<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Weblog Tools Collection &#187; responsibility</title>
	<atom:link href="http://weblogtoolscollection.com/archives/tag/responsibility/feed/" rel="self" type="application/rss+xml" />
	<link>http://weblogtoolscollection.com</link>
	<description>Weblog Tools Blogging Tools Blog</description>
	<lastBuildDate>Mon, 13 Feb 2012 13:00:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Are You Responsible Enough To Run WordPress?</title>
		<link>http://weblogtoolscollection.com/archives/2009/09/12/are-you-responsible-enough-to-run-wordpress/</link>
		<comments>http://weblogtoolscollection.com/archives/2009/09/12/are-you-responsible-enough-to-run-wordpress/#comments</comments>
		<pubDate>Sat, 12 Sep 2009 16:00:50 +0000</pubDate>
		<dc:creator>Jeff Chandler</dc:creator>
				<category><![CDATA[WordPress Security]]></category>
		<category><![CDATA[responsibility]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[WordPress]]></category>

		<guid isPermaLink="false">http://weblogtoolscollection.com/?p=6723</guid>
		<description><![CDATA[I&#8217;m pretty sure by now that you&#8217;ve heard about the worm attack on older versions of WordPress. In the trail of destruction, I&#8217;ve been reading quite a few blog posts regarding the attacks along with comments attached to those posts and quite honestly, I can&#8217;t believe some of the comments I&#8217;ve read. One of the most absurd comments I came across stated that upgrading was not an option for them. How on earth do you put yourself in a position where upgrading is not an option? Might as well just leave the door open so the bad guys can come in freely. Unfortunately, the blame game has come back in full force with those affected generally blaming WordPress, and those not affected blaming users who failed to upgrade in a timely fashion. The bottom line is, the issues that led to this worm attacking older versions of WordPress were fixed [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m pretty sure by now that you&#8217;ve heard about the worm attack on older versions of WordPress. In the trail of destruction, I&#8217;ve been reading quite a few blog posts regarding the attacks along with comments attached to those posts and quite honestly, I can&#8217;t believe some of the comments I&#8217;ve read. One of the most absurd comments I came across stated that upgrading was <strong>not</strong> an option for them. How on earth do you put yourself in a position where upgrading is not an option? Might as well just leave the door open so the bad guys can come in freely.</p>
<p>Unfortunately, the blame game has come back in full force with those affected generally blaming WordPress, and those not affected blaming users who failed to upgrade in a timely fashion. The bottom line is, the issues that led to this worm attacking older versions of WordPress were fixed in WordPress 2.8.4, which was <a title="http://wordpress.org/development/2009/08/2-8-4-security-release/" href="http://wordpress.org/development/2009/08/2-8-4-security-release/" target="_blank">released on August 12th</a>. When it comes to a security release of WordPress, I take it seriously and don&#8217;t mess around with upgrading my site. I think Matt Mullenweg puts it best in his article which explains how to keep WordPress secure.</p>
<blockquote><p>A stitch in time saves nine. <a href="http://codex.wordpress.org/Upgrading_WordPress">Upgrading is a known quantity of work</a>, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. <a href="http://codex.wordpress.org/FAQ_My_site_was_hacked">Fixing a hacked blog, on the other hand, is quite hard</a>. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)</p></blockquote>
<p>While WordPress has lowered the bar of entry to publishing content on the web, one constant remains, the responsibility of running your own website. This responsibility includes making sure that your webhost is doing its job, that the various layers and technologies which make WordPress tick are fairly up to date and locked down. These layers include but are not limited to PHP, MySQL, folder-file permissions, etc. Dave Coveney also brings up the point that <a title="http://www.interconnectit.com/679/a-common-sense-wordpress-security-primer/" href="http://www.interconnectit.com/679/a-common-sense-wordpress-security-primer/" target="_blank">security is more than just WordPress</a>.</p>
<blockquote><p>Even if you have the very latest version of everything there are, out there, what are known as zero day exploits. These are vulnerabilities which are kept secret by the hackers who have found them.  They cease to be secret if they become widely used in a large scale attack. Like the current one against WordPress.</p></blockquote>
<p>You can&#8217;t just upload WordPress, perform a bunch of customizations, install 50 plugins, 50 themes, and think everything will be fine from that day forward. WordPress along with the associated technologies are always evolving. That means your site must evolve as well.</p>
<p>One of the commonalities between most of the comments I&#8217;ve read regarding the worm attack consisted of upgrades breaking themes or plugins. Based on experience, I have never experienced a problem with a plugin or a theme completely breaking my site thanks to an upgrade. Sure, I&#8217;ve had times where some of the theme or plugin functionality broke because of a deprecated function or changed behaviour, but that&#8217;s about it. Generally if an upgrade breaks a site, it&#8217;s because of a poorly coded plugin or theme. I can&#8217;t believe this attitude that functionality trumps security. There are hundreds of plugins within the repository, if you&#8217;re afraid of one breaking or feel that it is not compatible with the upgrade, deactivate it until an update for it is available or use a replacement. Missing a small portion of functionality is better than having your entire site compromised.</p>
<h2>But I Didn&#8217;t Know</h2>
<p>This is by far the lamest excuse I&#8217;ve ever heard. When a new version of WordPress is released, here are the ways you can find out.</p>
<p>Log into your dashboard and look for a colored message in the top center of your screen which says something like <strong>WordPress X.X.X is available! Please Update Now</strong>. The link will take you to the one click auto upgrader.</p>
<p>Activate the WordPress Development Blog dashboard widget. This will show you the latest posts from the WordPress development blog. If there is a new update, there will be a new post saying so.</p>
<p>In the bottom right corner of the administration panel, there will be the text <strong>Get X.X.X</strong>. This is a link to the one click upgrader letting you know you&#8217;re running an out of date version.</p>
<p>Follow the WordPress blog account on Twitter, @<a title="http://twitter.com/wordpress" href="http://twitter.com/wordpress" target="_blank">wordpress</a>. This account is managed by the WordPress team and usually will contain links to blog posts regarding new releases.</p>
<p>Follow blogs that report on the happenings within the community. The WordPress community does a great job spreading the word when a new version is released.</p>
<p>WordPress does maintain an announcement mailing list that you can subscribe to by checking a box in your WordPress forum profile but in my opinion, they have done a terrible job utilizing that list.</p>
<h2>The Decisions You Make Today Shape Your Tomorrow</h2>
<p>One question you should ask yourself before installing any theme or plugin is whether or not it will prevent you from upgrading. The same holds true for custom development work. A theme or plugin that is custom developed which does things in such a way that makes upgrading a pain means they developed it wrong. For starters, no one should ever hack any of the core files. Secondly, developers should use hooks and existing APIs to achieve functionality. If the functionality does not exist, they should create a ticket in Trac and request that a particular hook or API be added to core so core edits do not take place.</p>
<h2>WordPress Can&#8217;t Do It All</h2>
<p>WordPress has made it incredibly simple to upgrade with the addition of the one click upgrader, yet so many still don&#8217;t seem to upgrade in a timely fashion. I realize the auto upgrader does not work for everyone but there are alternatives. It&#8217;s getting to the point where it seems as though the only way to curb irresponsibility is automation of upgrades. However, I believe this would create more problems than it solves. Since automation is not likely to occur, the responsibility falls back on you, the individual. Take that responsibility seriously.</p>
]]></content:encoded>
			<wfw:commentRss>http://weblogtoolscollection.com/archives/2009/09/12/are-you-responsible-enough-to-run-wordpress/feed/</wfw:commentRss>
		<slash:comments>118</slash:comments>
		</item>
	</channel>
</rss>
