post-page

Are You Responsible Enough To Run WordPress?

118
responses
by
 
on
September 12th, 2009
in
WordPress Security

I’m pretty sure by now that you’ve heard about the worm attack on older versions of WordPress. In the trail of destruction, I’ve been reading quite a few blog posts regarding the attacks along with comments attached to those posts and quite honestly, I can’t believe some of the comments I’ve read. One of the most absurd comments I came across stated that upgrading was not an option for them. How on earth do you put yourself in a position where upgrading is not an option? Might as well just leave the door open so the bad guys can come in freely.

Unfortunately, the blame game has come back in full force with those affected generally blaming WordPress, and those not affected blaming users who failed to upgrade in a timely fashion. The bottom line is, the issues that lead to this worm attacking older versions of WordPress was fixed in WordPress 2.8.4 which was released on August 12th. When it comes to a security release of WordPress, I take it seriously and don’t mess around with upgrading my site. I think Matt Mullenweg puts it best in his article which explains how to keep WordPress secure.

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)

While WordPress has lowered the bar of entry to publishing content on the web, one constant remains, the responsibility of running your own website. This responsibility includes making sure that your webhost is doing its job, that the various layers and technologies which make WordPress tick are fairly up to date and locked down. These layers include but are not limited to PHP, MySQL, folder-file permissions, etc. Dave Coveney also brings up the point that security is more than just WordPress.

Even if you have the very latest version of everything there are, out there, what are known as zero day exploits. These are vulnerabilities which are kept secret by the hackers who have found them. They cease to be secret if they become widely used in a large scale attack. Like the current one against WordPress.

You can’t just upload WordPress, perform a bunch of customizations, install 50 plugins, 50 themes, and think everything will be fine from that day forward. WordPress along with the associated technologies are always evolving. That means your site must evolve as well.

One of the commonalities between most of the comments I’ve read regarding the worm attack consisted of upgrades breaking themes or plugins. Based on experience, I have never experienced a problem with a plugin or a theme completely breaking my site thanks to an upgrade. Sure, I’ve had times where some of the theme or plugin functionality broke because of a deprecated function or changed behaviour, but that’s about it. Generally if an upgrade breaks a site, it’s because of a poorly coded plugin or theme. I can’t believe this attitude that functionality trumps security. There are hundreds of plugins within the repository, if you’re afraid of one breaking or feel that it is not compatible with the upgrade, deactivate it until an update for it is available or use a replacement. Missing a small portion of functionality is better than having your entire site compromised.

But I Didn’t Know

This is by far the lamest excuse I’ve ever heard. When a new version of WordPress is released, here are the following ways you can find out.

Log into your dashboard and look for a colored message in the top center of your screen which says something like WordPress X.X.X is available! Please Update Now. The link will take you to the one click auto ugprader.

Activate the WordPress Development Blog dashboard widget. This will show you the latest posts from the WordPress development blog. If there is a new update, there will be a new post saying so.

In the bottom right corner of the administration panel, there will be the text Get X.X.X. This is a link to the one click upgrader letting you know you’re running an out of date version.

Follow the WordPress blog account on Twitter. @wordpress this account is managed by the WordPress team and usually will contain links to blog posts regarding new releases.

Follow blogs that report on the happenings within the community. The WordPress community does a great job spreading the word when a new version is released.

WordPress does maintain an announcement mailing list that you can subscribe to by checking a box in your WordPress forum profile but in my opinion, they have done a terrible job utilizing that list.

The Decisions You Make Today Shape Your Tomorrow

One question you should ask yourself before installing any theme or plugin is whether or not it will prevent you from upgrading. The same holds true for custom development work. A theme or plugin that is custom developed which does things in such a way that makes upgrading a pain means they developed it wrong. For starters, no one should ever hack any of the core files. Secondly, developers should use hooks and existing APIs to achieve functionality. If the functionality does not exist, they should create a ticket in Trac and request that a particular hook or API be added to core so core edits do not take place.

WordPress Can’t Do It All

WordPress has made it incredibly simple to upgrade with the addition of the one click upgrader yet so many still don’t seem to upgrade in a timely fashion. I realize the auto upgrader does not work for everyone but there are alternatives. It’s getting to the point where it seems as though the only way to curb irresponsibility is automation of upgrades. However, I believe this would create more problems than solve. Since automation is not likely to occur, the responsibility falls back on you, the individual. Take that responsibility seriously.

heading
heading
118
Responses

 

Comments

  1. web page designer (1 comments.) says:

    You really can’t blame WordPress though. Any platform that grows that large will become a target. It’s just like the reason why there are so many viruses for Windows, and not for Macs. In the end, it is the responsibility of WordPress to inform its users of the vulnerability, but the blame falls on the shoulders of those not willing to upgrade.

    • Jeff Chandler (171 comments.) says:

      And I think WordPress does a good job informing folks of not only when upgrades are released, but also when they push out upgrades that specifically address security issues instead of waiting. There are some things that can be improved in the entire process but overall, I don’t have any real complaints.

      • Brian Carnell (15 comments.) says:

        I have to disagree…WordPress does not do a very good job at all of notifying end users of important upgrades. Some of us have blogs where we might not log in to our WordPress install for a few days at a time…I had upgraded to 2.8.3 by chance when it came out, but completely missed any notification about the worm until my wife happened to see it on Twitter.

        This plugin does a good job of notifying, but its sad that, as is typical with WP, what is a very basic and important functionality requires yet another plugin:

        http://wordpress.org/extend/pl.....-by-email/

        • Bakari Thomas (1 comments.) says:

          That’s kind of your on fault. You should already know that almost every piece of software out there has updates. It’s not the company’s responsibility to come hold your hand, tell you to upgrade, and do it for you. They’ve put in place several methods by which you can be notified and if you choose not to use them, then it’s your fault.

          • Brian Carnell (15 comments.) says:

            Bakari wrote:

            “That’s kind of your on fault. You should already know that almost every piece of software out there has updates. It’s not the company’s responsibility to come hold your hand, tell you to upgrade, and do it for you. They’ve put in place several methods by which you can be notified and if you choose not to use them, then it’s your fault.”

            Typical cluelessness. The only notification I can find is the form on the wordpress.org site. The problem, of course, is that *lots* of people get WordPress from somewhere other than WordPress.org…ah, but they’re probably dumbasses and its their own fault when they get owned for not being as uber-techy as you.

            WordPress did an excellent job building in autoupgrade (though I’m sure from your POV it’d be much better to force everyone to go back to using FTP). They need to go one extra step and allow users/admins to enable e-mail notification from within WordPress.

            An e-mail from the specific WordPress saying “Your blog at http://www.yoururl.com/ needs upgrading immediately, visit http://upgradepathurl/ to do this” is going to be much better than following Yet Another Mailing List.

          • Network Geek (21 comments.) says:

            Well, of course, every blogger has a different “schedule” by which they blog, so I understand not signing into your blog for a couple days, but, that’s where I saw the news about the security problem. On the dashboard, down in the box that’s labeled “Other WordPress News” and also in the box labeled “WordPress Development Blog” there were notifications about the issue and the fix. I understand some people don’t care to have these displayed when they sign into their blog, but, obviously, they serve a purpose.

            So, I’m pretty much going to have to categorically disagree with you based solely on empirical evidence. WordPress does, in fact, do a good job of notifying people using their software of required updates and upgrades, if those users actually use the tools provided.

