Older WordPress Versions Are Insecure


I have said this many times before: UPGRADE WORDPRESS WHEN PROMPTED. This one is in the style of “beating you about the head and body and then caning you across the eyeballs”. Why? Because a hack has been discovered that makes your older, more stable, more comfortable WordPress.org install very insecure; you may as well set the password to Pa55w0rd, because your older version can and will be pwned.

Now that I have your attention… go to Lorelle‘s site, Robert Scoble‘s site and the WordPress Dev Blog to see details of this new exploit. If you have version 2.8.4 (like what I do), you are more secure. As well as upgrading, remove the default admin account and create a new one (in reverse order: create the new admin account first, then remove the default one), check for phantom admin accounts and make sure you are using a strong password. There are other things to do, but that will keep you going for now.
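The checklist in the paragraph above (patched core version, the default admin login, phantom administrator accounts, plus the open-registration setting raised in the comments) can be audited from the install's own data. The Python below is an added example, not code from this post or from WordPress; the version.php text, the user rows and the option value are constructed samples, and the set of expected administrator logins is an assumption. The only WordPress-specific facts it relies on are the `$wp_version` assignment in wp-includes/version.php, the `wp_capabilities` usermeta key (the prefix follows `$table_prefix`) and the `users_can_register` option.

```python
import re
from typing import Dict, List, Set, Tuple

# The patched release the post points to.
MINIMUM_SAFE_VERSION = "2.8.4"

# Constructed sample of wp-includes/version.php. The real file declares
# $wp_version exactly like this; the value is made up for the example.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '2.7.1';
$wp_db_version = 10851;
"""

# Constructed rows mirroring wp_users, wp_usermeta and wp_options.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin"},
    {"ID": 2, "user_login": "editor_jane"},
    {"ID": 3, "user_login": "wp_support"},  # constructed "phantom" admin
]
SAMPLE_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities",
     "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
SAMPLE_OPTIONS = {"users_can_register": "1"}

# Assumed: the site owner knows only about the "admin" login.
EXPECTED_ADMINS = {"admin"}


def parse_wp_version(version_php: str) -> str:
    """Pull the version string out of the $wp_version assignment."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric dotted prefix only, so '2.8-beta1' compares as (2, 8)."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_outdated(installed: str, minimum: str = MINIMUM_SAFE_VERSION) -> bool:
    # Tuple comparison handles differing lengths: (2, 8) < (2, 8, 4).
    return version_tuple(installed) < version_tuple(minimum)


def administrator_accounts(users: List[Dict], usermeta: List[Dict]) -> List[str]:
    """Logins whose serialized capabilities grant the administrator role."""
    admin_ids = {
        row["user_id"] for row in usermeta
        if row["meta_key"].endswith("capabilities")
        and '"administrator"' in row["meta_value"]
    }
    return sorted(u["user_login"] for u in users if u["ID"] in admin_ids)


def audit(version_php: str, users: List[Dict], usermeta: List[Dict],
          options: Dict[str, str], expected_admins: Set[str]) -> List[str]:
    """Return one finding per checklist item that fails."""
    findings = []
    installed = parse_wp_version(version_php)
    if is_outdated(installed):
        findings.append(f"outdated core: {installed} < {MINIMUM_SAFE_VERSION}")
    admins = administrator_accounts(users, usermeta)
    if "admin" in admins:
        findings.append("default 'admin' login still exists")
    for login in admins:
        if login not in expected_admins:
            findings.append(f"unexpected administrator account: {login}")
    if options.get("users_can_register") == "1":
        findings.append("open registration enabled (users_can_register=1)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION_PHP, SAMPLE_USERS, SAMPLE_USERMETA,
                         SAMPLE_OPTIONS, EXPECTED_ADMINS):
        print("FINDING:", finding)
```

Against a live install the same functions would be fed the contents of wp-includes/version.php and the rows of the three tables; the capability check deliberately matches on the serialized role name rather than unserializing PHP arrays, which is enough to catch an account that was granted administrator and then forgotten.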

I regularly get comments such as “if I upgrade it breaks all my plugins”, “my theme doesn’t work if I upgrade now” and so on. You now get to make a value judgment: if you don’t upgrade you could end up no longer owning your blog, versus giving up or changing a few plugins or a theme. Which of these is the worst-case scenario for you?

Upgrade now. You know it makes sense.


Posted on 7 September, 2009, in Blogging/WordPress, Computer Stuff, Idiot's Journey, Open Source. 29 Comments.

  1. Hear, hear! Keep on it and DROP THOSE SHITTY PLUGINS if they stop working – they're likely insecure in their design, too. I've been thinking about how to export WordPress back to Blogger, since they allow you to use your domain. I'd save on hosting costs that way, and I'd not get any more messages from the server admin asking me to fix my script (referring to a page on the blog) when I get a bit of traffic. 😉

    • Anyone who is more concerned about a plugin than their own site should just stop running the site. If a plugin author stops updating their software, find something similar that is updated.

      This post has been brought to you by The Bleedin' Obvious.

  2. Also, another way to secure your site with third-party software like WordPress is to disable users from registering their own account. Disable it, block it, and it removes one of the known steps of those gaining access to something they shouldn’t have access to.

    • It does, but in this case that won't work. Really, the only way to stay secure is to follow the steps and keep updated. That way older exploits won't work and you stay slightly ahead of newer ones.

      • I agree. WordPress has a lot of vulnerabilities that are built in by design. I don't see older versions as secure. I am sure that a full code rewrite will be necessary at some point rather than simply patching problems as they arise.

        • Yeah, that’s why they ended support for the 2.0.x branch: it would require too much patching, since the newer versions are more than likely rewritten.

        • You think that way because you understand the value behind the vulnerabilities and the newer versions. Too many people complain that [plugin 2.1] only works on earlier versions of WP, or that they made too many changes to upgrade; they may as well just remove all passwords (maybe an exaggeration). Do the cost/benefit analysis: is it more of a hardship to lose a plugin or tweak, or more of a hardship to lose your entire site and data? And then act appropriately.

      • Yeah, I just wanted to point it out. Most people allow anyone to register. By not allowing someone or something an account, you just eliminate that step in gaining unauthorized access to a system.

        • This is true and, as you know, security should never be a single step but an evolving process. And these chats help us to educate others 🙂

  3. Thanks for the info! I've just been thinking about the renewal of my WordPress version!

  4. I always renew my WordPress version; now I am on WordPress 2.4.

  5. Thanks for the advice, I have to forward it to my boss; we own quite a few WP blogs that are getting really old.

  6. Good words of advice. I must admit that I usually trail upgrading by a month since I always want to be sure the new WP is bug free. But I need to remember that there's a reason a new version is out. The old one is FLAWED!

    • Remember, the "old one" was once touted as the most secure version of WP (for that time being) so you really are safer only in a relative point of view.

      Is the new version "bug free" software? I think you'll have to wait a long, long time until you come across such a version. If or when the next vulnerability is discovered, it will become "flawed" again.

  7. I always upgrade as soon as there is an update. I do it first on one of my less important or test blog, and if that works fine I upgrade the rest. I've put too much work into those blogs to take any chances, especially now when upgrading is so easy.

  8. Hi, I am running a WordPress blog (latest version). Someone commented… *typo: insecure. What does this mean?? What do you think?

  9. I once ran a blog on office design on WordPress. It worked fine; I moved to a proper web platform now because we needed a proper website. But I honestly think that WordPress is more than OK for small and medium companies.

    • I'm curious what you used as a "proper web platform". Whatever you're using now, it looks good. You could've done it with WordPress, as well – perhaps with a few choice plugins.

  10. You should make sure to always keep your WP up to date. Older platforms are insecure. Bloggers should also remove the code that lets everyone know which version they are running as well. This makes it easier for hackers to find their way in.

    • Knowing the version doesn't make you more or less insecure. If the hole exists because you didn't update, then the hidden version number won't matter. This article on Wikipedia explains why security through obscurity is a bad idea.

  11. But how do I go about updating to the newer version?? Because whenever I open my WordPress site, I get a message saying "newer version is available, please contact your admin".

  12. WP, as long as it is open source (which is what makes it so amazing), will always be prone to attack; as they say, if it can be built, it can be unbuilt. Keeping on top of the upgrades and in touch with the versions and vulnerabilities is essential.

  13. I've seen some really ancient WordPress sites still around; they haven't been updated in 2 years or more. Some sites just cannot update because they run on custom themes and upgrading would mean they have to go and get a new theme.

  14. @MrCorey Is it that insecure? I was thinking of changing from Blogger to WordPress because I was thinking that I will get more traffic if I have a .com domain. But now, after reading your comment, I have to think twice before doing it.

  1. Pingback: Posts about plugins as of September 7, 2009 | All About WordPress
