usually works with 3-part version numbers, perhaps you’re unfamiliar with how everyone else does it.

    The major version number is for large-scale restructure only. This is where you dump deprecated code and perform major restructures which affect 3rd party addons, and which cause significant workflow changes.

    The intermediate version number is for adding features and enhancements without removing any… or for modifying the way certain parts of your code work, but without making dramatic changes to your third-party interface.

    The minor version number is strictly for maintenance releases.. security/bug patches etc, exactly what you’ve been using them for.

    Doesn’t that make things really clear and simple for us to follow? I think so.

    I understand being frugal with version numbers, but the way to do that is to make wholesale destruction of code a rather rare event on your development timeline.

    You can add as much as you want in an intermediate version number — we only complain when you take stuff out or replace it with something that works in an entirely different way.

    … why do I complain? only because you do your best to foster people’s thinking outside the box. You encourage us to extend our wordpress into more than a blog. We like that about you, it’s cool.

    … but when we do that using some really cool third-party addons, and spend all this time hacking away at the perfect theme, it kind of feels like you kick us in the teeth by then claiming the correct approach is to upgrade anyway, and plugins and CMS-themes be damned.

    We’re out there proving to the world what a great product you guys have built… only now, to keep up with wholesale restructures, we have to spend more time on functionality that could be better spent on content.

  54. We do the same thing, just pretend everything was one decimal point over. We don’t do large-scale restructures, which is why 95% of plugins work from release to release. Our release schedule is widely known (3 major releases a year) and we publish the major release targets months beforehand and they are in active public testing starting at least a month before the release date. The entire development process happens on public mailing lists, bug trackers, and every single change to the code is sent out to mailing list of hundreds of people.

  55. Matt, thanks for taking the time to respond to my comment. I do understand that no software is without bugs or security issues. I don’t expect WordPress to be perfect either. But I also do hope you understand my issues.

    If month after month I have to upgrade all my sites because of some urgent security issue and at the same time a lot of new functionality is added (taking a lot of time to develop), it just gives me a feeling the priorities are not on security but elsewhere.

    Maybe that assumption is completely wrong, who knows, I don’t know what’s going on in the headquarters of WP, but it does feel that way. I really don’t want to be overly critical for something that is provided for free. But I do hope that my concerns are heard. Just take it as feedback.

  56. Hi Matt – I think your advice is spot in – its what I advise my coaching clients and people that I work with. I evangelise WordPress and once I’ve done an upgrade for or with a client, they go on a mailing list and if they still need help (cause some people just don’t *do* tech, and that’s ok. I don’t *do* accounting – thier blogs need fixed – and I’m rubbish at keeping track of accounts) I help them.
    And that goes for anyone else that needs a hand with it. I’m currently ‘barn raising’ as Matt put it and offering anyone free upgrades in return for a simple thank you from thier blog.
    Matt’s right though – find a professional that you work well with – and set up a way of always making sure your WP blog is up to date.
    I’d rather have WP fix security issues when they come up than ‘hold’ them until the next milestone, and I’m really enjoying helping, where I can, on the mailing list.

    Kai

  57. One of the blogs I was maintaining was the 2.0 version and was seriously out of date. One of the reasons I think people were crying wolf and saying that the 2.0+ versions were vulnerable was for this reason:

    I believe that they were vulnerable and then updated their blogs. Only after updating did they notice the injected material.

    Unfortunately I was effected by the injection vulnerability because of my laziness to update.

    I have learned a valuable lesson. Even if it hard to update you need to do it anyways.

  58. I’m not the most tech savvy person online, but updates take me about five minutes give or take. I try to read up before I do any kind of install just to be sure I’m up to speed, on anything I should be aware of, keep a readme.txt open, or make a few notes if it’s going to be anything complicated.

    I’m enjoying WP 2.5, still no problems with anything.

  59. Matthijs:

    There are new releases with security updates because the WordPress team considers security to be a priority. I don’t think that they hold back security releases because they’re busy adding new features.

    On the other hand, as I’ve stated on my own site, I agree with King Rat that there should be security updates maintained on the previous point-release for some time after a new feature-release comes out. It doesn’t have to be maintained forever, just for a few months.