        • Paul OFlaherty (5 comments.) says:

          Seriously, it’s users like you that drive anybody who actually cares about their website to pulling their hair out.

          Contrary to you rant WordPress informs you multiple ways, you’re just too lazy to take notice:

          1st They inform you through the dashboard.

          2nd They DO provide email notifications for releases, you sign up on the exact same page you download the software from.

          3rd They provide an RSS feed specifically for release notifications, also on the download page.

          Just because you’re too lazy to take an interest in the software that you’re using is not WordPress’s fault.

          What more do you want them to do? Come round your house and upgrade it for you?

          And more to the point, unless your webhost is providing a one click install of WordPress (at which point they also provide the means to upgrade) what are you doing downloading WordPress from anywhere other than WordPress.org? That is a major security risk as anybody could have placed any code they want into the installation?

  2. Jennifer (6 comments.) says:

    This whole always upgrade thing is bugging me, especially with talk of using the automatic upgrade inside WordPress. I install my WordPress sites with SimpleScripts. If I use the automatic upgrade inside WordPress I get problems upon problems.

    First it goes straight to the most recent update, bypassing all others.

    Second, the listing in SimpleScripts does not update stating the new version after I have used the upgrade inside WordPress and I have to click on upgrade in SimpleScripts too for each site, but that means it actually upgrades it AGAIN — leading to problems.

    I’ve had to un-install WordPress a few times because of it awhile back. So now, after having that happen, I only use SimpleScripts to upgrade.

    The thing is though, I go through my plug-ins and themes and make sure they are able to work with the new version first… and if they are not I go looking for replacements for them BEFORE I upgrade.

    Each of my sites go into maintenance mode for as long as looking for replacements takes. I was finally able to upgrade all sites to 2.8.4 yesterday, each site was originally at 2.8 (three of them), 2.8.1 (four of them), and 2.8.3 (one of them).

    I had to un-install one WordPress site because I was no longer able to add or remove widgets. I will not be re-installing it, instead I will find another way to create that particular site since WordPress might not be the best way for it (It was going to be a tutoring website, not yet open to the online public).

    Most of my websites are not even open to the online public yet anyway… I’m still working on them to get them ready for that.

    • Jeff Chandler (171 comments.) says:

      Why have you decided to use SimpleScripts to upgrade WordPress? This is a big problem when it comes to using third party scripts to handle your WordPress site such as SimpleScripts and Fantastico. Once an upgrade is released, those third parties usually lag behind by at least a few days. That could be the difference between a compromised site and a secure site.

      • Jennifer (6 comments.) says:

        I use SimpleScripts because it’s much faster to install all of my sites. I maintain multiple CMS-type sites, I don’t need to waste time trying to download the latest version and then installing it. I’m using WordPress because it was supposed to make this sort of thing easier, not harder. (I will however have to use the download and install method for WordPress MU for one of my sites eventually — I haven’t started working on it yet…).

        By the time the latest version of WordPress is downloaded onto my hard-drive for me to upload it to my host to upgrade each site, SimpleScripts would have already updated to the latest version for upgrading purposes, if not much sooner. I’ve never had a problem with SimpleScripts being up-to-date with the latest version of WordPress though (Drupal is a whole ‘nother story, however).

        As soon as each new version of WordPress comes out I put my sites in Maintenance Mode, I check plug-in compatibility, and I check SimpleScripts (on the same day I find out there is an upgrade available) and there it is telling me Upgrade Now!

        • Jeff Chandler (171 comments.) says:

          So is it the fact that the one click auto upgrader inside of WordPress does not work for you? It does the same thing SimpleScripts does.

          • Jennifer (6 comments.) says:

            I’ve never had a problem with SimpleScripts upgrade of WordPress, but the auto upgrade in WordPress, as stated, is a completely different story.

          • Jeff Chandler (171 comments.) says:

            Did you have WordPress auto upgrade problems before your use of SimpleScripts?

      • Babs (37 comments.) says:

        I agree with you about Fantastico, even though I do continue to use it for all my installs.

        However, ever since the time WP released an upgrade to fix some major security issues and it took 10 DAYS for Fantastico to make it available I have done all my upgrades either manually or through WP’s upgrade system. My hosting company’s owner would have my head if I didn’t. XD

    • Mizst (2 comments.) says:

      Why didn’t you just use SimpleScripts to upgrade? Why did you do it twice?

      I believe WordPress replaces all your core files (not patching them) so going straight to the most recent version has no detrimental effect.

      Most plugins actually work well beyond their stated version. In any case, security bugfixes won’t affect plugin functionalities. Only major upgrades with changes in features will do that.

      • Jennifer (6 comments.) says:

        Because at the time I was completely new to WordPress. I had just began using it and didn’t know it could have been updated through SimpleScripts by a system of going by each update instead of straight to the most recent. I don’t like that… it makes me worry if it just skips versions. I want to make sure everything is done in order (OCD, sorry).

        I’ve noticed this a bit, but I still worry because I want my sites to be functional not in pieces. I am actually still using some plug-ins on my sites that are listed for previous versions. They are working perfectly fine.

    • Anand (1 comments.) says:

      ou really can’t blame WordPress though. Any platform that grows that large will become a target. With multiple blogs there’s always an incentive to procrastinate, and if you decide to go out of town on vacation during the wrong week you can get stuck in a bad spot when you come home.
      myself runing two blogs 1. http://aglasem.com/updates 2. http://dcetimes.org/wp . they are working fine with no error..
      By the way, people saying how wonderful WordPress is might think about whether a system that requires so much vigilance is really a well designed system, and whether the relatively simple functions of a content management system should require so much complexity.

    • joecr (3 comments.) says:

      One thing no one else mentioned is that SimpleScripts is now supposed to have the ability to tell that you upgraded manually on a script that you installed or a link to click on so that it can tell the change was made. So upgrading inside WordPress shouldn’t break SimpleScripts if that is the case.
      I just check & if you click on “Advanced” it has an option for that on my WordPress installs that were made through SimpleScripts.

    • Ben (1 comments.) says:

      SimpleScripts was designed with the shortcomings of Fantastico in mind; the biggest of which from the user standpoint was upgrade times and data integrity issues. SimpleScripts has WordPress upgrades available within hours of release, and makes it easy to roll-back if you have issues with plugins or themes, etc. Its main focus is to help expose new internet users to the open-source world and garner support for those making great apps such as WordPress.

      Advanced users may not find those features particularly necessary or useful (especially if you are used to taking backups by command line) but for most people (especially those with multiple blogs to manage), SimpleScripts really makes upgrading easy. SimpleScripts currently maintains over 200,000 active WordPress blogs alone, and while the main motivations vary, SimpleScripts users enjoy the one-click upgrades and email notifications anytime a new version is released (some users don’t login to WP more than every few days, so email notifications are critical for staying up-to-date).

      In addition, SimpleScripts offers the ability to import existing installations (installed by fantastico or manually), and if necessary, manually update version information if it has changed externally (@joecr thanks for pointing that out).

      @Jennifer: Thanks for staying updated!

  3. Steve Hall (5 comments.) says:

    Thank you for this, Jeff. I’ve shared it with my Google Reader followers, and I’ll be linking it in my weekly “Recommended Reading” article next Saturday.

