Older WordPress Versions Are Insecure

I have said this many times before: UPGRADE WORDPRESS WHEN PROMPTED.  This one is in the style of “beating you about the head and body and then caning you across the eyeballs”.  Why?  Because an exploit has been discovered that makes your older, more stable, more comfortable install very insecure.  You may as well set the password to Pa55w0rd, because your older version can and will be pwned.

Now that I have your attention: go to Lorelle’s site, Robert Scoble’s site and the WordPress Dev Blog for details of this new exploit.  If you are on version 2.8.4 (as I am), you are safer.  As well as upgrading: create a new administrator account with a username other than “admin”, and only then remove the default admin account (that order, so you never lock yourself out); check for phantom admin accounts you did not create; and make sure you are using a strong password.  There are other things to do, but that will keep you going for now.
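The “check for phantom admin accounts” step, as an added example that is not part of the original post: these queries are run directly against the blog’s MySQL database (for instance in phpMyAdmin). They assume the default table prefix wp_; if your wp-config.php sets a different $table_prefix, substitute it in every table name and in the wp_capabilities / wp_user_level meta keys.

```sql
-- Added example: audit administrator accounts in a WordPress database.
-- Assumes the default table prefix "wp_" (the $table_prefix value in
-- wp-config.php); change the table names and meta_key values if yours differs.

-- 1. Every account that holds the administrator capability, with the details
--    you need to decide whether you actually created it.  WordPress stores
--    roles as a serialized PHP array in usermeta, e.g.
--    a:1:{s:13:"administrator";b:1;}
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered,
       u.display_name,
       m.meta_value AS capabilities
FROM   wp_users u
JOIN   wp_usermeta m
       ON  m.user_id  = u.ID
       AND m.meta_key = 'wp_capabilities'
WHERE  m.meta_value LIKE '%administrator%'
ORDER  BY u.user_registered;

-- 2. Role or level rows whose user_id has no matching wp_users row.
--    A healthy install has no orphaned capability metadata, so any hit
--    here deserves a closer look.
SELECT m.user_id, m.meta_key, m.meta_value
FROM   wp_usermeta m
LEFT   JOIN wp_users u ON u.ID = m.user_id
WHERE  u.ID IS NULL
AND    m.meta_key IN ('wp_capabilities', 'wp_user_level');

-- 3. Accounts whose login or display name is blank or whitespace only.
--    These are easy to miss when scanning the Users screen in the dashboard.
SELECT ID, user_login, display_name, user_email, user_registered
FROM   wp_users
WHERE  TRIM(user_login) = '' OR TRIM(display_name) = '';
```

Compare the first result set against the accounts you know you created. Remove anything you do not recognize from the WordPress Users screen rather than with a raw DELETE, so that any posts attributed to it can be reassigned, and then change the passwords on the accounts that remain.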

I regularly get comments such as “if I upgrade it breaks all my plugins”, “my theme doesn’t work if I upgrade now” and so on.  You now get to make a value judgment: if you don’t upgrade you could end up no longer owning your blog vs giving up or changing a few plugins or a theme.  Which of these is the worst case scenario for you?

Upgrade now. You know it makes sense.

  1. MrCorey says:

    Hear, hear! Keep on it and DROP THOSE SHITTY PLUGINS if they stop working – they're likely insecure in their design, too. I've been thinking about how to export WordPress back to Blogger, since they allow you to use your domain. I'd save on hosting costs that way, and I'd not get any more messages from the server admin asking me to fix mo script (referring to a page on the blog) when I get a bit of traffic. ;)

    • ray says:

      Anyone who is more concerned about a plugin than their own site should just stop running the site. If a plugin author stops updating their software, find something similar that is updated.

      This post has been brought to you by The Bleedin' Obvious.

  2. [...] upline members and 3 first level downline members at the members.php page. Older WordPress Versions Are Insecure – 09/07/2009 Monday, 7 September 2009, 19:09 PDT Image via [...]

  3. drew says:

    Also another way to secure your site with 3rd party software like Wordpress is to disable users from registering their own account. Disable it, block it and it removes one of the known steps of those gaining access to something they shouldn’t have access to.

    • ray says:

      It does, but in this case that won't work. Really, the only way to stay secure is to follow the steps and keep updated. That way older exploits won't work and you stay slightly ahead of newer ones.

      • hari says:

        I agree. Wordpress has a lot of vulnerabilities that are built in by design. I don't see older versions as secure. I am sure that a full code rewrite will be necessary at some point rather than simply patching problems as they arise.

        • drew says:

          Yeah, that’s why they ended support for the 2.0.x branch: it would require too much patching, since the newer versions are more than likely rewritten.

        • ray says:

          You think that way because you understand the value behind the vulnerabilities and the newer versions. Too many people complain that [plugin 2.1] only works on earlier versions of WP, or that they made too many changes to upgrade, may as well just remove all passwords (maybe an exaggeration). Do the cost/benefit analysis: is it more of a hardship to lose a plugin or tweak or more of a hardship to lose your entire site and data. And then act appropriately.

      • drew says:

        Yeah, I just wanted to point it out. Most people allow anyone to register. By not allowing someone or something an account just eliminates that step in gaining unauthorized access to a system.

  4. Anna says:

    Thanks for the info! I've just been thinking about the renewal of my WordPress version!

  5. I always renew my WordPress version; now I am on WordPress 2.4.

  6. kuhinje says:

    Thanks for the advice. I have to forward it to my boss; we own quite a few WP blogs that are getting really old.

  7. Chris says:

    Good words of advice. I must admit that I usually trail upgrading by a month since I always want to be sure the new WP is bug free. But I need to remember that there's a reason a new version is out. The old one is FLAWED!

    • hari says:

      Remember, the "old one" was once touted as the most secure version of WP (for that time being) so you really are safer only in a relative point of view.

      Is the new version "bug free" software? I think you'll have to wait a long, long time until you come across such a version. If or when the next vulnerability is discovered, it will become "flawed" again.

  8. Sire says:

    I always upgrade as soon as there is an update. I do it first on one of my less important or test blogs, and if that works fine I upgrade the rest. I've put too much work into those blogs to take any chances, especially now when upgrading is so easy.

  9. Hi, I am running a WordPress blog (latest version). Someone commented “…*typo: insecure”. What does this mean? What do you think?

  10. I once ran a blog on office design on WordPress. It worked fine; I moved to a proper web platform now because we needed a proper website. But I honestly think that WordPress is more than OK for the small and medium company.

    • MrCorey says:

      I'm curious what you used as a "proper web platform". whatever you're using now, it looks good. You could've done it with WordPress, as well – perhaps with a few choice plugins.

  11. Rocky says:

    You should make sure to always keep your WP up to date. Older platforms are insecure. Bloggers should also remove the code that lets everyone know which version they are running as well. This makes it easier for hackers to find their way in.

    • ray says:

      Knowing the version doesn't make you more or less insecure. If the hole exists because you didn't update, then the hidden version number won't matter. This article on Wikipedia explains why security through obscurity is a bad idea.

  12. But how do I go about updating to the newer version? Because whenever I open my WordPress site, I get a message saying “a newer version is available, please contact your admin”.

  13. WP, as long as it is open source (which is what makes it so amazing), will always be prone to attack; as they say, if it can be built, it can be unbuilt. Keeping on top of the upgrades and in touch with the versions and vulnerabilities is essential.

  14. MSPB says:

    I've seen some really ancient WordPress sites still around; they haven't been updated in 2 years or more. Some sites just cannot update because they run on custom themes and upgrading would mean they have to go and get a new theme.

  15. Bookmark Hub says:

    @MrCorey Is it that insecure? I was thinking of changing from Blogger to WordPress because I was thinking that I will get more traffic if I have a .com domain. But now, after reading your comment, I have to think twice before doing it.