The Register is reporting that Al Gore’s climate change site was hacked. I looked at his WordPress blog and it’s running version 2.0.4, which was released in July of 2006, about 16 months ago. I wonder if these people want to upgrade but just need help, and if there’s something we could do as a community to assist them? Like install4free but for upgrades. What’s unfortunate is that people see this as an indicator of WP security; they’re judging us by bugs that have been fixed for more than a year.
People see it as an indicator of WP security because only WP forces people to upgrade for security reasons *so often*.
You’ll always have stragglers unless upgrades are automatic and driven from within the software itself. Firefox does this well – it lets you know there’s an upgrade (I don’t need to subscribe to anything anywhere – it tells me), offers to download in background, and automatically upgrades on next launch of Firefox.
I know it’s hard to have the same seamless user experience for a blog on a server, but if you want to approximate Firefox’s upgrade rates (which I assume are high), you need to approximate the automation in the experience.
Also: ISPs like dreamhost have one click installs for WordPress, but don’t recommend one click upgrades. Last I checked they recommend you delete the old install first.
I don’t think this reflects badly on WordPress at all. A responsible site manager gets the needed upgrades. Doesn’t matter anyway… when the earth bursts into a raging ball of fire, security flaws will be the least of our worries!
I guess Al’s trying to recycle old WordPresses. The man is just green, top to bottom.
It could also have been a very easily guessed password…
Well, when a new WordPress version is released, I upgrade all the blogs of my friends. I think it is a good idea to make something like upgrade4free; if anyone will do it, I can help 🙂
The newest blog post is from September of 2006. Looks a bit neglected. But it would be cool if someone tried contacting them and offering help, perhaps someone a bit more expert than me.
I’ve been thinking about bringing the automated update/upgrade subject for wp/plugins/themes to wp-hackers for a while now. Call it the next *logical* step after the update notification. Unfortunately, every time I think I have something worthy of mentioning, I find a security issue with my approach…
The notices of updates in the Dashboard are a good start, but there needs to be a way for each install to be automatically upgraded with just a click, instead of the current arduous process of downloading the latest version and uploading it manually, making sure not to overwrite the wp-content folder.
I know it’s a very large technical hurdle, but it would be very interesting to see the solution.
The only way you are going to resolve this is by offering an easy way to upgrade WordPress directly from the admin console. Little alerts saying an upgrade is available are not enough. There has to be a simple GUI that automates the process.
One of the reasons Firefox is successful is because the auto-update feature works so well. It is very rare that you stumble across an out-of-date copy of Firefox these days and usually that is because it hasn’t been used in awhile.
That is one of the biggest stumbling blocks for people who want the flexibility of running their own WordPress installation, having no easy way to upgrade.
That’s a shame. Unfortunately it’s always going to be a problem.
People aren’t aware of the importance of keeping things like WordPress updated, especially if you get someone to do a once-off design and then aren’t retaining them to maintain the site.
It’s always going to fall by the wayside.
Perhaps with the new notification that is now present in WordPress, having a glaringly obvious note saying “Please upgrade” will at least get the uninformed end user asking questions of the webmaster?
Yeah, it’s sad that people will see that and think it has to do with WordPress in general.
I’ve found when updated properly the thing is a freakin’ tank.
Geez, he’s Al Gore and he has enough money to hire someone for maintaining a WordPress blog. It’s sad.
Well, you’d think someone with the kind of support behind him like Al Gore would have plenty of people warning him to update his website software. Maybe not; time to start reworking my resume. Oh Mr. Gore..
No surprise that the blog software is outdated–the blog itself hasn’t been updated since September of 2006.
The sad truth is that many many people either don’t realize or don’t care about updates. They’re used to the desktop program paradigm: “I’ve been using this same program for a year now and it works fine: why should I upgrade?” The web is so much different, and it’s a steep learning curve for some people.
Looks like that blog hasn’t been updated since September of last year, at all. Hmmm…
I think you need to have another WordPress 2.3 Upgrade party and make sure an invite gets to Al through his people. That way he can spread the word and prevent things like this from happening to high profile people in the future. Ha ha, I’m a little tired. 🙂
I think it’s that they don’t care that much. If it was working for them, why would they need to upgrade? I don’t know if you would consider this to be an enterprise environment, but I’m sure that they don’t want to have downtime just to upgrade their WP install. I bet it was probably installed through Fantastico or maybe they hacked core files and they don’t want to go through the whole process of creating diff files and merging changes. They may also be incompetent, but that’s an opinion.
Sadly, you will always be judged by the worst possible standard and the worst release ever available. It’s human nature, I think.
OTOH, you might be able to get WordPress quite a public relations coup by offering to help them upgrade for free, aside from a post thanking you for the help.
That’s not a bad idea. I’ve thought about doing something like that before, and maybe now’s the time.
Speaking of WordPress security, I also want to point out that http://www.webdesignerwall.com got hacked last week. I believe (not 100% sure as I’m not a server expert) it was because I left the “wp-config.php” file permission at 777, and someone (a hacker) was able to find out my database information. I quickly recovered the site by changing the permission and database information.
So, to all WordPress users, don’t forget to double check the file permission on your server.
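As an added example (not from this thread and not WordPress’s own code), a small POSIX shell audit for the file-permission mistake Nick La describes: it lists world-writable entries under a site root, checks that wp-config.php cannot be read or written by other users, and fixes it. The directory tree that make_demo_tree builds is constructed for the demo, and the chmod 640 target assumes the file’s owner or group is the web server user.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a WordPress tree for the
# "chmod 777 wp-config.php" mistake. Paths built by make_demo_tree are constructed.

# Print every file or directory below $1 whose "other" write bit is set (666/777),
# as paths relative to the site root.
find_world_writable() {
    (cd "$1" && find . -perm -002 -print | sort)
}

# The "other" permission triplet of a path: "r--" for 644, "rwx" for 777, "---" for 640.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Succeed only if wp-config.php can be neither read nor written by "other".
# The file holds the database credentials; the web server user (owner or group)
# is the only one that needs to read it.
wp_config_is_locked_down() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 1
    case "$(other_perms "$cfg")" in
        *r*|*w*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Remediation: owner read/write, group read, nothing for others.
lock_down_wp_config() {
    chmod 640 "$1/wp-config.php"
}

# Throwaway tree mimicking the situation above: a 777 config next to normally
# permissioned files. Prints the root so callers can clean it up.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-admin"
    printf '<?php // constructed placeholder, not a real config\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/index.php"
    chmod 755 "$d/wp-content" "$d/wp-content/uploads" "$d/wp-admin"
    chmod 644 "$d/index.php"
    chmod 777 "$d/wp-config.php"   # the mistake
    echo "$d"
}

# Stand-alone run: `sh audit.sh --demo` shows the audit before and after the fix.
if [ "${1:-}" = "--demo" ]; then
    site=$(make_demo_tree)
    echo "World-writable before fix:"; find_world_writable "$site"
    lock_down_wp_config "$site"
    echo "World-writable after fix (expect nothing):"; find_world_writable "$site"
    wp_config_is_locked_down "$site" && echo "wp-config.php is locked down"
    rm -rf "$site"
fi
```

Run find_world_writable against the real document root after every upgrade or plugin install; anything it prints other than an upload directory you deliberately opened is worth a look.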
It definitely blows that WP gets judged by this sort of poor management, but is there a really really simple way to upgrade to the latest version without having to worry about losing your customisations or any entries?
I’ve just had a look at a plugin that claims to do this, WordPress Automatic Upgrade… Going to give it a try this afternoon…
Matt, I made an executive decision by myself on behalf of other members ( 😛 ) that we would capitalise it as “Install4Free”. 🙂
I would imagine they haven’t bothered updating their install as the blog itself hasn’t been updated in over a year.
An update4free service could prevent this type of scenario but it would involve a lot more work (backups, plugin compatibility testing, etc) than the relatively simple installations.
Upgrading: the easiest thing you can do to protect your blog. I can see how it might be daunting if you have a lot of custom files and don’t want them to get erased or have to put them all back after an upgrade, but the benefits of having a more secure blog far outweigh the rather minor inconvenience of having to back everything up. Better than having to put everything back together after being hacked, I think.
It’s the same thing with workstations. There are still WinXP boxes around without a service pack… it’s that typical ‘why should I care?’ or ‘what might a hacker want from my PC/site?’.
Ignorance is bliss.
When I set up a WordPress blog for a customer, I tell them that it is *critical* for WP upgrades to be handled promptly. Fortunately, each of my current customers has me managing their blogs, so I install their updates at the same time that I do mine.
Lately, I have found that I can do virtually any WP update inside of ten minutes. It isn’t difficult to do, but it is easy to overlook.
Unfortunately the file permissions required to make one-click upgrading possible would also open the blog up to problems like the one Nick La describes above.
The trouble with upgrades is that there is a much greater possibility of getting something wrong, i.e., losing all the client’s data. For me, upgrading (without SVN) has always been a surgically-precise operation — one mis-click in the FTP client and my photoblog client’s uploaded photos have all been deleted, for instance.
Just doing installations (a la Install4Free) has a much higher success rate, and we are able to do them quickly. I can do a WordPress installation on a cPanel server in under 5 minutes. Upgrades would take much longer, and don’t forget: Install4Free volunteers do their installs in their spare time! We wouldn’t have much time for anything else if we did upgrades as well.
Another thing: upgrades are slightly easier than installations, because there is no database setup involved, as long as you don’t delete wp-config.php. I suspect that 99% of the people that call up Install4Free for installation help do so because of difficulty with database setup. With that out of the equation, it suddenly gets a whole lot easier.
Finally, if people don’t want to have to bear the pain of upgrades that break everything, they can stick with the 2.0 legacy branch. Al Gore’s webmaster wouldn’t have had much trouble if he’d stuck with that. Or, got VIP hosting on WordPress.com. I’m sure Al Gore would be able to find enough coins in his couch/bank account to pay for that. 😉
Weird. You’d think the guy who invented the internet would know better.
/sarcasm 😛
He just didn’t want to waste any energy upgrading!
But, but, he had a consensus of scientists who all agreed he didn’t have to upgrade.
Anyone who insisted he upgrade was obviously in the pocket of Big WordPress.
I guess I’m the only one here running Zirona’s Instant Upgrade plugin? Am I leaving myself wide open to be hacked?
p.s. FWIW, my wp-config isn’t set at 777
Keep your blog updated, lock down your wp-admin folder using .htaccess to allow access only from your IP(s). Also chmod the uploads folder to 755, and change it temporarily to 777 when you need to upload something!
Actually, Dreamhost does have a “one click” upgrade and they tag the previous version with “Old.”
Hey Matt,
I use this. WPAU: http://techie-buzz.com/wordpress-plugins/wordpress-automatic-upgrade-plugin.html
I don’t know if you don’t endorse it or what not, but it seems to do the trick.
Here is my upgrade procedure on a Linux server, using putty to ssh to my server, logging in as root:
1. wget latest.tar.gz into /home
2. tar xzf latest.tar.gz which creates /home/wordpress
3. cd to /home/username/public_html
4. cp -r /home/wordpress .
5. mkdir wp2.x
6. mv wp-includes, wp-admin into /home/username/public_html/wp2.x
7. mv *.* into ./wp2.x
8. cd wordpress
9. mv wp-admin ..
10. mv wp-includes ..
11. mv *.* ..
12. rm -r -f wp-content
13. cd ..
14. rmdir wordpress
15. cd wp2.x
16. mv wp-config.php ..
17. move any other necessary files to ..
18. cd ..
19. mv wp2.x .. (takes it out of the public_html directory)
20. chown of all the directories and files to the username and groupname
21. open the web site and click the upgrade link
That’s it.
The wp-content directory is retained as is because it has my theme(s) and plugins. If a built-in plugin has been upgraded, then I’ll overwrite that last. If a theme gets upgraded, I load it alongside my existing one and manually copy across my edits (slow process).
So I don’t copy files over my existing WordPress files; I do what amounts to a fresh install.
Oh yeah, and I do a complete backup of my MySQL database prior to the upgrade. So far I’ve never deactivated any plugins prior to upgrading, and not had any problems.
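The procedure above, as an added shell script that is neither Richard’s code nor WordPress’s own: it performs the same fresh-install swap (old core moved to a backup directory outside the document root, new wp-admin, wp-includes and top-level files copied in, wp-content and wp-config.php kept) with the pre- and post-checks a maintainer would want before clicking the upgrade link. The release is normally fetched with wget and unpacked with tar xzf; here make_fixture builds a fake old site and a fake unpacked release so the script runs offline, and every version string, file content and path it uses is constructed. The database backup and the final chown are left to the caller, as in the steps above.

```shell
#!/bin/sh
# Added example, not Richard's script or WordPress's own code: the "fresh install
# that keeps wp-content and wp-config.php" upgrade from the comment above, with
# safety checks. make_fixture constructs a fake site and a fake unpacked release.

# Version string from wp-includes/version.php ($wp_version = '2.3.1';).
wp_version() {
    grep 'wp_version' "$1/wp-includes/version.php" | cut -d"'" -f2
}

# upgrade_wordpress SITE RELEASE BACKUP
#   SITE    - live document root, e.g. /home/user/public_html
#   RELEASE - unpacked release directory (what tar xzf latest.tar.gz produces)
#   BACKUP  - where the old core goes; must be outside SITE (step 19 above)
upgrade_wordpress() {
    site=$1; release=$2; backup=$3

    [ -f "$site/wp-config.php" ] || { echo "no wp-config.php in $site" >&2; return 1; }
    [ -d "$release/wp-admin" ] && [ -d "$release/wp-includes" ] \
        || { echo "$release is not an unpacked WordPress release" >&2; return 1; }
    case "$backup" in
        "$site"/*) echo "backup dir must be outside the document root" >&2; return 1 ;;
    esac
    mkdir -p "$backup" || return 1

    # Move the old core (wp-admin, wp-includes, top-level files) out of the way.
    # wp-content stays put: it holds the themes, plugins and uploads.
    for entry in "$site"/* "$site"/.htaccess; do
        [ -e "$entry" ] || continue
        [ "$(basename "$entry")" = wp-content ] && continue
        mv "$entry" "$backup/" || return 1
    done

    # Copy the new core in, skipping the release's own wp-content so the default
    # theme and bundled plugins do not land on top of the site's versions.
    for entry in "$release"/*; do
        [ "$(basename "$entry")" = wp-content ] && continue
        cp -R "$entry" "$site/" || return 1
    done

    # Restore the site's configuration (and .htaccess if it had one).
    cp "$backup/wp-config.php" "$site/wp-config.php" || return 1
    if [ -f "$backup/.htaccess" ]; then cp "$backup/.htaccess" "$site/.htaccess" || return 1; fi

    # Post-conditions before opening the site and clicking the upgrade link.
    [ -f "$site/wp-config.php" ] && [ -d "$site/wp-content" ] && [ -f "$site/wp-includes/version.php" ]
}

# Fake 2.0.4 site plus fake 2.3.1 release; all contents are constructed placeholders.
make_fixture() {
    root=$(mktemp -d)
    site=$root/public_html; release=$root/wordpress
    mkdir -p "$site/wp-admin" "$site/wp-includes" "$site/wp-content/themes/custom" \
             "$site/wp-content/plugins" \
             "$release/wp-admin" "$release/wp-includes" "$release/wp-content/themes/default"
    printf "<?php\n\$wp_version = '2.0.4';\n" > "$site/wp-includes/version.php"
    printf "<?php\n\$wp_version = '2.3.1';\n" > "$release/wp-includes/version.php"
    printf "<?php define('DB_NAME', 'placeholder');\n" > "$site/wp-config.php"
    printf '/* custom theme edits */\n' > "$site/wp-content/themes/custom/style.css"
    printf 'RewriteEngine On\n' > "$site/.htaccess"
    printf '<?php // old admin\n' > "$site/wp-admin/index.php"
    printf '<?php // new admin\n' > "$release/wp-admin/index.php"
    printf '<?php // new index\n' > "$release/index.php"
    printf '/* default theme */\n' > "$release/wp-content/themes/default/style.css"
    echo "$root"
}

# Stand-alone run: `sh upgrade.sh --demo` upgrades the fixture and prints both versions.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    echo "before: $(wp_version "$root/public_html")"
    upgrade_wordpress "$root/public_html" "$root/wordpress" "$root/old-core" && \
        echo "after:  $(wp_version "$root/public_html")"
    rm -rf "$root"
fi
```

The guard on the backup path matters more than it looks: a backup directory left inside public_html is itself served by the web server, so the old, vulnerable wp-admin would remain reachable at a predictable URL.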
@Richard – you would be in the 0.01% of the blogging population who understands what you wrote, let alone be able to do it. Hence the need for a simplified update process.
Even as a web-developer myself, I still rely on Fantastico’s auto update process for most of my WP installs…
Seems none of the sites are crediting the original Author of the story:
http://www.earnersblog.com/wordpress-hacked/
Anyway, seems to be fixed now.
The guy invented the Internet — he never said anything about being the one to do the upgrades.
(Sorry, I had to — it was there.)
It just begs the question why his people weren’t upgrading, when all of us see the same feed messages coming through the back-end to point out that there are security fixes out. Thus, why anyone would really hit WordPress on that issue is beyond me.
When using an open-source app, it is the responsibility of the administrator to keep the site’s software up-to-date. It is very true that automatic upgrades will only open up more security risks.
It’s just a simple upload of files, anyway!
Agreed with Valerie; you’d think he would have seen this coming when he invented the internet. That’s what he gets for not going the extra mile and inventing better security.
And the WordPress Automatic Upgrade plugin mentioned above…I heart. It’s great.
To be honest the whole “Oh, upgrades are so difficult” issue is really just a case of more people needing to learn about Subversion. All my sites are on the latest stable branch with a cron job to run svn up every night. I then just switch the branches when a new major version comes out—not terribly difficult. And before someone says that doing that requires more technical knowledge than most people have, I should point out that firstly it’s very easy to learn (in point of fact, I learned about it initially purely in order to do this) and secondly, all the information is already out there (on the Codex, on blog posts etc.).
And here’s MY method of upgrading, using putty as well:
1 – Make a backup of the DB using the WP_Backup plugin
2 – tar cvfz hd.20071108.tar.gz homedeco >/dev/null
(Make a backup on the server)
3 – svn sw http://svn.automattic.com/wordpress/tags/2.3.1/
(use svn to get the latest version)
4 – Click the upgrade link
I found it to be quicker than the normal 10 – 20 steps needed 😉
I’m pretty bad about upgrading my WordPress.
Until recently, I was running 2.1.3 (unpatched)…
Then I stumbled across this:
http://www.waraxe.us/ftopict-1776.html
I mean, I *knew* you’re supposed to upgrade, and that previous versions were vulnerable, etc… but when I was able to run the md5 cracking scripts against my own blog and find the md5 of my password, then edit some cookies in Firefox and log in to my own blog as admin… well, that kind of scared the crap out of me…
Needless to say I upgraded!
Maybe they don’t want to upgrade, did you ever consider that?
I’m on WP 2.2 and I don’t ever see myself upgrading past that. The changes to my WordPress theme files are just too complex and there are no ‘features’ I want in 2.3 (yet ironically enough there’s plenty which aren’t in there but I’ve wanted for years) but plenty of hurdles to upgrading.
If it were easier to upgrade without one of the 3rd party plugins and not make such radical changes to the functions in the underlying template code then I’m sure more people would upgrade.
As it is, don’t assume it’s laziness – there could well be a perfectly valid reason.
What? The father of the internet should know better! He invented the internet after all!
Simple Machine Forum has a simple upgrade script. It’s been a while since I used it, but you basically upload a file to the server and it handles the download and install of the updates.
I use the shell upgrade method when updating my WP installs, but even that is time consuming compared with a script that could easily automate the whole thing.
We definitely need something like this in the WordPress core – if you can notify us when a version’s out of date, the next step is to offer an automatic upgrade via the dashboard.
That’s a little ridiculous, to be a well known political figure and not have your websites constantly maintained. This hacking does not show problems with WordPress; it’s a lack of responsibility on the part of the webmaster.
Looks like they fixed the issue but they still haven’t upgraded.
I wouldn’t trust those automatic or one-click updates. What about the custom theme and plugins?
Nick La, I upgraded to 2.3.1 using the WordPress Automatic Upgrade plugin that Paul mentioned and it doesn’t touch your wp-content directory [FAQ]. Worked fine for me.
Been known for quite some time:
http://www.earnersblog.com/wordpress-hacked/
Wow, 2.0.4, eh? Don’t they know how to upgrade? I mean, it is as easy as uploading files and running the upgrade script. But then one of my blogs is still stuck at 2.2.3; of course, being very busy, I have a lot of things to be concerned about, but when I get time I will do an upgrade.
Upgrading should be made easier.
There are already “one click installers” that work around the 777 problem Nick mentioned – they tell you to change file permissions directly before needed and refuse to go on without setting it back.
MyBB does that (besides other security issues 😉
The solution could definitely be a step-by-step installer/upgrader wizard that prompts you what to do and helps you with reference links if you don’t know how to do it. MyBB, for example, refuses to work if any unneeded 777 permissions are set after install/upgrade.
Greets from Salzburg,
Johannes
I have 5 blogs and tried to update on one of the blogs. The dashboard says it still needs updating, and I can’t figure out what I did or didn’t do. I’m scared to update my other blogs as I have way too much custom stuff in them… I’m not really a techy person – just techy enough to hack a bit of CSS, but not enough to ensure that I know what I’m doing when it comes to an upgrade. I’d love help that allowed me to do it myself, but helped me make sure I didn’t screw up.
Al Gore likes Macs… it was probably malcor!!!!
Seriously, is anyone on the official development list going to comment on:
http://www.glennwolsey.com/2007/11/19/back-to-regular-operation/
http://macapper.com/2007/11/21/screw-you-malcwhore/
Upgrading would be a *lot* easier if the wp-content folder was not within the tree of the main install, but outside it.
The result is the sort of complexity noted at:
http://photomatt.net/2007/11/27/al-gore-hacked/#comment-433546
Could there not be some better folder structure like
/.htaccess [which probably wouldn’t change much]
/wp-content [the content]
/wordpress [the application]
Thus upgrading wordpress is simply a matter of replacing the /wordpress directory with the new one, and not moving anything else.
It’s funny… when Microsoft identifies security holes and releases patches so quickly, the open source and Linux community bashes them for not releasing secure code in the first place… but when open source folks put out Swiss cheese, and release patches every 5 minutes, they blame the users for not updating in a timely fashion.
The password probably was ‘butterfly’. hehe
Aside from any problems with not having a GUI to update in the admin, wouldn’t you think that Gore’s people would have someone on staff who knew how to update their WordPress, even if they do have to do it the “old-fashioned” way?
Don’t worry “dude”, we get bashed plenty too. (See above.)
When people with non-updated Windows installs get spyware/virus infections, Microsoft gets blamed. It might not be entirely fair, but that’s how it works.
Perhaps if WordPress were to use a ‘quick upgrade’ system (like Firefox, for example, although it’s obviously more complicated with a web app like WordPress).
At the moment upgrading to a new version of WordPress is a nightmare. If I want to stop it nuking my existing theme and customisation, I have to download the new package, use WinMerge to compare the files with the old version, delete the files that haven’t changed, and THEN upload via FTP.
If an auto-upgrade feature isn’t feasible, then at least provide a ‘changed files only’ package for new versions (games have done this for years – you can get the big 100Mb install or the ‘v1.4 to v1.5 patch file’).
Don’t worry, I don’t judge WordPress poorly… I judge Al Gore and his IT staff for spending too much time worrying about friggen polar bears.
Johannes,
I’ve tried MyBB and it’s an absolute nightmare to upgrade. I just did a test upgrade on my home server today and I completely stuffed up; I found their online documentation rather confusing, which made me botch up the upgrade. There are quite a few steps, which really scares me, and that is why I myself sometimes fail to upgrade. It would be lovely if they had made the upgrade process simpler.
With WordPress though, all I do is upload the files and then run the upgrade script and boom, it’s instantly upgraded; it’s pretty simple. However there are a few hurdles if you use plugins and/or themes sometimes. Surprisingly not one of my upgrades has ever gone wrong. 😀
SMF has a very good graphical updater which further simplifies the upgrade process; that would be nice for WP, but I am happy just to upload new files if that’s the case.
I have some custom things that I’ve done to my WP and wouldn’t want an auto-update feature because it would break lots of my stuff.
I’d suggest having it as an option, if at all.
N’th-ing the “it is the admin’s fault” comments too, btw
I’m following up from http://pseudo-flaw.net/log/20/more-random-wordpress-blogs-and-al-gore-owned-by-seo-spammers
Seems like more blogs are being gamed by blackhat spammers.
There should be a plugin for comparing checksums in WordPress.
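One way to build the checksum comparison suggested above, as an added example rather than an existing plugin: a shell manifest of SHA-256 hashes for every file outside wp-content/uploads, and a verifier that reports files modified, added or removed since the manifest was taken, which is how an unexpected line in a theme file or a dropped plugin file would show up. make_demo_site and the tampering in tamper_demo_site are constructed for the demo; skipping the uploads directory and the tab-separated manifest format are my own choices, not WordPress conventions.

```shell
#!/bin/sh
# Added example, not an existing WordPress plugin: a SHA-256 manifest of a site's
# files and a verifier that reports what changed since the manifest was taken.
# make_demo_site and tamper_demo_site are constructed for the demo.
LC_ALL=C; export LC_ALL          # one collation for sort, comm and join

# SHA-256 of one file, using whichever tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# make_manifest SITE > manifest
# One "hash<TAB>./relative/path" line per file, sorted by path. wp-content/uploads
# is skipped because it changes legitimately with every post; everything else,
# themes and plugins included, should only change when the admin changes it.
make_manifest() {
    (cd "$1" && find . -type f ! -path './wp-content/uploads/*' | sort | \
        while read -r f; do printf '%s\t%s\n' "$(hash_file "$f")" "$f"; done)
}

# verify_manifest SITE MANIFEST
# Prints "MODIFIED path", "ADDED path" or "REMOVED path" lines; returns 0 only
# when the tree matches the manifest exactly. Keep the manifest off the web host.
verify_manifest() {
    tab=$(printf '\t')
    cur=$(mktemp); old=$(mktemp); new=$(mktemp)
    make_manifest "$1" > "$cur"
    cut -f2 "$2" > "$old"      # paths recorded in the manifest
    cut -f2 "$cur" > "$new"    # paths present now (both already sorted)
    changes=$(
        comm -23 "$old" "$new" | sed 's/^/REMOVED /'
        comm -13 "$old" "$new" | sed 's/^/ADDED /'
        # same path in both, different hash
        join -t "$tab" -j 2 "$2" "$cur" | awk -F '\t' '$2 != $3 { print "MODIFIED " $1 }'
    )
    rm -f "$cur" "$old" "$new"
    [ -n "$changes" ] && printf '%s\n' "$changes"
    [ -z "$changes" ]
}

# Constructed site tree with a few core files, a custom theme and one upload.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/themes/custom" \
             "$d/wp-content/plugins" "$d/wp-content/uploads"
    printf "<?php\n\$wp_version = '2.3.1';\n" > "$d/wp-includes/version.php"
    printf '<?php\n' > "$d/wp-admin/index.php"
    printf '<?php\n' > "$d/wp-admin/old-tool.php"
    printf '<div id="footer"></div>\n' > "$d/wp-content/themes/custom/footer.php"
    printf 'image bytes placeholder\n' > "$d/wp-content/uploads/photo.jpg"
    echo "$d"
}

# Constructed tampering: a line appended to the theme footer, a plugin file that
# nobody installed, a core file gone, plus a new upload that should be ignored.
tamper_demo_site() {
    printf '<!-- constructed: unexpected line -->\n' >> "$1/wp-content/themes/custom/footer.php"
    printf '<?php\n' > "$1/wp-content/plugins/unexpected.php"
    rm -f "$1/wp-admin/old-tool.php"
    printf 'another upload\n' > "$1/wp-content/uploads/new.jpg"
}

# Stand-alone run: `sh checksums.sh --demo` records a manifest, tampers, and reports.
if [ "${1:-}" = "--demo" ]; then
    site=$(make_demo_site); manifest=$(mktemp)
    make_manifest "$site" > "$manifest"
    tamper_demo_site "$site"
    verify_manifest "$site" "$manifest" || echo "integrity check FAILED"
    rm -rf "$site" "$manifest"
fi
```

Take a fresh manifest right after each upgrade or deliberate theme edit and store it somewhere the web server user cannot write; a manifest kept next to the site is the first thing a tamperer would regenerate.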
Wow, I didn’t realize upgrading was so difficult for some.
My Direct Admin interface I offer through my hosting supports two click upgrades and I’ve had very few problems with this and none directly related to the core WP product or Direct Admin’s upgrade process.
Glad Dreamhost has something similar. . .
I wouldn’t run WP if I had to run through the hoops some of you are talking about.
G
And updates often do bad things to non-English characters, such as å, ä, and ö. Which happens to be very inconvenient if you’re writing in Swedish.
//JJ