    Basically, if people can’t take the time to do a one-click upgrade of WordPress when a security update is released (not to mention a “regular” upgrade!), then they should probably limit their blogging to Facebook. Or Twitter.

  4. gestroud (11 comments.) says:

    Hello Jeff,

    Great article. While I agree with the vast majority of it, I can’t fully subscribe to the statement “Generally if an upgrade breaks a site, it’s because of a poorly coded plugin or theme.” It’s a little too general and possibly insulting to some plugin developers.

    For some users, certain plugins are the central part of our sites. Photo galleries, Forums, Review sites, and Classified posting, for example.

    Many of these plugins don’t fall under the “poorly coded” description, but they may — and sometimes do — cease functioning fully when a WP upgrade is installed, especially if it’s a major version change. 2.0 to 2.+ comes to mind.

    This can leave some of us running web sites with a few different options.

    1. Don’t install the upgrade, leave the site open and hope for the best. NOT a good choice

    2. Install the upgrade and lose your site’s functionality until the plugin developer(s) upgrade(s) the plugin(s). Safe, but not very practical.

    3. Close the site until the plugin developer(s) upgrade(s) the plugin(s). A fairly wise choice.

    4. Keep a 24-hour surveillance over the site’s access logs and database entries and a convenient supply of No-Doze. ZZzz

    5. Devise a means to develop similar functionality for your site without using plugins. Challenging, but not always possible — especially for non-coders.

    So yes, upgrading is certainly important, particularly security upgrade. But it is not always immediately practical. And while the fault may occasionally lie with plugins that are poorly coded, it’s generally not the case in my experience.

    • Jeff Chandler (171 comments.) says:

      Well you’ve indeed made some good points but based on all the feedback I’ve heard, the plugins which cause breakage that are not poorly coded are the exception rather than the norm.

    • Ncus (1 comments.) says:

      Disagree. A good programmer or template maker will update their plug-ins in mater of hours to couple days.

      I have been using WordPress since version 1.x and haven’t had any plugin that causing my wordpress installation to work. I never ever pushed my installation into something what wordpress main function, which is simple blog/content management system. If someone use wordpress as a forum CMS, than he is choosing the wrong platform.

      I have been making WordPress theme and quite understand how WP themes works. And it seems wordpress plug-in works flawlessly without updating the plugin with new WordPress.

      • gestroud says:

        Well…you can disagree, but it’s those hours or couple of days that matter. A lot can happen in that time.

  5. Lynne Gordon (1 comments.) says:

    Well I really expected something better than some guy stating the obvious but it must be necessary because of everyone who didn’t update in time and got mangled.

    I have been guilty of delaying updates also because I had just written my latest ‘super’ post and I didn’t want to take a chance on the update screwing up my entire system.

    I guess I delayed updating many times because I didn’t trust WordPress.

    After this scare, though, I have decided to trust WordPress over the possibility of getting hacked.

    • Jeff Chandler (171 comments.) says:

      Well, it would be nice if I didn’t have to state the obvious but from all of the comments and blog posts I read, I felt it necessary to once again remind people that running a site powered by WordPress is a responsibility. One that not many people were taking seriously.

  6. Jennifer (6 comments.) says:

    Because there is no longer a reply link after your last response, Jeff…

    I never used either upgrade before then. I was completely new to WordPress. I used the WordPress automatic upgrade first, and when problems started occurring I began to look for causes.

    I deactivated all plug-ins, went back to the default theme but there were still problems, so I logged into SimpleScripts where I had originally installed it from and it didn’t list it as actually having been upgraded so I clicked on the upgrade link.

    I went back to the site to see if that might have fixed the problems, but to no avail… so I un-installed that WordPress and didn’t upgrade my other sites.

    My web host is a major pusher of SimpleScripts, they want to use it for almost everything.

    • Jeff Chandler (171 comments.) says:

      Ohh so it sounds like you installed WordPress through SimpleScripts, then tried the Auto Upgrade built into WordPress which caused problems, then you tried SimpleScripts with no luck and now you just use SimpleScripts instead of the built in upgrader.

      It makes sense now. It’s like people who install WordPress through Fantastico but use the WordPress upgrader to upgrader their sites which over rides the Fantastico stuff leading to problems. People have to stick with one or the other, they can’t use both or you get problems.

      Whatever the case may be, you are upgrading WordPress when need be however you need to get it done while doing other plugin compatibility checks and those are sure signs of a responsible person running a website.

    • Mizst (2 comments.) says:

      I suspect that some other causes were affecting your install somehow, because I’ve also used WP’s auto upgrade on SimpleScripts-installed WP before and it does work. (Mine is on Bluehost.)

      Also I’d like to note that even if you upgraded it either with WP’s auto upgrade or manually by FTP, there is an option in SimpleScripts (under “advanced”) that allows you to tell it what version of WP you’re running, without going through the upgrade twice. If you select the latest version then the upgrade prompt will disappear.

      • Jennifer (6 comments.) says:

        Hm, I didn’t know that about SimpleScripts advanced links. Thank you for letting me know, but I still probably won’t use the auto-upgrade in WordPress and will continue to use the one in SimpleScripts.

        My host is HostMonster.

  7. Peter Green (4 comments.) says:

    I just want to give a huge thank you to all the WordPress team for giving us WP!
    I don’t think people appreciate you guys enough!
    Peter

  8. Jayne d'Arcy (9 comments.) says:

    Excellent article. I love the automatic updater. I maintain two sites and we began with the Fantastico to install WP. I was aware of cautious articles out there about relying upon Fantastico so the minute I was able to get away from it, was great. The updater is now so stress free, that the owner of the second WP site, is confidant in handling his own upgrade. As to plugins that cause problems, I look at plugins as something you may not be able to use forever. The two blogs I have running under WP do use plugins, but with the knowledge that if a plugin isn’t compatible, I either look for an upgrade, or the plugin must go.

    • Jeff Chandler (171 comments.) says:

      I pretty much have the same view on plugins. They provide me with the functionality I need at the time but I won’t be able to use those plugins for ever so I’m always keeping an eye out for replacements.

      Also, with each plugin I add to my own site, I add that much more complexity to the system. The more complexity I add, the harder scaling and upgrading will be.

  9. Tiffany (1 comments.) says:

    I have been wondering about this because I get on some of the older ones and get directed out right away because my screen comes up and says < Warning! Site Attack! Or something like that and it redirects me out and it has hit a couple of those websites right there. Thanks for that because I was getting concerned.

  10. Squarespacer says:

    This is one of the many reasons I use Squarespace. They do the updating for me, and my site doesn’t break.

    Oh wait, that’s two reasons.

    • Mark Ghosh (386 comments.) says:

      If you were using WordPress.com, you would not have to worry about any of this. Squarespace is hosted and so is WordPress.com

  11. Benedict Eastaugh (17 comments.) says:

    Frankly, if you can’t manage to run svn update (or switch, if it’s a new major version) when a new version comes out then you probably shouldn’t be running your own website.

    • Benedict Eastaugh (17 comments.) says:

      Here’s a script to automate things: just set up a cronjob to make it run every night. That way you can keep multiple sites up to date (assuming they’re on the latest stable svn branch) with no ongoing work whatsoever. Obviously you’ll need to change the site paths to reflect your setup, and
      the list of files to be deleted (index.php is in there because I run WordPress in a subdirectory; if you don’t, remove it from the list!).

      http://gist.github.com/47744

      You’ll need Ruby (to run the script) and cron access, but these are available on many web hosts, and there are plenty of equivalent scripts for users who only have access to other languages (bash, PHP etc.).