  60. I think upgrading wordpress is as easy as we can imagine. I have instructed people who cannot even install a plugin and they have been able to do it. A plugin on wordpress.org named WP Automatic Upgrade has worked on 26 different blogs on 19 diffrent accounts which i have helped friends upgrade free of charge.

    If you find someone who still can’t upgrade and you don’t have enough time to help, please send him/her to me.

  61. Matt I saw your video from the Word whatever thing in Texas. Blogger convention basically. You are a likeable enough chap and well intentioned I’d say so don’t read this as an attack.

    I’ve gotta say, it’s almost as if WordPress is in a competition with phpBB for frequency and sheer number of vulns. We’ve got this sql injection issue and then we learn the salted passwords work great, but users aren’t being educated enough to change the random phrase. http://seclists.org/bugtraq/2008/Apr/0164.html

    I like the functionality of WordPress and I like the features but can’t recommend it to non-techies who want a hands off blogging feature. The problem is the non-techies have their techie friend install it and then never look at it again.

    What I’d like to see is a WordPress.com along the lines of Typepad, where we get a packaged deal that’s not crippled like WordPress.com is. You guys could have the fun of patching and keeping a decent number of plugins available and we’d happliy pay money and blog.

    WordPress will have a black eye soon because of all the comment spam and splogs that are built with it. Much like including the WP logo on prior versions made people associate database connection issues with WordPress regardless of what the problem is. I see that went away in 2.5.

    People used to complain about splogs on Blogger, there are still some, but most of them that I run across these days are on WP. Hell, someone sells a tool to make them.

    This is a prediction from Matt Cutts in his blog for 2008
    “2008 will be the year that hacking and search engine optimization (SEO) collide in a major way. By the end of the year, a nontrivial fraction of blackhat SEO will involve illegally hacking sites for links or landing pages. One webhost will get a significant black eye as hundreds or thousands of customers’ websites are hacked.”

    I think this will turn out true, though it might be one product rather than one web host, or maybe the product that gives them the door is WordPress.

    Food for thought. I’m still running 2.5 for a couple of my blogs.

    Sleeping with one eye open,

    Ryan

  62. This is very cool and very helpful to WP bloggers. I have doing my best to follow the version upgrade. Also, I think the plugin – WP security scan is a good security enhancement to WP, no matter how perfect it does, but this approach. Thanks.

  63. I believe the best thing that could be done is to make an automatic upgrade function in the core. Just like the plugin page does now…there is a new version available, click to update automatically…why not have that functionality built into the “There is a new version of WordPress available…” link. Click the link and “blam” you are upgraded!

  64. Some good points raised matt, thanks.

    I have to admit, it’s pretty hard to maintain a number of WordPress websites simultaneously and keep them up to date. It’s apparent that you guys are aware of this, but the obvious point is that it will take an upgrade to the version where this feature becomes available before one click upgrades will take place 🙂

  65. Matt, regarding SQL scalability etc, one service Automattic could offer on WordPress.com is a $100 – $200 per month paid service which is equivalent to a single dedicated server – then it good go up in price as usage increases.

    Lots of folks who are basically publishers have a suck time when they need to move to a dedicated server once their WordPress blog gets to big.

    I’d buy this service even if there was zero support. All I’d need would be the ability to load my own theme – maybe via svn, and also be in the wordpress.com network so people could easily make comments etc.

    It would also be cool if you also offered hosted Mu. People always have the same problem once there blog gets too big. They’re smart enough to install it for a small user base but once you need multiple database servers etc it just becomes too much for your average punter.

  66. > You can impress your friends by saying whether a security report is valid or not, so it’s a good critical facility to pick up.

    Fail.

    Don’t knock the bug report on securityfocus, you should be happy some kiddie was kind enough to leak a good bug in WordPress 2.5. If you took a few minutes to poke around in wp-comments-post.php then you might have found what RoMaNcYxHaCkEr did. Either way, upgrade to WP 2.6 now.

  67. A corporate blog that I ‘manage’ – running 2.5.1 had it’s entire table dropped last night. Looks like it was via wp-comments-post.php

    I spent the day rebuilding.. you know what it’s like, you only find out how crap your backup is when you need to use it. Lessons have been learned.

  68. Pingback: Psybertron Asks

SHARE YOUR THOUGHTS