[wp-hackers] wp security and upgrading
Lynne Pope
lynne.pope at gmail.com
Mon Jun 29 15:59:50 GMT 2009
2009/6/30 Jake McMurchie <jake.mcmurchie at googlemail.com>
> ...... no security vulnerabilities have been made public with
> 2.7/2.7.1 (that I'm aware of) and 2.8 has not been advertised as a required
> upgrade for security purposes.
While there hasn't been anything (at least in public) about vulnerabilities,
2.8 includes security improvements, such as these...
- Refactor filters to avoid potential XSS attacks
- Deprecate wp_specialchars() in favor of esc_html(). Encode quotes for
  esc_html() as in esc_attr(), to improve plugin security
  <http://codex.wordpress.org/Data_Validation> (ref. Development Updates
  <http://wpdevel.wordpress.com/tag/escaping/>)
(From: http://codex.wordpress.org/Version_2.8)
So, from the point of enhanced security it's a worthwhile upgrade.
Performance is better too, although depending on the site this may not be
very noticeable to clients.
I have the same dilemma and have people still on 2.6.5, some of whom are
sticking with that. If it helps, these are the criteria I use to decide
whether to recommend an upgrade.
1. If the server is secure and plugins have been checked for security, and
the user does not want threaded comments - leave as is.
2. If the user adds their own plugins - recommend upgrade.
3. If the site is using plugins that have not yet been updated for 2.8, then
wait.
Lynne
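The quote-encoding change Lynne's list refers to is easy to see in isolation. The snippet below is an added illustration, not code from WordPress or from this thread: the two escaping functions are hypothetical stand-ins built on PHP's htmlspecialchars(), one leaving quotes alone (as the old wp_specialchars() default did) and one encoding them (as esc_html() and esc_attr() do in 2.8).

```php
<?php
// Added example, not WordPress code. Models the 2.8 escaping change:
// escaping that ignores quotes versus escaping that encodes them.

// Hypothetical stand-in for the pre-2.8 default: encodes & < > only,
// so " and ' pass through untouched.
function escape_no_quotes(string $text): string {
    return htmlspecialchars($text, ENT_NOQUOTES, 'UTF-8');
}

// Hypothetical stand-in for esc_html()/esc_attr() in 2.8: encodes
// & < > " and ', which is what an HTML attribute context needs.
function escape_with_quotes(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Defender-side check a plugin reviewer can apply to any escaper's output:
// a value destined for a quoted attribute must contain no raw quote.
function attribute_value_is_safe(string $escaped): bool {
    return strpos($escaped, '"') === false && strpos($escaped, "'") === false;
}

// Constructed user-supplied value containing both kinds of quote.
$title = 'Lynne\'s "upgrade" notes';

// The same plugin markup built with each escaper.
$old = '<input type="text" value="' . escape_no_quotes($title) . '">';
$new = '<input type="text" value="' . escape_with_quotes($title) . '">';

// With the old escaper the raw " closes the value attribute early, so the
// rest of the string is parsed as markup rather than as data.
echo $old, "\n";
// With quote encoding the whole string stays inside the attribute value.
echo $new, "\n";

var_dump(attribute_value_is_safe(escape_no_quotes($title)));
var_dump(attribute_value_is_safe(escape_with_quotes($title)));
```

The check is worth running over a plugin's own escaping helpers before deciding whether point 2 of the criteria above (users adding their own plugins) tips the decision toward upgrading.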