  12. Jessi says:

    Great article.

    My take is this: if someone doesn’t want to upgrade, that’s their problem, but they’ll have absolutely no right to complain if they end up getting hacked. That will be all on them for not upgrading.

    I couldn’t even imagine doing that. I take my sites too seriously to allow that mess. Doing all that hard work only to get attacked? Hell no.

  13. ZKWC (3 comments.) says:

    Upgrading is not an option? Do people really say that?
    I wonder if they are still using MAC OS 8!

  14. Isaac | GoBlogger (3 comments.) says:

    I hope the one click upgrade always works for me, since the manual way seems so sophisticated for me. Non techie person here, just love to blog.

    • Babs (37 comments.) says:

      Before one click became available I downloaded the latest versions then uploaded them to my site via ftp. It wasn’t that hard, though now that some hosts are wanting ftp to be more secure you have to jump through a few more hoops.

  15. sparun (1 comments.) says:

    @jeff
    1. NOT every old WordPress version, will show you the UPGRADE notice.
    2. Follow @wordpress ? Thats a joke. Can you show me Where does the @wordpress inform you, when the glorious, un hackable (until now) version 2.8.4 released ?

    • Jeff Chandler (171 comments.) says:

      This article is based on WordPress 2.8.4 and what that version shows. As I wrote the post, I knew that what I was saying would not apply to some previous versions of WordPress but those are the ones getting hack so I didn’t worry about them.

      As for the WordPress Twitter account, they did not push out a link to the WordPress 2.8.4 release post but they did issue a link to 2.8.3. So I guess they screwed up a bit on that end but generally, whenever there is a new release, they link to the announcement and push it out through twitter.

  16. izzat aziz (1 comments.) says:

    Moral of the story never take upgrading for granted.
    wordpress gives a new version, not for the sake just to show they are heading toward no. It is not only wordpress, plugins also need to be upgrade because I ever heard that hacker using some plugin that poorly secure to hack into wordpress. So beware.

  17. Spence says:

    Also totally appreciating the WordPress team and all they’ve done for us. The tone of this article, however, suggests that anyone using WordPress should be technically adept enough to upgrade. The upgrade path is, to be kind, somewhat difficult for hobbyist-level bloggers. The WP team made it relatively easy to install, but the “Automatic Upgrade” is iffy at best. I haven’t seen it work yet, but I’m one of those lowly hobbyist types.

    I think before bashing on all the less technical out there, one might reflect on the reams of excellent content that is produced by us folks without the IT degree or experience. I’m certain that the WP team is developing a more robust and simple upgrade path. I look forward to it with anticipation.

    Back to my “Three Step Manual Upgrade”.

    Ta.

    Spence.

    • Jeff Chandler (171 comments.) says:

      That certainly was not the tone I was trying to get across. Instead, I was trying to raise the point that running WordPress on a webserver is complex despite WordPress tying all sorts of technologies together to make it seem easy. It’s also a responsibility and I wanted people to understand what that responsibility is, how they can perform that responsibility, and to take that responsibility seriously instead of blaming everything but themselves.

      If the one click automatic upgrade is not working for you, that’s where the support forums come into play. The community will help you out to try and get it fixed.

  18. S.K (23 comments.) says:

    Hi

    Good and timely reiteration of the need for upgrading without tarrying.

    As regards plugins, I have had more cases of some plugins breaking the functionality of other plugins rather than the core WordPress.

    But what is needed is a set of standards for the themes and plugins to follow (at least amongst those listed in WP.org site) so that they do not break anything and also they do not bloat up the blog by scattering .js and .css files all around thus making the blog trickle like molasses in December.

    And the one-click upgrade works like a charm, making me wonder sometimes whether it has actually upgraded or telling me a lie.

    S.K

  19. Jason (75 comments.) says:

    I can certainly understand why some people are not too keen on upgrading several sites whenever an update comes out (regardless of how easy it might have become), however, there are some ways to kill several birds with one stone.

    Type “Hosting Multiple Blogs With a Single WordPress Installation” into Google and you’ll find numerous sites explaining how to do just that. Heck, include the quotes, and my blog will be the first result. By doing this, when an update is released (for the core, or for a plugin), you need only upgrade once and all sites will be updated simultaneously.

    I started doing this after having some abandoned sites hacked, which resulted in having Eggdrop bots running from my host and a bunch of other problems. Since running everything from one installation, outdated installations have become a thing of the past. It’s not a perfect solution, but it’s certainly a heck of a lot better than the alternative.

    That said, there are far fewer updates to WordPress than to Windows or OS X. Why complain about the “constant updates” when our OSes often require even more attention? :P

  20. Miriam Schwab (6 comments.) says:

    Great article that raises important points about the responsibilities involved in running a WordPress site.

    While WP site owners should be aware of the need to upgrade, whether it’s convenient or not, as a provider of WP development services I can tell you that the idea of upgrading is daunting for the regular site owner. And despite the greatness of WP, we’ve had quite a few instances where we upgraded a site and it stopped working for one reason or another. Usually it’s because of a defunct plugin, which for us is easy to fix, but for users who just want to upgrade and have their site keep working, this kind of experience can be too much for them to handle.

    Since we saw this was happening, we started to offer a monthly hosting+WP maintenance package. We regularly upgrade plugins, make sure everything is backed up (database, files and XML), and upgrade the site when needed. This services isn’t only to help our clients, but it also protects us: after we enthusiastically sell WP as the greatest CMS on earth, if it keeps breaking or getting hacked our clients would be unhappy. This way, their sites are secure and working, and we make a little extra monthly income. It’s win-win.

    • Jeff Chandler (171 comments.) says:

      I find it interesting in that the service you offer your clients is almost like being the WordPress.com for them. Since WordPress.com does the upgrading and such and the writer has nothing to worry about.

  21. Ryan (55 comments.) says:

    Thanks for the great post Jeff.

    Unfortunately I won’t help. People still won’t upgrade and they’ll still blame WordPress. I’ve given up worrying about it.

    I’ve heard Matt mentioned automatic upgrades before though, so perhaps that will be rolled into core eventually and solve most of these problems once and for all as users will just have their site upgrade automatically without asking anyway (there would presumably be an option to turn it off, but it is something I imagine would be on by default).

    • Jeff Chandler (171 comments.) says:

      I’ve heard talk of an idea in one of the developer chats where you could perform an automatic upgrade, see if things work but if not, roll back to the previous version. Sort of like system restore on a Windows machine. It’s still at the idea stage though.

  22. Nile (18 comments.) says:

    I just wrote on this September 9th –
    On WordPress Security Straight From Matt : http://blondish.net/on-wordpre.....from-matt/

    There are no guarantees that a script will be safe. There are flaws that can be worked out and I have listened to some hardcore developers on making WordPress more secure from the backend. My suggestion: create a side project, revamp it, and bring it up to Matt and the rest of the world to see it. That is how WordPress has come to be.

    However, I have said even before Matt said it, and this is from a web host standpoint, make sure you are up-to-date. If you have a hacked version, and you understand WordPress enough, go through the logged fixes and apply those. It is a pain, but there are really no excuses from anyone who says they cannot upgrade.

