[wp-hackers] wp security and upgrading

Lynne Pope lynne.pope at gmail.com
Mon Jun 29 15:59:50 GMT 2009


2009/6/30 Jake McMurchie <jake.mcmurchie at googlemail.com>

> ...... no security vulnerabilities have been made public with
> 2.7/2.7.1 (that I'm aware of) and 2.8 has not been advertised as a required
> upgrade for security purposes.


While there hasn't been anything (at least in public) about vulnerabilities,
2.8 includes security improvements, such as these...
 - Refactor filters to avoid potential XSS attacks
 - Deprecate wp_specialchars() in favor of esc_html(). Encode quotes for
   esc_html() as in esc_attr(), to improve plugin security
   <http://codex.wordpress.org/Data_Validation> (ref. Development Updates
   <http://wpdevel.wordpress.com/tag/escaping/>)

(From: http://codex.wordpress.org/Version_2.8)

So, from the point of enhanced security it's a worthwhile upgrade.
Performance is better too, although depending on the site this may not be
very noticeable to clients.

I have the same dilemma and have people still on 2.6.5, some of whom are
sticking with that. If it helps, these are the criteria I use to decide
whether to recommend an upgrade.

1. If the server is secure and plugins have been checked for security, and
the user does not want threaded comments - leave as is.
2. If the user adds their own plugins - recommend upgrade.
3. If the site is using plugins that have not yet been updated for 2.8, then
wait.

Lynne
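The esc_html()/esc_attr() change quoted above, as an added example that is not from this post or from WordPress core: a standalone PHP script that emulates the pre-2.8 default (no quote encoding) beside the 2.8 behaviour and shows why encoding quotes matters when plugin output lands inside an HTML attribute. It assumes the old wp_specialchars() default left both quote characters untouched; the function names old_wp_specialchars(), new_esc_html() and can_break_attribute() are the example's own.

```php
<?php
// Added example, not WordPress core code. Both emulations skip
// double-encoding of existing entities, as the core functions do.

// Emulates the pre-2.8 wp_specialchars() default (assumption): only
// & < > are encoded; " and ' pass through unchanged.
function old_wp_specialchars(string $text): string {
    return htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8', false);
}

// Emulates 2.8 esc_html(), which now encodes quotes like esc_attr():
// & < > " and ' are all encoded.
function new_esc_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// True when a raw attribute delimiter survived escaping, i.e. the value
// could still terminate the attribute it is placed in.
function can_break_attribute(string $escaped, string $delimiter): bool {
    return strpos($escaped, $delimiter) !== false;
}

// Constructed sample input: a user-supplied title that a plugin echoes
// into a double-quoted attribute. The quote is the dangerous character.
$untrusted = 'Hello" onmouseover="alert(1)';

foreach (['old_wp_specialchars', 'new_esc_html'] as $fn) {
    $escaped = $fn($untrusted);
    $html    = '<a title="' . $escaped . '">link</a>';
    printf("%-21s %s\n", $fn . ':', $html);
    printf("%-21s attribute breakout possible: %s\n\n", '',
        can_break_attribute($escaped, '"') ? 'yes' : 'no');
}
```

With the old default the title attribute is closed early and a second attribute is injected; with the 2.8 behaviour the quotes come out as &quot; and the value stays inside the attribute.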

