[wp-hackers] wp security and upgrading

Otto otto at ottodestruct.com
Mon Jun 29 17:21:33 GMT 2009

Upgrades are always recommended, but I have detected a sense of
urgency lately that I would not say is there. My advice is:

1. Upgrades should always be performed, but if a site is critical to
operations, then a proper test should be undertaken first. Set up a
similar test site with WordPress and all the plugins/theme you're
using, then upgrade it and test to make sure everything works first.
Don't upgrade live without testing unless you're comfortable fixing
issues in real time. and really, they should already have a decent
test site set up (perhaps in a subdirectory), so that they can test
changes before implementing them live.

2. If a site is critical and there's no immediate security threat,
wait a week or two. Plugins frequently don't get updated before a
release, wait until the plugins have been checked first, upgrade them,
then upgrade the site.

3. Advice your clients to read the changelogs, or have somebody
summarize them for them before an upgrade. This way, they know what
changes to expect.


On Mon, Jun 29, 2009 at 7:49 AM, Jake
McMurchie<jake.mcmurchie at googlemail.com> wrote:
> Hello wp-hackers. I'm not sure if this list is the right place for this
> question so apologies if this is off-topic (and will be grateful for
> appropriate redirection)...
> In the past I have always advised clients to upgrade Wordpress on the basis
> that upgrades usually include fixes for security vulnerabilities and this
> will counter-balance any work required to upgrade themes, plugins and other
> (frequently bespoke) customisations. However, I have a sense that this
> balance has shifted - no security vulnerabilities have been made public with
> 2.7/2.7.1 (that I'm aware of) and 2.8 has not been advertised as a required
> upgrade for security purposes. If this is correct then full credit and
> congratulations to the WP team :-)
> Given that there's a time/cost implication for upgrading, that the new
> features of a new version may not be required, and that additional work may
> be required to adapt customisations to changes in the codebase and database,
> is it reasonable to say that upgrading (at least from 2.7/2.7.1) is down to
> client preferences, especially given the many other steps one could take to
> improve security besides keeping the WP version up to date?
> Many thanks in advance.
> Jake
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list