    I ditched my own coded personally hosted haloscan-type script and took up b2, and then WordPress.

  23. Blob says:

    Here’s what happened to me.

    By a coincidence having nothing to do with the recent WordPress security problem, on Friday I edited a page on my WordPress-based web site, and found that instead of accepting my changes, WordPress had emptied all content from the page except the title (making the main section blank). I had a backup, but not being able to edit the page is a problem, and it’s distracting and time-consuming to deal with this instead of working on the article. After some experimentation I realized that the page was too long for some limits that the ISP sysadmin had put in place. This was not a disk quota issue – it was about specific limits for the size of a page in WordPress. After talking to the sysadmin I was admonished to update to a new WordPress version.

    I can understand the sysadmin’s view. Mine is that it’s irritating that, not having changed anything myself, the software that I was depending on had to be quarantined in such a way to make it impossible to write the article that I wanted without upgrading to a new version. It’s not even clear that after upgrading I’d be able to have pages lower than this new size limit (which was imposed because of security concerns about WordPress).

    No problem; just upgrade to the new version of WordPress – easy, right? No. I have a custom theme that my entire web site is based around. Getting this set up involved modifications to the WordPress source. I spent a lot of time getting things to look and work the way I want. I set things up like this (years ago) in part because of the claims of how wonderful WordPress is because it is customizable. “If you don’t like it, you can modify the source! Isn’t it wonderful?” When I set up my web site, in order to avoid versioning problems I attempted to use standard themes and avoid modifying WordPress source, but after many hours of searching I could not find a theme that did what I want without modifying the source.

    I took an existing theme and modified it and the WordPress source. I knew when I did this that there would be versioning problems, but I needed to do something, so that is what I did. I invested several days in evaluating themes, modifying themes, modifying source, and modifying my own content to work within the WordPress scheme. The only other choices seemed to be to not use WordPress, or, to use WordPress and have a site that didn’t do what I want. Over time I have built a medium size web site that depends on WordPress-specific things for formatting code, articles, etc. This is my home page and it is important to me. It contains articles I’ve written, a portion of my Master’s Thesis (but not my PhD thesis), fun pages I’ve set up, photos, and other things that have taken a significant amount of time to create. We are not talking about a matter of just few hours here.

    Now, I’m being asked to update to a new version. People say things like, “It’s unbelievable that someone would say that upgrading is not an option!”

    My view differs. I have not budgeted days to upgrade my site. I’m now being asked to drop everything to upgrade to a new version of WordPress.

    No thanks. I quit. I don’t want anything to do with WordPress now. I’ll probably look for a system that is not subject to this problem.

    That this can happen is obvious, but the next time someone tells you about the wonderful customizability of WordPress, take it with a mine of salt.

    By the way, people saying how wonderful WordPress is might think about whether a system that requires so much vigilance is really a well designed system, and whether the relatively simple functions of a content management system should require so much complexity. WordPress culture seems to be that whenever something goes wrong for someone, it’s the user’s fault because they didn’t do a certain thing a certain way. Well, I disagree. Sometimes it’s the fault of WordPress. I recognize that a lot of work has been done to try to make WordPress easy to use, and that when things go wrong, it’s not all WordPress’s fault. On the other hand, these kinds of things appear to be easy to forget for someone once they into the WordPress world. It’s similar to earlier days of UNIX – “RTFM”. That is basically just an excuse to avoid doing the work to make things simple, intuitive, easy to use, and robust.

    • Ferdinand (1 comments.) says:

      Blog wrote:
      I knew when I did this that there would be versioning problems, but I needed to do something, so that is what I did.
      —-

      So you were fully aware of the fact that you certainly would have problems with your WP installation in the future. And when the problems finally arrived you got angry at WP and abandoned the project. Your decision and your response just proves that you are not very mature in regard to in making responsible decisions.

    • Jeff Chandler (171 comments.) says:

      No thanks. I quit. I don’t want anything to do with WordPress now. I’ll probably look for a system that is not subject to this problem.

      To be honest, good luck and if you find one, let me know because the last time I checked, virtually all of the open source CMS solutions out there have the same issues.

      Now, considering when you created the theme that edited the source files, there may not have been the robust APIs or hooks that are now available. However, you alone made the decision to edit the core files of WordPress which is a huge no-no. You admitted that it would cause versioning problems and that is exactly what happened. The tone of your comments makes it seem like despite your hacking of the core code, WordPress should be able to handle an upgrade with no problem. A bit impossible when all of the core files are replaced upon upgrade. The bottom line is, you achieved custom functionality in the wrong way.

      That this can happen is obvious, but the next time someone tells you about the wonderful customizability of WordPress, take it with a mine of salt.

      This pretty much blows that statement out of the water:

      http://wordpress.org/showcase/flavor/wordpressorg/

      • Blob says:

        The fact that there are a lot of custom themes proves nothing. Customization is not free. The big cost is time. I knew this when I set up my web site years ago. I was willing to spend a significant amount of time to get customization. I am willing to press an version update button on an ongoing basis. I am not willing to spend days or weeks to upgrade every few years, without warning.

        I spent a large amount of time attempting to avoid modifying the source, and could find no way to do it. I looked at a large number of existing themes, asked questions in the WordPress forums, etc. Eventually I concluded that the only way to get what I wanted was to modify the source. What I wanted wasn’t particularly extravagant.

        I already mentioned that I have some appreciation for the amount of work done on WordPress. But how would you feel if, after trusting software enough to invest a lot of time in depending on it, this happened to you, and you see comments like “People should be more grateful” and “Are you responsible enough to run WordPress?” What could I have done differently, and how could I have discovered this?

        Keep in mind, too, that at the time I was investigating CMSes, the usual response when WordPress didn’t do something
        a new user wants was, “Hey, you can always modify the source! Isn’t WordPress great?” It is this response, and complaints about lack of gratefulness, that I find most annoying.

    • John Myrstad (7 comments.) says:

      I have a custom theme that my entire web site is based around. Getting this set up involved modifications to the WordPress source.

      What you have done is to fork WordPress, and youre now the lead developer of your own software project :/

      • Blob says:

        Yes. It’s what happens when anyone modifies source, open or not, and can’t get their changes integrated back into the main tree.

        • John Myrstad (7 comments.) says:

          My point is that you cant blame WordPress. You dont even run WordPress, you run your own custom publishing system.

          I`m a bit curious about what kind of changes you had to do which involves editing core WP rather than using a functions.php hack in your theme.

  24. | Balu | says:

    Speaking of upgrading I do it from my cpanel. The auto-update never works for me. So I just go to cpanel> Fantastico De Luxe> and latest updates are listed there. It’s the easiest way to update and safest too. Why? Cpanel creates a backup automatically saves me from doing the dirty work =P

  25. John (5 comments.) says:

    Yes, I’ve publicly admitted that I’m guilty of temporary lapses. With multiple blogs there’s always an incentive to procrastinate, and if you decide to go out of town on vacation during the wrong week you can get stuck in a bad spot when you come home.

    But something that should be emphasized, is that most other website software doesn’t make it so easy to update versions. WordPress really stands out in ease of use, especially on the topic of new version upgrades. Have you ever tried upgrading a Joomla install or a SMF board with any kind of addons or customizations? Now imagine doing a five or a dozen ASAP due to a security fear – yeah right.

