WP 2.5 Security Bulletin Is False


This is a guest post by Jeff Chandler of Jeffro2pt0.com.

Over the past few days, news of a possible multiple-SQL-injection vulnerability in WordPress 2.5 spread across the WordPress community like wildfire. However, Matt Mullenweg has published a post that puts those fears to rest: the bulletin was false. Matt’s post also contains a wide assortment of helpful information on why you should upgrade your WordPress installation to the latest stable release. One of the more interesting portions of his post discusses the most common reasons Matt hears for why people don’t upgrade their WordPress installation.

  • I’m scared something will break, or I don’t know how. Ask a friend to help or hire a professional on the aforementioned wp-pro list. Long-term, try to use a plugin like WPAU or a host that will do upgrades.
  • One of my plugins doesn’t work with the new version. This is getting rarer as we have a very public testing cycle for plugin authors to try their stuff with the latest version, but still common. I would suggest checking for an upgrade to the plugin on the author’s site, contacting the author about the incompatibility you found, maybe even donate some money, or finally search for an alternative plugin that provides similar functionality but works with the latest and greatest version of WordPress. In the big picture, though, having a secure site is much more important than the functionality of a single plugin, so you should seriously consider turning off a plugin for a few days instead of putting off core upgrades.
  • I don’t like the new version, they moved my cheese. We believe every new release is better, but sometimes people just aren’t comfortable with a change, which is fine. The good news is that we constantly improve things based on feedback, including interfaces, and that more importantly for almost everything you can imagine annoying you there is a plugin that changes it. For example in 2.5 the page is fixed-width to allow for greater readability, but there’s a plugin to make it stretch to the full width of the window.
  • I modified core files, so upgrades are hard. You should never ever modify core files in WP. If you find you have to, file a ticket for a new hook or filter so your modifications can be a plugin — it makes things so much easier.
  • Upgrades are too frequent. If it takes you more than 5 minutes to upgrade your blog, you’re doing it wrong. Historically we do a major release about 3 times a year, and a minor release about once a month. Minor releases almost never break anything, so they are the easiest. (And often the most important.) WordPress is fast-evolving software, so this is a good problem to have.
  • I don’t know when there’s an upgrade. No excuses here. Since 2.3 we include a big honking notice at the top of your dashboard when there’s a new release available. It’s also worth subscribing to our dev blog; it’s not like it’s going to flood your RSS reader.

You can check out Matt’s post here and rest assured that, so far, WordPress 2.5 is still safe to use.

12 thoughts on “WP 2.5 Security Bulletin Is False”

  1. I was just reading his post when this article came up in my reader. Some of the points he makes go against what Pro Blog Design wrote yesterday, and while I agree that it doesn’t take long to upgrade and it is worth it for the security, I stand by my point that non-techy clients will not enjoy the big changes such as the admin redesign. I’ve had enough trouble explaining the basics of prior versions to some without having to tell them to forget it and spend hours (note: money) re-educating them.

    For big changes like this it would be nice to see some sort of option for the admin end to mimic the old design, at least so we can get them up to date security wise while we work on education material and arrange for time/budget.

  2. I am curious how other people have handled upgrades for their clients in the past? I normally charge; however, clients tend to get upset because the updates are so frequent that they feel they are being extorted. Is there a better way to handle this? I know there is a plugin, but I am wary of it breaking an install altogether.

  3. Funny, my wp blog just got taken out by what seems to be a SQL injection. I basically got about 500 comments added in a very short span of time, from what it looks like in the SQL I’m recovering from the DB (maybe a minute or two). For some reason, that corrupted the backup of my WP-options page in the database, and that forces me to reinstall.

    Now maybe it’s unrelated to the security bulletin you’re linking above, but I find it very odd that this very morning, you’re telling me that it’s false when I have an issue that seems awfully similar to what’s described.

  4. I find WordPress upgrades to be very quick and painless. I upgraded to 2.5 in less than 10 minutes without breaking anything and all of my plugins still worked. I did try it on a test site first before I applied it to my live site.

  5. I have yet to hear of any negative experience of using the WordPress Automatic Upgrade Plugin. Just the other day I listened to someone on Skype use that plugin to upgrade to 2.5, and it went through without a hitch. I know that in the future, WordPress is looking at integrating that plugin into WordPress to make upgrading much easier.

  6. Pingback: El Boletín de Seguridad de WordPress 2.5 era Falso | Ayuda WordPress

  7. Pingback: WordCast | WordCast 10: The WordPress Widget Mafia

  8. Pingback: Bitwire.TV » Blog Archive » WordCast 10: The WordPress Widget Mafia

  9. Nothing seems to be easier than seeing someone whom you can help but not helping. I suggest we start giving it a try. Give love to the ones that need it. God will appreciate it.