  26. Kevin Paquet (1 comments.) says:

    I think I do a pretty good job maintaining my WordPress blogs and can say that I’m responsible enough to handle them. The first thing I do in the morning when logging into the dashboard of my main blog is to check out updates from WordPress related sites and the WordPress.Org blog through the RSS’es in the dashboard, it’s the least thing that everyone can do really, to keep themselves secure; and of course, upgrading is very important, even if it really can hurt at times when plugins get incompatible.

    I immediately Plurk (I hate twitter) about it and recommend all my friends to upgrade, and eventually help some upgrade for those who are scared about upgrading, which is the main reason why many don’t want to upgrade because of incompatibilities, but just like stressed out multiple times already, it’s better to take some time upgrading than taking some MORE time fixing the culprit when the damage is done.

  27. Rod says:

    It is an individuals responsibility to keep your software up to date. period.

  28. Hal (2 comments.) says:

    All software updates are are subject to having bugs. Sometimes this can take down your system, or at least destroy a part of it (your theme for example). Sorry, I do not update until a few days have passed. I want to see what the update did to other sites. In fact I have a test site for this as well as most other things that I want to experiment with.

    My personal method for updating everything from my OS to all software is, never be the first and never be the last.

  29. Patrick (11 comments.) says:

    One of the users suggested that WordPress should send an email telling users that their SPECIFIC version needs updating.

    Does WordPress itself have ANY IDEA what individual version every single website is actually running? Do you even have to register your website when you download a single copy of the software, or do you just download it and install? I think it’s the latter, which means that to accomplish what that user is calling for, there’ll have to be a complicated registration process for every blog using WordPress, including those already in existence, and then every time there’s an upgrade available, some program is going to have to email every single user of WordPress to let them know a newer version is out there.

    Talk about slowing things down!

    I haven’t seen a single instance in which an upgrade was released that it wasn’t mentioned on THIS blog…and on my admin page, it displays links to this blog automatically. (I swear I didn’t do anything to make that happen…I wouldn’t even know how to.) And I’ve never known an instance of an upgrade being ready to be downloaded that it wasn’t mentioned across the top of the admin page.

    Maybe — just maybe — having a website powered by anything other than some ultimate, hacker-proof software that you personally designed requires too much initiative. But then most of us lock our doors when we leave home to go to work…so why is such a relatively simple precaution for your website too much trouble? I don’t get that.

    • Brian Carnell (15 comments.) says:

      “One of the users suggested that WordPress should send an email telling users that their SPECIFIC version needs updating.”

      Where was this suggestion made? All WordPress needs to do is build in e-mail notification to admins in the software itself since it is fairly difficult to get notification of upgrades if you do not log into the admin side when upgrades are pushed out (I know, I know … these irresponsible people who don’t log into the admin side at least 5 times a day shouldn’t be running WordPress…)

      WordPress already checks to see if there’s an upgrade. All it needs to do is go one step further and e-mail the admin.

      I know, I know…it’s just crazy talk. Much better to whine about clueless users and folks who need something as dumbed down as an auto-upgrad process in the first place. Responsible users run SVN to keep WordPress updated.

  30. Peter Green (4 comments.) says:

    This whole thread is getting silly!
    What is there to debate?
    Someone writes and keeps up to date an excellent C.M.S. and gives, yes GIVES it away!
    Then people whine and complain about how difficult it is to update, stunning ungratefulness!
    Maybe the WordPress system should wipe peoples backsides for them as well!
    If you don’t know how to use W.P. get someone that does, to do it it for you or don’t blog at all.
    Sheesh!
    P.G.

  31. Brian Carnell (15 comments.) says:

    I just want to add one thing here. Why did WordPress add the one-click upgrade feature? I’m assuming it was exactly for instances like this — so as soon as I logged in to my WordPress install and saw 2.8.3 was available, I just clicked a link and boom it upgraded itself. Awesome. There were already plugins out there that tried to do this, but WordPress did everyone a favor by making the upgrade process as simple as possible.

    The recent worm, however, reveals a problem in the gap between when a potential zero day flaw is discovered and when an individual realizes there is a zero day flaw out there. Not everyone logs into their WP admin area every day. Not everyone gets WP from WordPress.org (especially with the auto-upgrades since there’s never a reason to go back after the initial install).

    WordPress should build in the option to have local WordPress installs notify admins via email when there is an update available. Yes, there’s a plugin that will do this, but it would be helpful for the devs to take the next step and integrate that functionality into WP.

    It’s not enough to wave your arms and blame users with a “if you want to run WP you need to be more responsible.” That’s just counterproductive and insulting.

    • Peter Green (4 comments.) says:

      “It’s not enough to wave your arms and blame users with a “if you want to run WP you need to be more responsible.” That’s just counterproductive and insulting.”

      Why is it counter productive to put irresponsible people off using something they are not capable of using?
      The fact that it’s free and developed by caring sharing people makes it very insulting to them when they then get complaints about something they are freely sharing!
      I thing people should be a whole lot more grateful.
      P.G.

    • Patrick (11 comments.) says:

      “WordPress should build in the option to have local WordPress installs notify admins via email when there is an update available. Yes, there’s a plugin that will do this, but it would be helpful for the devs to take the next step and integrate that functionality into WP.”

      I see your point when we’re talking about people who don’t log on as frequently or people who are new and somehow under the always-misguided delusion that ANY piece of software is completely impenetrable.

      But at the same time, I don’t get the frustration: I’m assuming that since you’re concerned about the potential gap between a security patch’s introduction and your finding out about it, you must be making use of the plugin.

      So in your case, you’re not affected by WordPress deciding to add the functionality either way, nor are you the kind of person being referred to as “irresponsible.” So why would YOU find the reference insulting?

  32. mark k. (3 comments.) says:

    Jeff, There is one major thing that wordpress is doing wrong and until it is fixed there is no point talking about user responsibility – wordpress does not offer minor security releases for old releases.

    I can see that it may become quite a nightmare when the official goal is a new release every three months but it is some thing that has to be done, if you can not promise that the API (front end and admin) will remain stable between releases.

    Microsoft supports its products for years, Mozilla supports old releases of for 6 months, Ubuntu has special releases which they promise to support 3 years. The wordpress community has to find its own support strategy.

    If users of your software are doing something foolish, instead of blaming them you should ask yourself how can you improve your product in a way that will eliminate the (perceived) need to behave foolishly. One click upgrade was a great step forward but as this discussion shows it is simply not enough.

    • Paul OFlaherty (5 comments.) says:

      WordPress acts in exactly the same was as Microsoft does as support for branches can only be maintained for a set time. This is a community project after all and they have up until recently been upgrading and supporting the old branch. This has now been discontinued I believe, but not without months of warning being given to people that it would happen.

      This is much the same way that Microsoft no longer supports IE 5 and will drop support for IE 6.

      If you are looking for a list of the available upgrades that have been released for either branch you can find and download them all here:

      http://wordpress.org/download/release-archive/

      One more thing, on a personal note, what you are asking for here is for WordPress devs to use more time releasing minor security patches, which would have to be tested and developed against all old releases rather than working on developing and securing the current release, just because you’re to lazy or unwilling to update? Rather selfish don’t you think?

      Bear in mind that there have been 56 WordPress releases and 72 Beta and RC releases, making a total of 128 releases to date that would all require patch releases and testing against every patch under your proposal.

  33. John Myrstad (7 comments.) says:

    FireFox users which by some strange reason cant keep them self updated about WP upgrades should consider installing the WP helper FireFox plugin. It notifies you about new WP releases in FireFox.

  34. Beth Nicol (2 comments.) says:

    I have been guilty of not being “johnny on the spot” with upgrades… not proud of it. I paid for being a couple of days late. I use the svn sw or svn up to maintain about 15 wordpress installs. Not so difficult.

    But, I have to admit to a sigh of relief when I see that 2.8.4 finally, finally accurately reflects the current version in the admin dashboard of a non-english installation. For so long, it was quite difficult to insure that something wasn’t skipped because in a spanish or french or polish dashboard you would see something like “Version 2.8 is available. Update now!” – but when you checked the version, you were actually running 2.8 -

  35. Denzel Chia (7 comments.) says:

    After reading these interesting comments, I too have some personal views to share, and this is my answer to responsibility in running WordPress.

    I keep a localhost copy of my entire site setup in my computer and always upgrade my localhost copy first, before upgrading my web site. This will let you know whether the upgrade breaks plugins or themes, or anything else. If anything breaks, you can start looking for alternatives before upgrading your live web site. Or evaluate whether you can get by without the broken theme or plugin.

    Chances are they would not break on a security upgrade, they may only break on a version upgrade.

    If you know how to install a copy of WordPress on your hosting, install it locally should not be a problem, as there are good articles out there.

    Secondly, I always keep a copy of any media uploaded to live site within my computer. And backup a xml copy of my data through export option.

    Lastly, I always make it a point to read the feed from WordPress so as to get notify of any security upgrades. Following core programmers of WordPress on twitter helps too, as they will twit about the upgrades.

    That’s my part on using WordPress responsibly.

    As for upgrading old WordPress Version, this is what I had done for others. Backup data and media files. Install the old version of wordpress on localhost with the backup data, ftp the theme and plugins from live site into localhost. Install the wonderful WordPress Automatic Upgrade Plugin on localhost, follow the instructions and upgrade! You will see the result on your localhost, as to whether you site will die or live..

    If it is alive, do that on your live site.
    If it dies, try reviving it or maybe it is time to consider employing someone to do it for you?

    Pardon, my lengthy comment.

    The most important thing is I treat my WordPress installations as my adopted kid. I am responsible for my kid. And if you adopted multiple kids, you must give them equal responsibility and care too, no matter how late you work into the night!

  36. Brian Carnell (15 comments.) says:

    BTW, as far as I can tell, the “join our notification list” at WordPress.org simply doesn’t work. Trying repeatedly to subscribe to this list from the web interface for the last 48 hours I have yet to receive a promised password or anything from the list.

    Again, WordPress makes it far too difficult for average users to obtain notification of new upgrades when they are not logging into the admin interface for an extended period of time.

  37. Michael (2 comments.) says:

    Some people responding here scare me. I am not a coder. I have avoided code since HTML 1.0. I am a visual person not a code person and I totally cannot relate the to the person quoted as saying “code is art”. Not my point though.

    The fact of the matter is that I haven’t had any problems in WP. In fact I have built 3 sites with WP and 2 of them I built from scratch using Atristeer. All have been upgraded without issue.

    Someone above stated that they missed the update until their wife saw it on the site and they never got an E-mail notification. Yeah, so your E-mail notification failed not WP. This goes back to being a responsible site admin. It is a part of doing the job you chose. Take the responsibility and maintain your site properly; make a commitment o check your site daily. It takes all of 30 seconds.

    As for those that use plugins for crucial parts of their sites, well thta is a price you pay for being on the cutting edge. A plugin pushes the limits of a technology. They are needed for the technology to grow but as I said, there is a price to pay for them. You have to be willing to pay that price.

    My final point is to remind people to back up before you install an update! that way if you do lose a critical functionality you are prepared. Additionally if you backup regularly, you can always get control of your site back from your service provider and just restore the backup. Yes you will lose a few posts perhaps but it is better than losing your site completely.

    • Brian Carnell (15 comments.) says:

      Michael wrote:

      “Someone above stated that they missed the update until their wife saw it on the site and they never got an E-mail notification. Yeah, so your E-mail notification failed not WP. This goes back to being a responsible site admin. It is a part of doing the job you chose. Take the responsibility and maintain your site properly; make a commitment o check your site daily. It takes all of 30 seconds.”

      Typical clueless comment. I never said I didn’t get an e-mail notification. I said WordPress needs to build in e-mail notification. The e-mail notification they have on their website simply fails, and they don’t build e-mail notification into WordPress itself.

      They need to.

      I need to login every day. So unless I’m willing to committ to never taking a vacation or getting sick or having my Internet connection go down, I should just go with some other CMS? Seriously?

      • Michael (2 comments.) says:

        What you said and I quote, “but completely missed any notification about the worm until my wife happened to see it on Twitter.” so you did say you missed it. My apologies for the missing it via E-mail.

        If you take vacation, have a friend monitor your site if your out of communication, lock the site for a week or two. Take responsibility and stop blaming WP.

        BTW – WP is not a CMS. It is a blogging software package that has some CMS functionality. It is not billed as such at least no where that I have seen. Then again, I may have missed it.

        • Brian Carnell (15 comments.) says:

          First, WP is most definitely a CMS by any reasonable definition of CMS.

          Regardless,

          “If you take vacation, have a friend monitor your site if your out of communication, lock the site for a week or two. Take responsibility and stop blaming WP.”

          Your approach is just as irresponsible as the “I’m not upgrading because it might break plugin X” folks. You don’t just tell people “shut down if you want to go on vacation”, you create monitoring tools so people can quickly realize when they need to take affirmative action.

          If the choice is “don’t run WordPress” vs. “send an e-mail out to admins when there’s an upgrade available” only a moron troll would choose the former.

          Asking a friend to monitor is the dumbest thing I’ve ever heard. Right. Hey, while I’m at it, I’ll shut down my network monitoring utility and just ask a friend to check my network occasionally to make sure the servers are still up.

          Fanboi nonsense like this really does more harm than good as it tells people rather than give feedback about how the system should be improved they should just STFU and run something else. Stupid stupid stupid.

          • John Myrstad (7 comments.) says:

            @Brian Carnell.

            If you feel so strongly about notification systems and improvement of WordPress head over to WP-hackers http://codex.wordpress.org/Mailing_Lists#Hackers, and make your arguments, and If you really want to see it head over to trac and make a ticket.

          • Paul OFlaherty (5 comments.) says:

            Seriously dude, as I scroll down through this comment list you’re starting to sound like a troll.

            The point is simple, there are notification methods made available and if they’re not enough for you WordPress has a plugin structure which gives you other options.

            That is why the plug structure exists, so that everything doesn’t have to be provided by core functionality. Now if all that isn’t enough for you and you still can’t handle maintaining a WordPress site then go find another CMS and quit complaining.

            Move to another system, one of these days you’ll have to upgrade them to. Either for security reasons, new releases or to deal with the ever marching progression of PHP.

            Using software always comes with an upgrade cycle and there is no way of avoiding it, unless you bury your head in the sand, and then you will reap the consequences.

          • Babs (37 comments.) says:

            Okay, I gotta ask a question.

            You say that checking your WP site on a daily basis would be a hassle if, say, you went on vacation or got sick.

            Well, if WP sent out emails regarding upgrades, how would you get those if you went on vacation or were sick? And how would you upgrade any quicker — unless you had access to a computer (and thus would still be able to regularly check up on your site)?

            Okay, so that’s 2 questions.

            My point is, don’t bash the fanboi if you’re not making any sense yourself.

  38. iHacks (2 comments.) says:

    Upgrade should be top priority to all bloggers. This sentence “upgrading was not an option for them” Due to these type of people hackers get fame. If it is zero day exploits then we can say it is our bad luck. When there is update available not upgrading is dumb :p

  39. dave (1 comments.) says:

    Upgraded one of my lesser blogs and lost all the banners, top and bottom. I’m afraid to upgrade my other blogs for this reason. Is there a better way to code (obviously there is) the banners in? Admitedly, I have no formal education in this matter. I’d just hate to go in and hand input code for numerous ads into 100′s of sites once thay are upgraded. Gota do what I gota do I guess. Any input will be welcome.

  40. Paul OFlaherty (5 comments.) says:

    Jeff, I just wanted to say thanks for a wonderful post and bringing to light the fact that as much as people don’t like it they have to take responsibility and an active interest in the platforms that they use.

    Most people are too busy trying to protect users from their own ignorance rather than accepting that the users also have to meet the developers half way and educate themselves.

  41. SuburbanOblivion (1 comments.) says:

    I am absolutely dumbfounded at the number of people willing to blame WordPress for their own neglect or ineptitude.

    If you aren’t willing to take the time to learn how WordPress works, why are you running it? Would you buy a car and assume that because you know how to drive, it excuses you from figuring out how to maintain it with things like oil and transmission fluid? “I didn’t know” is a perfectly acceptable reason for not learning the system you are running, so long as you don’t expect sympathy when you had all the tools you needed at your disposal to learn.

    Go back and play on Blogger or Livejournal if you can’t be bothered to take the minute or less per site it takes to click on the automatic upgrade link. Lack of time is no excuse.

    You changed the WordPress core files to make your site look pretty? Whoever said you just became the admin for your own software project hit the nail on the head. You created that monster, now take care of it.

    The whole argument that WordPress doesn’t let you know? That red text at the top of the dashboard when there is a new release stands out like a blinking neon sign, and that’s just one of the notifications inside the dashboard. Subscribing to any of the hundreds of WordPress information blogs out there would be helpful, or as pointed out you could use the Firefox plugin that notifies you. This is in addition to subscribing to the WordPress Twitter account and having those notifications sent to you via SMS. Short of having them come to your house and drag you to the computer, what else do you need?

    It’s ridiculous to me how people are looking for any reason in the world to shirk off responsibility for maintaining the sites they chose to build, especially when the work involved is so minimal.

    • Jessi says:

      Well said. It’s really annoying when people can’t accept their own faults.

  42. Big Dan (2 comments.) says:

    Thanks Jeff, I couldn’t agree more. WordPress is now hands down the easiest ‘web app’ to upgrade. As someone who works with many other php powered web apps most are still stuck in the disable addons (plugins) download package, upload and over write existing files, and re-eable plugins one by one to see what works/what don’t.

    There is just no excuse not to upgrade any web app especially WP which as made stupid-easy.

    • Sara @DailyShite (1 comments.) says:

      “There is just no excuse not to upgrade any web app especially WP which as made stupid-easy.”

      Amen.

  43. Jeff Awesome (3 comments.) says:

    Whats a wordpress? (sorry that was bad…)

    People are generally just a bit thick imo, I continuously get amazed at how bad some people are at things, common sense seems to be lacking severely these days. And this is coming from me, and I’m not exactly intelligent!

  44. Hicham Maged (1 comments.) says:

    Indeed Jeff! Any user/webmaster can neither blam developers of ‘Open Source’ programs nor ‘Open Source’ programs themselves for any security problem if he/she do not take care of the software running by upgrading for the latest version as soon as it is available.

  45. Jim says:

    Ummm. While I agree with the author’s post, there are some simple things that WordPress really needs to do.

    First and foremost, they need to allow users their own CSS (is mycss the most essential plug-in?) and Function files without over-riding original theme files. This is the golden rule of source code; never touch it. WordPress by default forces it.

    I realize child themes are becoming popular, but your basic user just won’t do it. Plus, you change the theme, you lose your changes. Consumers buy or use a theme so they DON’T HAVE TO THINK ABOUT THIS STUFF. Then they end up playing with the code.

    Some theme makers are now making it much easier to get into their themes (Justin Tadlock rules) but his Hooks idea should really be in the WordPress core. Adding widget and other functionality should be as easy as dragging and dropping into the header, body, loop, footer, sidebars, etc., replacing existing WordPress functionality (say you hate their menu, which sucks), or adding to it. That’s modular programming, and that’s what add-ons are all about. No one has to worry about source to add functionality to Word (By the way, why isn’t a compressor/compiler in the WordPress core by now?).

    Users WILL ALWAYS take the easy route. If you don’t want people to worry about upgrading WordPress, then make it worry free. It’s only good programming.

    Second, an email right in WordPress about updates would be good. Like an earlier commenter said, not everyone visits their site every day.

  46. StarKey11 (1 comments.) says:

    This attack continues to target primarily dormant and rarely updated WordPress blogs. A worm exploited a WordPress vulnerability and created hidden admin accounts: http://www.enigmasoftware.com/.....-accounts/ People who set up these blogs with good intentions and either lose interest or just stop logging in are the users who are most at risk of WordPress attacks.



Trackbacks/Pingbacks

  1. [...] Are You Responsible Enough To Run WordPress? (tags: wordpress security tools) [...]

  2. [...] and dedicate instantly the time to perform an upgrade. The developers on the other hand, claim that it is the user’s responsibility to keep their wordpress updated whenever it is [...]

  3. [...] That’s just my two cents. If you want to read more on this issue, I suggest checking out a great article by Jeff Chandler entitled “Are You Responsible Enough To Run WordPress?” [...]

  4. [...] WebBlogToolsCollection.com asks: “Are you responsible enough to run WordPress?” [...]

  5. [...] Just came across this excellent post by Jeff Chandler: “Are You Responsible Enough To Run WordPress?“ [...]

  6. [...] So now tell me Who is responsible? Tweet This!Share this on FacebookShare this on del.icio.usDigg this!Stumble upon something good? Share it on StumbleUponPost this to MySpaceBuzz up!Post this on DiigoShare this on RedditShare this on LinkedinShare this on TechnoratiShare this on FriendFeedAdd this to Google BookmarksSubscribe to the comments for this post?AKPC_IDS += "113,";Popularity: unranked [?] [...]

  7. [...] Tools Collection has a great post on the responsibility of running WordPress, highlighting a question many Website owners deal with: who is responsible for securing my site? [...]

  8. [...] good. People usually put plugin compatibility before blog security, and that’s really not a responsible thing to do. Having little to no support for outdated versions of WordPress is one of the ways to [...]

  9. [...] the recent security scare that targeted older versions of WordPress, blame is being thrown around left and right, from everyone to users to the WordPress developers. While staying updated with the [...]

  10. [...] Are You Responsible Enough To Run WordPress? – [...]

  11. [...] Are you responsible enough to run WordPress? [...]

Obviously Powered by WordPress. © 2003-2013

page counter
css.php